tv Politics and Public Policy Today CSPAN March 22, 2018 12:00am-1:54am EDT
senator: thank you, mr. chairman. a i think that was meant as compliment. look, we've all -- you and everybody on this panel looked of pages and done the interviews and reviewed is.ything there simple question i have for you, right now we pretty much know everybody'sd and got an idea of what's happened. the question i have for you, are either one of you aware or has it been suggested to either one of you or have you seen that any u.s. person was involved in this scheme? >> not to my knowledge. >> mr. johnson? i am talking about the russian scheme, in terms of interfering in the elections. the kinds of things we have been
talking about. the attacks. recollection of the special counsel's indictment is that there were some u.s. citizens included in it. that is my recollection but i could be wrong about that. i have no knowledge about the hacking of elections. >> think you very much. -- thank you. much. let a just follow up on that quickly. do either of you have any doubt russiansr that the were involved at a higher level than they have ever been involved before? >> i have no doubt. >> no doubt at all. >> ok. russia'slt of meddling, i thought to ensure the bill passed including a
directive to provide technical assistance to the state and local enforcement. this past year i was shocked to learn that many multiple agencies could not confirm that they did not have kiss bursty software in their system. if our own federal department has struggled to find a reliable vendor in relation to the ?ussian company could persky wrecks the short answer is yes. we do not have authority to mandate that the states do that. taken it off of the gsa catalog which would allow states
to purchase it with separate funds. >> i generally agree with what the secretary said. guilty of been found meddling in our elections, i think we have confirmed. what recommendation for punishment or's -- or sanctions told you guys recommend prevent it from happening or any other country going down this path that russia is going down? >> that is an important question because we have a multifaceted relationship with russia. consequences and what we do in reaction to what they did with meddling needs to be driven in a way that they understand the specific behavior we are seeking to avoid.
the hope in general is that the international community continues to recognize that attacking critical infrastructure of another nation is a redline. we need to hold each other to that and recognize that it is a redline. we have looked at everything from sanctions in the obama administration to sanctions now to indictments. we need to do more. >> should we treat a cyber attack intrusion on our war?nment and act of we need to think about that very carefully. hope that we can work together and with other parts of the administration and decide where is that redline. >> do you think we have deterred
russia from infiltrating our election system for 2018? >> know we have not. >> so we are facing the same, if not worse? >> correct. >> there is no reason to believe they will not attack again. >> we have a new retaliation policy. order,ave an executive andking was mentioning it what we need to do in terms of being specific with respect to our deterrence. colleaguesack to my and the president and make sure that we get that done very soon. have theates do not
.herewithal to deter this do you think the government should be involved in helping to secure a state election process? >> we are. we are working state-by-state. we have asked for another $25 million to help our own resources, but as i mentioned earlier, we prioritize these. >> to have the final recommendation? , depending ony all the different parts i mentioned earlier. in some cases, they have resource constraints. >> thank you.
secretaries, we have come to the end of the hearing. two of the people indicted in the special counsel were a mixture of mail fraud. indictments, the other charges were directly at the russian facility where they carried out. if that helps to clarify your memory. and it is my understanding that the appropriators have taken care in the omnibus bill of an grants.f money to be too not want to -- i want
thank the appropriations committee for working with our staff and hopefully i have made a commitment to secretary nelson that we would be more than open as weress any other needs i want to thank you for your testimony today. it sends a strong message that the integrity of our election system is truly the heart and strength of our democracy. the committee's investigation found ample evidence to agree with dhs's assessment in 2016 that russian government actors scanned 21 states to gain access to an access to a handful of those. in at least one of those cases they were successful in penetrating a database. we heard our witnesses confirm that assessment today.
despite that activity, i need to reiterate that they found no evidence of a change and a finding confirmed by our witnesses also today. they confirmed that russian activities fell in a seem of our national intelligence infrastructure. it was a foreign activity, but carried out on the united states inside the united states. where our intelligence agencies have limited authorities and i can't stress that enough that we have got to consider that as we go forward. the intelligence community was there almost entirely dependent for the insight into these activities. the committee found that dhs and fbi alerted them in fall of 2016 in a limited way. our witnesses confirmed they they provided warnings and notifications to election officials were delayed nearly a year.
states therefore understood that there was a cyber threat, but not the seriousness of the scope of that threat. this committee intends hopefully before the end of the week to produce an overview of our report that sanitize and can be released. the full findings and recommendations on election security will be reviewed for declassification and possible redactions and when that is complete released to the american people so they can make their own judgments about involvement and attempts to intrude into our system. once again, i want to thank both of you for being here and want to conclude our first two-minute break as we bring the second panel up.
of you made the trip or to travel through this town that sometimes understand snow removal and sometimes doesn't. it's always a crapshoot. our second panel comprised of jeanette, national director assistant secretary for the office of cyber security for the homeland security. the only thing that changed is acting is no longer in front of that and i'm glad for that. president-elect of the national association of secretary of vats -- secretaries of state's and vermont secretary of state. jim, thankings for bringing this weather today. amy cohen from the national state directors and eric rosen bach, codirector of the harvard school for science and international affairs. i might add for the record that we also invited a representative of the federal bureau of
investigation to participate in today's hearing, but the committee's request was declined. you are the experts on cybersecurity in elections and while we just received the big picture assessment, we are going to rely on you to provide us a great deal more fidelity. jeanette, i would like you to provide details on the services dhs is providing to states and local officials and what a -- what additional resources dhs may need to provide the services comprehensively. jim and amy, i hope you will provide a view from the states and those on the ground who actually run elections. it is critical that we hear what states really need and if all of this help from d.c. is proving to be valuable.
indepth look at posture and run table top exercises and look forward to hearing your outside assessment of how the partnership between dhs and the states is working. in the interest of time, i'll end my remarks and go straight to the vice chairman. but when i recognize you, we will go in order. >> i want to make two brief remarks. the first panel was very good and understand this is a collaborative relationship with the states and localities, but i do think as senator king has mentioned and mention in terms of my state, there are enormous vulnerabilities based on the hack-a-thon of last summer. i made sure we took out voting machines that didn't have audible paper trails. recognizing the collaboration between the state and dhs, how
do we make sure that we appropriately nudge or we as policy makers, if we have to call out states and localities who don't participate and don't upgrade their systems and don't realize the seriousness of the problem and leave that perhaps to us or others? i would like to hear your comments on we focused a lot on the states and localities itself, but there are clearly a whole host of vendors who manage voter files and provide the equipment. how do we make sure they are using best practices and those that are not, that the states and localities you might hire those vendors are notified they are not meeting standards of security that are appropriate. those are the questions i hope to drill down and i look forward to your testimony, everybody. >> thank you, vice chairman. jeanette, the floor is yours.
>> thank you, sir. chairman and members of the committee, thank you for today's opportunity to testify on this lovely d.c. spring day. regarding our ongoing efforts to reduce and mitigate risks to election infrastructure. before i discuss elections, i want to take a moment to thank chairman mccall and ranking member thompson and johnson and mccaskill. the homeland security and this committee in particular for your long and continued support in legislation and granting dhs the authorities that we need to not only secure the integrity of our elections, but to do our job in protecting federal networks and critical infrastructure. they highlight the security agency at dhs which would see our organization, the national protection and programs director become a new agency. this change reflects the important work we carry out on
behalf of the american people to safeguard and secure our infra -- infrastructure. we support this much needed effort and appreciate congress's action and look forward to being the security agency. i was appointed to this position in july of last year, i spent my career to advance the cyber security mission within the department of homeland security. during my time, i personally witnessed the commitment, dedication and tireless efforts of the men and women to secure the critical infrastructure systems and most recently election systems. during the 2016 elections, want -- the department used every resource based on the information we had to make sure they receive the information and the services we can provide to secure their infrastructure. as cyber threats continue to evolve in times of calm and crisis, we will never waiver in the duty to protect the homeland
and i'm honored to have the privilege to lead that today. i would like to thank them for their service and excellence and look forward to leading and serve alongside them. since i last appeared before the committee, the national protection and programs director has continued to lead an inner agency effort to provide assistance to state and local officials. this inter-agency assistance brings together the commission and the fbi and intelligence and other partners and is modelled on the work with other critical sectors. importantly it also depends on the partnership with the representatives on the panel whether from academia or the national associations of state election directors. since 2016, we have learned much from our state and local partners and the efforts we undertook to assist them in 2016 we worked to refine and improve our partnerships and our services. securing the nation's election systems is a complex challenge
and a shared responsibility. there is no one size fits all solution. the systems are managed by states and local governments in thousands of jurisdictions across the country and must remain that way. state and local officials have been working individually and collectively to reduce risks and share the integrity for them rung. as threat actors become sophisticated, dhs supports the efforts of these officials. through the efforts we made significant progress by creating government and private sector counsels who work to promote best practices and develop strategies to reduce risk to the system. the recently formed information sharing and analysis center facilitates the near realtime information. additionally 38 states are receiving feeds of cyber threat indicators provided by the department. we are sponsoring up to three election officials and while not all of them submitted the
paperwork, we have been able to grant security clearances to 21 individuals in 19 states. we increased the availability of free technical assistance by reprioritizing resources that were previously dedicated to federal network it is to election infrastructure and will continue to offer the services whether they are assessments, intrusion detection capabilities, information sharing, incidence sponsor training free of charge to all state and local officials. we will continue to coordinate and support state and local officials to secure the infrastructure for the primary and special elections. cyber actors can come from anywhere. they can come from internationally or within the u.s. borders. we are looking forward to a response prepare for and mitigate risk to the critical infrastructure. we understand it's essential to securing a more secure election.
the voting infrastructure is diverse and subject to local control and has many checks and balances. as we work to address these and other challenges, the department will work with congress and industry experts to support our state and local partners. i look forward to further outlining the efforts to help enhance the security of elections administered by state and local partners and i look forward to your questions. >> thank you very much. jim? the floor is yours. >> thank you. first i'd like to just say i thank you for this warm welcome with the weather outside. it makes me feel right at home. just to give you a perspective, it was minus 11 on the first day of spring on vermont. >> when your flights cancel, i hope you hold us accountable. >> i don't have a flight until tomorrow night. good morning. thank you for this opportunity to appear before you representing the nation's secretary of states 40 of whom serve as election officials in
their states. i am the vermont secretary of state and president-elect of the nonpartisan secretary of state and a member of the department of homeland security new election infrastructure government coordinating counsel. connie lawson of indiana was not able to be here today, but i want to acknowledge her outstanding leadership in leading the organization. we are comprised of members of strong and diverse opinions, but when we speak, we speak with one voice. voting is the core of our democracy. with november's general election months away, i want to assure you and all americans that election officials across the country are taking cyber security very seriously. while it is important to ask what really happened in 2016 and
learn from it, we believe it is even more important for us to be discussing what lies ahead. the 21 states that were not notified until september of 2017, one year after the supposed scans. no votes were changed as you had heard, but let me be clear. the secretaries of state across this nation are diligently working each day to safeguard the election process. when former dhs secretary announced the infrastructure designation in january of 2017, our members raise many questions and express concerns about potential federal overreach into the administration of elections. with the critical infrastructure designation in place, we are focused on improving communications between the state and with dhs to achieve the shared goal of election security. under dhs secretary kirstin nielsen's leadership, we are
working well together. nass is committed to securing this relationship. this is our best asset against cyber attacks. the low connectivity electoral process is designed to with two widths -- to withstand and deter threats. states use many resources available to them to bolster cyber security. some utilize resources by dhs and others use security companies and still others partner with colleges and universities. mr. chairman, in your press conference yesterday you and other senators outlined cyber security recommendations. i would like to highlight that states are implementing many if not all of the recommendations including my own home state. in vermont, and let me go to my vermont home state, we completed a thorough review back in 2014. we completed both physical and cyber. in 2015, we implemented a new election management platform.
because the system was new and it was newly designed, it included cyber risk assessments. some of the best practices we used are paper ballots and post election audits and no internet connection of our vote tabulators and daily back up of the voter registration and daily monitoring of traffic and black listing of known problem or suspected ip addresses and additional penetration testing. we also have same day voter registration and automatic voter registration. we are planning and in the process of planning a statewide cyber security forum to be held in our state. we have no less than three levels of security between the outside internet and our cyber systems and they are monitored on a daily basis. we have joined the sharing analysis center and we receive weekly cyber hygiene scans and met with both dhs and fbi
contacts. we have recently ordered an einstein monitor to attach to the systems to help us monitor. secretaries and their staffs are working to secure more funding for improved cyber security. new voting machines and to strengthen our existing systems. these have become much more challenging as they have to work to counter cyber security to the -- in addiction -- in addition to the elections administration. to ensure the integrity of our systems, we have a prepared ask for you. one of the most critical resources that congress can provide to the states is the 396 million from help america vote act of 2002 that was allocate and never appropriated. meeting the ongoing demands for cyber security upgrades requires funding that the states simply do not have within their budgets. i must say the new and immediate funds are absolutely critical as
we are now only eight months away from the november general election. if we do not receive this money until august, it's too late for this year. we need the money now. as election officials work to fulfill this commit and to improve voter confidence, we asked congress to fulfill that commitment. we asked them to help us improve the confidence by promoting state and local efforts and providing risk assessments. i want to thank it is members of this committee for holding this hearing and giving me this opportunity to speak to you on this important matter on behalf of nass. i look forward to answering your questions. >> i'm not going to speak for the appropriations committee and i have not read the omnibus bill but there is a sizable chunk of money that matches about what you are mentioning. >> we appreciate that. >> where that goes, i will leave it up to the instructions of the appropriators, but i feel confident that the committee and
appropriators and dhs are on the same page. amy, the floor is yours. thank you. >> thank you chairman and distinguished members for the opportunity to submit this testimony on behalf of the national association of state directors. i am amy cohen, the state election directors in all 50 states. the district of columbia, samoa, guam, puerto rico, and the u.s. virgin islands. our members are the professionals that implement policies, procedures and technologies and the mission is to promote transparent elections in the best practices. since elections were detonated, -- were designated our efforts have been more important than ever before. in 40 states, the secretary of state is the chief official and in the remainder, this is the executive correct director of a border commission.
beyond differences in leadership and policies, the states differ in the way elections are conducted. in eight states, they're at the township instead of the county level. wisconsin has local clerks responsible for conducting elections in addition to the state election offices. i highlight these differences with how complex they really are. every state election official is a planner. they spent every day since the 2016 election learning how to improve for the future and the designation has given us access to resources many did not know were available previously. now 15 months into the designation of elections is critical infrastructure and we made great strides as a field. they must communicate to their voters to make sure every voter who wants to cast a ballot can do so and give confident that their vote will count as intended.
effective communication with local official who is serve as the boots on the ground is paramount. states run trainings and make sure that local officials have access to the information, tools and skills they need to do their jobs effectively. state election directors must communicate with our colleagues in the federal government. until 2016 this was primarily with the members and staff of the election assistance commission who provide an invaluable assistance informed by qualitative and quantitative data. communication was new to the members in 2016 and an area where we have seen improvement. in october, dhs, the national association of secretaries of state convened the coordinating counsel as a mechanism for sharing information about the election threats across the governments. since then they met several
times by telephone and in person at the conference. they have representatives from local organizations and dhs that meet every week by television. they have goals and objectives and work groups are doing groups to develop guidelines around communications and a writing of a specific plan to highlight the sector for the next several years. in addition the infrastructure and coordinating counsel was launched in december 2017 with representatives from private sector vendors and nonprofit organizations. the gcc and the executive commitmentee are critical to distributing information to the district of columbia and all 50 states and cyber security information to the more than 8,000 local election officials. the gcc voted at the february meeting to recognize the multistate information as the
election's infrastructure isaac. they were members prior to 2017, election officials were not privy tow the information share -- shared and this could not act on any of the information shared about the 2016 election. as of today however it's free for election offices to join counts estate state level offices and more than 100 local election offices as members. the executive committee of the gcc strongly encourage all jurisdictions to join and are developing a strategic outreach plan to make sure every official understands the benefits of participation and joins. dhs has also facilitated security clearances as well as additional office staff including directors. our hope in doing so is to make sure any future sharing will not be hindered.
processing for security clearances can take time, but we continue to make progress with dhs in this area. dhs hosted more than 60 directors and staffs with d.c. and two territories with the director of national intelligence and the federal bureau. it would be naive to say that we received answers to all of our questions, but the briefing was incredibly valuable and demonstrates how d.c. and others take concerns as well as concerns. there have been challenges, but we have taken leaps forward. states have hardened defenses and other it systems against intrusion. this has included taking advantage of free resources like vulnerability and risk. they are utilizing services by other branches of state government. several private sector vendors have made tools and vendors
-- resources available. the center at harvard and center for internet security provided tools for officials to use to strengthen their posture. officials have long taken steps to build resiliency and redundancy in their position and evaluating the steps they take today. aging voting request has been at the forefront for years. the presidential report released in 2013 highlighted the impend -- impending crisis in voting technology. the problem and the effect on cyber security is multifacetted. first i mentioned that states run their elections differently. local election officials are strapped for resources and dry land -- reliant on vendors for i.t. support. this can make it difficult to make smart technology purposes and as an additional layer maintaining an additional posture. many are taking advantage of in state academics to make sure
-- and national resources to make sure that purchases comply with best practices. second, many jurisdictions have federal funds under the america vote of 2002. without additional funding, they cannot afford additional technology. we are encouraged to hear about the appropriations bill. a handful of states use voter technology with a paper audit trail. they are reliant on the machines because the records only exist in the machine. to be clear, we have seen no evidence that voting machines or election results have been manipulated or compromised in any election. but election officials must relay and vigilant. -- must remain vigilant. understanding these risks is important, but we should not overlook the safeguards to
protect the technology. there are thousands of jurisdictions and thousands of thousands of voting. the diversity and sheer member of precincts and machines. -- machines creates obstacles to a large scale hack. voting machines themselves are not connected to the internet, making them less susceptible and results release said are not the official results. every state and local jurisdiction conducts a canvas of results several days after to complete the official tale of -- tally of results. they are doing post election audits and many more considering risk assessment. in summary, they made great strides since the 2016 presidential elections and they cannot do this alone. if 2016 taught us anything, it is that we need a whole of show -- a whole of government strongh with communication across the state and local players. we appreciate this committee's recommendation yesterday and pleas that many of those are already under way.
thank you for the opportunity to share our thoughts and opinions and i am happy to answer any questions. >> eric, the floor is yours. >> chairman burr, vice chairman warner and other distinguished members, thank you very much for the invitation to testify. the committee is one of the very few efforts to address threats to the integrity of our democracy right now. i have great respect for what you are doing and generally thank you and your hardworking staff for all the work you are doing in your service. our response to vladimir putin's attempt to undermine the strength of the american democracy will be a defining issue. putin's attacks are not limited to elections. recent reports from the homeland security made clear that military intelligence operatives continue to conduct the steps
needed for a major cyber attacks against our energy infrastructure including pre-placing malware in the united states that they used to take down the electric grid in ukraine twice. imagine, if would you that we found out that soviet operatives placed secret explosives that take down the electric grid all-around the united states. would our leaders have stood by and debated the nature of the threat or would we act? over the past three years in both administrations, our national response to russian cyber and info attacks against the united states and our allies has been too weak. american and democracies around the world need action and given the current environment in washington, the senate intelligence committee will need to play a leading role in driving that action. in the summer of 2017, a little team up at the harvard kennedy school set out on a mission with one primary goal, to do as much as quickly as possible to help lower the risk of cyber and
information attacks on the 2018 midterm elections. so, this project, known as the defending digital democracy project, is a bipartisan initiative that i co-lead with robbie and matt, and we're developing real world practical solutions to try to defend against cyber and information attacks. it's a diverse team. we have technical experts, political operatives, public affairs ninjas and a hardworking team of kennedy school students who are working very closely with nas, nased and the department of homeland security. they've been truly outstanding partners, including several secretaries of state, mac warner in west virginia, denise in connecticut and allison in kentucky all part of the team. since then, our team has conducted field research and 34 state and local election offices, observed the november '17 elections in three states and conducted nationwide survey on cyber security in states and territories and engaged in state and local election officials in table top exercise at a national
level three different times. based on that research and our observation, we've released four different practical election related security playbooks, including for a political campaign staffs, local election officials, and two specific playbooks on incident response. next week, up in cambridge, massachusetts, we'll host over 160 state and local election officials from 38 states to run them through a series of crisis simulations that are structured to train and empower them to improve their cyber defenses and incident response capabilities. and to provide them with the tools to run these exercises back in their home states. this so-called train the trainer exercise, a traditional military army way of doing things, will follow up then with a hack a thon where we sponsored a national competition for student teams around the country to compete for three $10,000 prizes which will be awarded to the best developed tech and policy options to counter russian information operations.
now, i'd like to tell you to a little bit about our observations of the states. chairman burr, you asked about that. and the bottom line is this. state and local election officials are on the front lines of the effort to defend against nation state attacks on our democracy. they accept this mission admirably. our team has always been impressed with their professionalism and dedication. but that said, the states need more help. they simply are not equipped to face the pointy end of the spear of cyber attacks and information operations from advanced nation states. one often underemphasized issue is that the states along with the federal government and outside organizations need to continue to develop the capabilities for public incident response to information operations. so, not just the hacks but along the lines of what senator rubio mentioned, and information operation trying to sow distrust in the outcome of the election, even if a hack were not successful. one of the few real antidotes to
aggressive information operations like the russians regularly conduct is effective public communications about the true state of affairs. the work we've done at the kennedy school is really just a small part of the assistance that the states need and deserve to defend themselves. they need extra help. specifically, it will require a four cornered effort and all of nation effort, not just government. there is a lot that people not in the government can do now. the first is the state governments, which i think you've heard a lot about. second of all, we need to pay attention to political campaigns. they're the soft underbelly of this system right now. their cyber hygiene generally is not good and the overall chaotic environment in which they operate is not conducive to good cyber security. social media companies who must accept that our adversaries will continue to manipulate their platforms unless they
dramatically change their organizational culture and their operational paradigm. and finally, the federal government, which must better support state and campaign efforts, oversee social media, and lead in creating a credible national defensive posture equal to the cyber and information threats that our elections face. thank you very much. i look forward to answering any questions you have about any of our research and i promised your staff that i wouldn't go over five minutes. >> eric, thank you. thank you for your service on this committee. senator hagel would be proud of you as we are. i would note that today we're highlighting one slice of the russian effort into the u.s. democracy. it's the election process. when we've completed our investigation, which has been extensive, hopefully it will expose all of the portables that russia used to sow chaos and
societal chaos and everything else that they did. but you also mentioned a lot of things at the beginning that have not historically been on the plate to the senate intelligence committee that are now front and center, not because of the lack of interest of other committees but because of the unique expertise of the staff on this committee and the interest of the members, and so we're juggling a lot of balls in the air right now. with that, i'd like to recognize senator lankford for the first round of questions. >> thank you all for being here and the time you've dedicated to this already. let me ask mr. condos, about the recommendations that this committee has made on trying to make changes for cyber security whether that be systems that can be audited, whether that be --
obviously being separate from the internet during voting times, attentive when there are updates for software, even when you're not connected to the internet for those machines, having a way to be able to risk limiting audits, security clearances for individuals when they -- so we have a point of contact with dhs so they can do rapid communication. are any of those concerns to you or to your organization? >> let me speak on behalf of personally, not in the state -- not nas on this because we have actually not taken a formal position, because we just barely got the recommendations. >> sure. >> but let me just say that we have long believed that having paper ballots, having an audit, we've been completing audits since 2006, and to date, we've not had any anomalies from those audits. in fact, we do the audit that we do now that started in 2014 now as we call it 100% census because we do the entire set of ballots for a particular town, we do a series of towns,
randomly picked, and we do the entire ballot bag for that town that were cast and then we also do every race that's on that ballot from president on down. we believe that having audits is critical to this, and we are completely in agreement with that. and i think that some of the other recommendations that you -- aret forth our excellent recommendations. we're will be implementing many of them in vermont and will be. for example, we're adding two factor authentication for our local towns. we do not have county government in vermont. we go straight from the towns to the state so we're looking now at putting a two-factor authentication between now and probably may or june. >> can i ask you if dhs has been proactive to be able to help your state over the past year and in communication and ideas. >> so, let me just say that when
-- i think there was a lot of trepidation between the states and dhs in the beginning, but over the last -- >> when you say the beginning, are you talking about that august 15th call? >> i'm talking about from august 2016 to sometime last fall. and since that time, we have really improved communications and we're working well together. there are the obvious ups and downs that you have, but we are working well together, and i think that communication has improved tremendously. >> has dhs been an asset to you? >> yes. we do use the weekly hygiene scans and many of the other products that they give, we've already done, and we will continue to do. so, it's not necessarily -- i guess i don't want to leave the impression that just because we're not doing it with dhs, we're not doing it. >> i understand. they're a resource and they're to be available to you if you choose to be able to use those. there's a concern that some of us have that if an individual
state is attacked, that state identifies, i'm getting in some certain attack, and that information, whether it be the ip address or the time of malware, whatever it is, that the state picks up, if that's not shared with dhs there's not the opportunity for other states to also be able to check their system. how can we improve the trust level that when a state identifies, i'm getting an attack that's unique, that they share that with dhs and so other election systems can also check for it. >> let me explain what we've done in vermont. when we see an anomaly, what we think of as an anomaly in our daily monitoring of our systems, if we encounter something like that, we will automatically contact our fbi, dhs partners and msisac to let them all know and once we have -- they will tell us what they need from us and we provide that to them so they can look at it. but i think where you were going is the fact that if one state is attacked, all states are attacked, and that's the way we have to approach this. >> and one of the issues we have is that if one state is attacked, the other states might have been attacked and they just didn't pick it up.
it's exceptionally important that we have that two-way communication going. again, voluntarily, but it is good participation with us to make sure we can help each other. you mentioned as well duplication in your voter rolls. you said you to that every single day, to be able to duplicate voter registration rolls. >> we back up our system daily. it's kept for a period of time before it's cycled out. so at any given point in time, we could always go back to that date and reestablish and then we only have a small sliver that we have to authenticate after that. we also have same day voter registration so nobody will be denied at the polls. >> one quick comment and i want to yield back. thank you for all the work. you've been in quite a few meetings with our team and homeland security that senator harris and i have seen you oftentimes. you've done a lot of work on a lot of these issues, boots on the ground, and we appreciate your daily work on this and you've had some long days with your team, being able to work
through some issues so i appreciate your work. i yield back. >> senator harris. >> and i couldn't agree more with senator lankford. every day it seems like we're see you in one of these committees so thank you for your work. so, as everyone understands, achieving cyber security will be extremely difficult, in fact, some say we're never going to actually achieve security but we will try to do as best as we can. but there are no absolutes in this realm. so, the concern i have is that i think that there is a very real chance that when we're talking about the help america vote act of 2002, that it may be a simplistic approach to suggest that the hava grant program is the solution to election cyber security. and one of the concerns that i have heard and i'd like your opinion about it is that there's a very real chance that states
could acquire a new batch of insecure systems and ms. collins spoke about that concern as well, because they just don't have the resources and it may be the technical resources or advice or support to make the best decisions about acquiring the best and most secure equipment. so, what are your -- what is your perspective about that, and should states be required also to use those funds only for cyber security improvements versus other needs they may have? >> yes, ma'am. i think to start with, your idea and highlighting the risk mitigation in cyber needs to be much broader than just a technical cyber security issue so you talk about an incident response plan and leadership at the top. vermont seems like a model in terms of the secretary of state who can talk about two factor authentication and is doing all these things. >> and he's at this table for that very reason. >> exactly. but that's a rare thing and the states take this very seriously but that level of knowledge is a rare thing. and so the money will do one
thing, but it is leadership that is even more important and rehearsing what happens when you do get hacked or if you don't get hacked but the russians manipulate your information, that is very important. i do think having outside technical expertise that has no vested interest can be helpful to the states in trying to determine maybe how to allocate resources, right? i don't think that you want to make it bureaucratic because we need to move fast and things are already bureaucratic enough in government but some way to help the states, i think, would be appropriate. >> and so as you think about that, do you -- as congress considers appropriating this money, do you have some thoughts about how we can make sure that grant recipients use it in the best way, in the most efficient way? >> yes, ma'am. i think you definitely should appropriate it. there's no doubt about that. and a couple options would be something almost like the nis framework where it's agreed upon framework, you would never try
to stipulate specifically what they should do, because the diversity of systems is so great, it would never be exactly right. it would also change in two years. that broad type of approach, with some outside technical expertise, may be one option. >> assistant secretary, do you agree that there's a certain type of election interference that we should be concerned about that would target the so-called swing states or those jurisdictions within states that have been identified as perhaps making all the difference in terms of the outcome of a national election? i know we've talked a lot about the diversity and the number of jurisdictions that hold elections, but some, perhaps, are more pivotal than others as we have seen. >> yes, ma'am. thank you for your question. while our focus is on the security, not the political dynamics of elections, we do take a risk based approach to everything that we do with critical infrastructure in terms of how we prioritize, so what we
seek to understand is how would the adversary if their end goal was to -- whether that's to sow chaos and discord or to manipulate a voting process, what would be the most likely way that they would do that. so definitely include consideration of that scenario that you described as how we would think about a risk based approach to prioritize. >> and so that we can just take it out of the theoretical, there's pretty much consensus about what are the swing -- so-called swing states and swing counties. what i really hope and would like to know is that you and dhs has identified those perhaps as being priorities, knowing that foreign adversaries, russia for example, all they have to do is pick up the paper to figure out where they should target if they want to manipulate the outcome of the national election. >> we would -- yes, ma'am, we would consider those prioritys.
>> great. and my understanding is that basically if a state election agency is hacked, you pretty much send out a hazmat team to get right out there on the ground, boots on the ground, and do whatever's necessary to help the state in terms of getting back up and also figuring out, in a forensic way, maybe an investigative way, what you need to determine in terms of who was responsible, who the perpetrator is, where the specific breaches are and so on, is that correct. >> there are two models. one would be when we know whether the state -- this is applying the model we use for all critical infrastructure. a state oro where entity reports that they have had some type of unauthorized access and a voluntary request our assistance. our priority would be to deploy a team.
we were with the victim organization to remove the malicious actors from their system. we help them get back up and running quickly. in other scenarios where we have intelligence or other information where we think someone might be a target but we do not know, we do a hunt. it is voluntary. we work with that target daily. us connect to their systems and we attempt to search for any evidence of that adversary. sometimes we find them. or sometimes the entity blocks the intrusion. whenl of that work happens and if you have been notified by the state, correct?
>> in the former case it would require notification by the state. in the latter case, it would be something from the intelligence community, though it could be from the state. dhs is best able to do their job if there is that kind of notification and cooperation. >> yes, ma'am. >> thank you. >> chair would recognize himself and then members according to the site -- sin yard a. simplet me ask you a question. when you leave here today, are you thoroughly convinced that united states government does not want to take over the election process of states and localities? >> i am in that position right now, yes. >> we have accomplished a lot based on where we started. jeanette, let me ask you.
it seems identical while for dhs to come to a solid estimate about the number of states that were actually targets of russian attention and activity. this scamming activity through the fall of 2016. what is your confidence level in that assessment? based off of the visibility that we had at the time, which 2016, we are since confident that that 21 number is accurate. >> i will ask a very broad question. running upen things to the 18 election that concern you? an adversary might be testing the systems. >> not at this time, sir. state election officials
reviewed with our staff to of the dhs conference calls with states. one was in august of 2016. us was thatred with say that they did not understand why dhs was contacting them. there was little context of a call or to any threat related. is that what you hear from your members? i would say that in the august call, it kind a cop us out of the blue. we knew we were invited to this call. we were on the call. when secretary johnson spoke to us, about some of what was going on, we were not sure what was happening.
when he spoke about critical infrastructure, we really pushed back. we push back red states and blue states. we were looking at potential for a federal overreach. >> when i suggested him that the mere mention of state elections being under critical this was aure, passionate point for the state. i?idn't understate that, did >> no you did not. when secretary johnson actually the designation in january of 2017, it was not until july when we met in east that we got ayork presentation on what critical wasastructure designation going to be about. up to that point, we still
didn't know what was happening until then. >> we all agree on this committee that communication was poor. they were waiting for one-on-one calls from dhs to see if they were one of the 21. many of them reported that they were surprised by additional lack of details. n?at has changed since the what assurance can you give the states that we are on top of the number.
and that we have a plan in place. >> yes, sir. on some of the lessons learned over the past couple of years, our policy has always been, in order to notify a target or a victim of a toential cyber intrusion, prioritize communicating with them. participate and have sensors. it was usually the state cio for the msi. we prioritized her existing protocol notifying those victims. what we did not fully appreciate at the time, and through those multiple conversations in 2017, was that just by notifying that victim, that did not necessarily mean that the senior election officials received that
notification. it was at their request that we undertake that brought notification in september. while we did notify the potential targets for the victims when we saw the activity , it was notifying those senior election officials and giving them more insight. is, we do note always have perfect information. we prioritized notifying a target even if we do not fully understand what is going on. conversation, by being able to deploy our response team, it will help the community learn what is going on. notified in 2016, we did not fully understand what .as happening we knew was coming from suspicious servers. now, what we have done is working with the government
coordinating council and representatives, defining who those points of contact are. the states provide those points of contact at the state level. we have the appropriate mechanisms to ensure that we get that information. we are not waiting for clearances. if it is information we cannot we will ensure that even if we cannot declassify, we can provide them additional context. those are some of the things we have improved over the past couple of years. >> thank you for that. brief question and brief answer. as an outside entity looking at this process, what letter grade collectively, us, on the progress that has been made a snap-on the threat that you saw -- based upon the threat that you saw? >> that is a hard question. this is what i would say.
i would give you a b. >> i'm talking about the whole government. because dhs has been working very hard to rebuild that trust with the states and with other organizations so that they can do better. working hard can overcome not having a lot of capacity. is not like dod. it is not as good as it should be. >> i think we all agree. we have more to do. >> thank you. the concerns that were raised by the states when i got the call from secretary johnson. history has shown that designation was correct. i am appreciative of the recognition.
the notion that we have worked through some of the security clearance issues and that there is better communication, i want to commend your efforts. my first question is a speculative question. we know how vulnerable now our systems were. i know the hack caps on that took place last year, every machine was broken into quickly. one of the things i always wondered, with the capabilities that russia clearly has, and the level of sophistication of their cyber activities, the fact that they only scammed 20 states and broke into one. would you speculate whether their goal was to go in and change voter totals in 2016 or whether it was just to leave
digital dust that might then be interpreted as outside interference that someone could then be used to stir up dissension as a kind of concern? either one of you want to try on that? that, in what the russians were trying to do, which we have talked about a lot. it was to sow chaos and confusion. believe, while this is my opinion, that by scanning systems they were looking for vulnerabilities. they were looking for weak points. the good news is that most of the states deflected it. that is something that does not get talked about a lot. they scanned, they look for weak spots, and the state systems deflected that.
that does not mean there are not continued vulnerabilities. that is what they were likely looking for. >> i would start by saying, i have been working in cyber intel for over 20 years. i am not basing this on intel. it is speculation. i do not believe there is not more to the russian story. they may not have penetrated more than we know right now. that has always been the case when i have seen these advance russian actors. does like we learned more about them being in the energy grid. my fear is that, if you look at the doctrine in the way clinton is now, recently reelected, this is about something bigger. ancould be when there is
escalation of tensions and they know they have malware and our grid. they will be a threat and a type of coercion that advances broader national security interest. i do not want to sound shrill. that is my assessment. >> i agree. one of the questions i raised on the other panel and want to raise again. how do we make sure that your wasors -- my understanding that a study showed that over 60% of american voters cast ballots on the system operated by a certain vendor. this was back in 2012. there are these large vendors. how do we ensure that they are up to security? are you auditing that? let me start by just saying,
we build it into our contracts with the vendors. we require them to meet this standard if we are buying new equipment. it has to be eic certified. those of the ways you can do that. get them involved. we also have our own independent that will dos penetration testing. we will do risk assessments to determine whether what we have is what we hope to defend. many of the states, the idea of putting an -- stuffed into the contract, i think that has changed over the last two years. when we first proposed it, we were told, nobody does it. now it is becoming standard, at least in our state, for all i.t.
contacts. we are moving in that direction to protect ourselves. >> i would add that many of the changes that we have seen in the election technology space have been consumer driven over time. the secretary's point is a good one. as we educate state and local education officials to understand what they're putting in their contracts and give them eic, like like the the belford resources and others, to make sure that they are putting good things in their contracts. we will start to see a shift in the vendor area. >> my time is expired. i would commend my colleagues that work at the belford center. the question around campaigns. these are the ultimate startups. huge vulnerabilities. we obviously have a whole segment of our government, the secret service, that protects candidates.
i do think we are going to need best practices and to think about how we can put those best practices out there in terms of protecting campaigns. this could be a next layer of vulnerability. having been involved in campaigns, at least in the past, cyber security has been one of the last items you look at as you try to put together. i commend you. good work there. sawf you thought we bushwhack from state election officials, i cannot wait to see the pushback from campaigns. i would also agree that they are an extremely vulnerable part of our whole election process right now. they are the most vulnerable. it is very chaotic. resource constraints. all the things that lead to poor cyber hygiene. the likelihood is that when theeturn from the easter --
senator will be a chairman of the rules committee where a majority of the federal statute changes, relative to elections, will fall. i think senator blunt from being integrate involved in this process. he will be involved in the next iteration of this, as well. >> thank you. we will see how that works out. we will expect to see you all back when we actually look at legislation. i want to see if i can't cover a note -- a couple of topics with the whole panel. you were all here for the earlier testimony on notification and public notification. we have dealt with this and other areas before and have come to the conclusion that public notification was not necessarily helpful. generally, not desired by the people you were encouraging to report in.
what is your view of that topic? of whether states and local entities are less likely, more likely, helped by some public disclosure that someone attacked your system? does that make it a different kind of decision when you report and what you report and -- in? we madeyour view of, if that, if we required them to report when you report into them? >> state and local election officials balance the right to know and transparency with impacting voter confidence in the system. i can't comment specifically about whether i think they should or should not make it public. it is a difficult balance for all election officials. the public does have a right to
know, as we have discussed throughout this hearing. balancing voter confidence and not impacting people's confidence in their election system and the outcome is something that has to be taken into consideration. >> what are you and your colleagues likely to think about that? >> i will speak for myself. , as ms. cohent just said, it is a balance between transparency and privacy. we have to be careful about that. that if some of our citizens information was actually accessed, they deserve to know that. a target or a scam -- it is important that we use the right words. during that discussion about the 21 states, they were talking about targeted scans, hacks, breached.
target, whichor a is similar to a burglar walking up to your house and trying the doorknobs are looking through the windows. we have to be careful about how we use those words, because they do matter. think there is some likelihood that there will be some public announcement in people's information was actually accessed. i caution that we have to be careful. you want the incentive to be on the states to notify their partners that things have havered or may possibly occurred. you do not want it to be a disincentive. >> secretary manford? >> i would agree with my colleagues. this is not just an issue for the sector. it is across all sectors. we very much would like them to voluntarily report incidents to us.
particularly if we publish a document asking the industry to ofk for indicators compromise. it benefits everybody. it benefits the government and our defense. as far as publicly talking about it, i agree that individuals have a right to know. when their information has been stolen or tampered with. many states have different laws governing that. i do think -- we always have to balance the public confidence in our system. before, austin you know the fact of an incident but not everything about it. you do not know what was taken. it is hard to convey a lot of that nuance publicly. i know it is complicated and challenging. i look forward to continuing to work with you on this issue.
i would prioritize notification of the department over public notification. >> in case anybody is paying attention to this, the information in your voter registration file usually is not as extensive as the information in lots of other files. your social security number, things like that that we have seen large segments of information being accessed improperly. the footer registration file does not have a lot of that in it. registration file does not have a lot of that in it. >> and matters most of it is a compromise. if it is a compromise, it requires disclosure to the hill for certain. you have to disclose it to the public. here is why. ands a most important -- possible to keep a secret. when something like that comes out in a leaked way, it undermines the public confidence in the government and what they are doing. ithough it is very hard,
think you just have to air on the side of publicly communication -- communicating about these things. doing that over and over. otherwise you create a new scene for the russians to try to get in and so this disinformation. how you define compromise matters, too. people have reason to believe they will be directed to the wrong place. anything like that, as opposed to there was an attempt to get this information and we are confident that that attempt failed. other entities may also be having the same kind of attempt. we do not have time today, but the whole idea of the audit system. the paper trail. all of those things. who was doing that, who is not, provisional voting, things i can theyvoters a sense that are going to be able to cast a ballot they intended to cast and without a government that stands in the way of doing that.
to recap a little bit from this morning, i talked with secretary nielsen about the 43% of americans who vote with voting machines that researchers say have serious flaws, including backdoors, which would make them susceptible to fraud and hackers. she claimed that this is now a national security problem. she said best practices are paper ballots. that is encouraging. i want to go a little bit further. i think this is an area that may be a part of your expertise. the main your mac to vectors -- the major manufacturers of boeing airplanes. i asked if they employed cyber security experts, if they were audits, and if they had ever been hacked. have juste companies
been stonewalling. this is how almost half of america votes. there is essentially no over theseity companies. my first question would be. if the voting machine companies do not employ cyber security experts, and they do not have independent audits of their youucts, how confident are that the election technology they sell to the states follow cyber security best practices? i will do my best to answer those pieces. we have been talking up bought -- a lot about our work with state and local entities. we have also worked with the industry that supports election officials. most recently, setting up a sector coordinating -- it allows
us to use our critical infrastructure partnership to have nonpublic conversation with industry on security issues. those manufacturers and others are participating in that. our partnership with them is more recent than with the state and locals, as my colleagues have talked about. the importance of state locals and businesses everywhere in ensuring that they require separate security best practices for their vendors. it is important. i cannot comment on the specific statistic. i'm not familiar with that. the question is, ma'am, how confident are you, as of this afternoon, that the election technology that they are selling to the state follow cyber security best practices? >> sir, it is hard for me to judge right now.
i do not have perfect insight into the machines that the states by. what i can tell you is that many of those manufacturers have submitted their equipment through voluntary compliance and thes run by the eic dhs that include a code review. states use mechanisms for assuring me a security of the systems, whether they mandated or do it voluntarily. i can tell you that many of those machines that researchers say have vulnerabilities or other issues, those can only be exploited when an individual has physical access to those machines. officials have other mechanisms that they put in place to ensure that that physical access is not possible. >> let me be specific.
there have been press reports that the biggest company actually stipulated that remote access hardware be installed in the machines. correct, and that is why a very much want your agency to get back to us, i think my time is almost out. i would like you to get back to me with a written response to my question, how confident you are that this technology that they sell to the state follows best practices. i heard about the voluntary certification and the like. thatyou read press reports the biggest seller of voting machines is doing something that islates cyber security 101 actually directing -- you install remote access software that would make a machine like
fraudsters andor hackers, you say, boy, we have to beef up what we are doing in -- doing. is aecretary said, this national security issue. she wants best practices to include paper ballots. can you get back to me with an answer within a week? >> yes, sir. remote access software is only useful to an attacker if there is an internet connection, which the states do not allow. i will let you get back to you. >> and press reports are talking about it, we have to at least get an assessment from you with respect to how confident you are. >> you look like you may have wanted to comment on that. >> thank you. by the press reports, the press reports initially said that there was remote access
software. i believe there was a follow-up from, perhaps that software company, that said that they do not use it. that was something that was just here from ms. mantra. that will be in writing within a week. >> senator. >> thank you. mr. roebuck, i want you to be shrill. tell us in 30 seconds about general harassment. mouth g --caress heralrasmov believes -- was the second ranking person on the russian staff. in charge of cyber at the pentagon. there was a time where we talked to the russians, a three-star, number three ranking guy. he was taunting me. guys are so dumb,
here building a site -- cyber command without information operations. is howtion operations you take a country down. >> they hacked the joint chiefs of staff. they hacked the democratic national committee. not, you are grading on a curve. you said it was a b. i think you are giving us too much credit. >> a "b" for effort. >> where i'm from, effort doesn't count. sleepdoesn't mean you can well. the russians, they're very good. they have capability and they are mean. they have interests directly opposed to the united states. they have motive. >> welcome from vermont. we think of vermont as the west coast of new england. i understand that in senator langford's bill originally,
there was a red team provision that would have had a hacking team at dhs or somewhere, practice, and that the states oppose this and it was dropped out. is that true? asked i'm not aware of it. i can't answer that. >> do you think it would be a good idea? >> many if not all of the states are going through penetration testing already, the same thing you are talking about. professional folks who have tried to hack into your systems were already doing it. we've done it in vermont, continually do it as we go. >> i hope it's being done at the highest level. i understand there was a hackathon last summer, where tried, managedey to penetrate, the results were devastating.
i hope this is something that's being taken seriously. i have to worry that there is an ofrconfidence here, in terms the sophistication of our adversaries. cracks if there was a hack last year -- >> i don't know about the states. it was the number of states. i don't know if it was 50 states. also, you mentioned you thought one of the strengths -- and i thought this to -- our system was so decentralized. don't have many election system -- do you know how many election system vendors there are? >> i don't. >> my sense is there aren't very many, and they are getting fewer .nd fewer all the time anybody know how many election systems have foreign owners? >> no. >> i don't have it with me. >> owes going to ask you. if you could give us a report on
how many vendors there are, and what the ownership structure of those vendors are. a point that has been made ought to beat's reiterated, they don't have to change votes to win. they just have to show lack of confidence. people lose -- lose confidence in the electoral system, the democratic process. to much aboutked legislation -- registration or election night reporting. what if they hacked into that reporting, and election night reporting turns out to be wrong the next morning? that would be chaotic. i understand the issues of transparency, but we have to understand that they don't have to get in and change votes to achieve the results. do you agree with that? they've done that, they did that in the ukraine. they hacked the webpage used to
publicly announce the final vote coming used misinformation, and ukraine was left in chaos trying one .ure out who -- won. about votingalking machines connected to the internet, how about the lines from the associated press to cnn , because it made -- that may be a place where there could be mischief? yes, sir. we focus mostly on voting machines, but that's not our exclusive focus. we are concerned about the entire process secretary nielsen outlined, everything from registering to the final certification of the vote. and as former secretary johnson talked about, the associated press engagement. we remain focused and thinking about if an adversary is trying to undermine confidence, what are the ways to do that. we've published best practices on voter registration systems. we worked with states on everything from voting machines to election management systems, which, you know, can
include tallying, the how we secure the secretary of state website, how we think about unofficial election night reporting, how we think about crisis communications if there is misinformation on the day of an election or immediately following, so we are trying to take a very wholistic approach and not just thinking about voting machines, and in fact, one of the -- using this risk based approach to it, and thinking about the difficulty in actually trying to manipulate a vote itself is why we prioritize engagement on those systems that are connected to the internet, like voter databases and others that could cause that misinformation issue. >> thank you. and i know i'm out of time. mr. rosenbach, yes or no, do you agree with the contention that we -- this country, aside from all these did he haveefensive measures, needs to develop a strategy so our adversaries know there's a price to pay for these in incursions incursions. >> yes, sir. >> senator collins. >> thank you, mr. chairman.
secretary manfra, senator heinrich and i wrote a letter to the department asking specifically whether or not you needed new statutory authority or funding in order to help state election agencies and ensure the integrity of our election systems and the voting process. i personally am surprised that the department has not been more proactive in that area in submitting requests to the congress. what is your answer to that question? does dhs need additional authorities or additional funding in order to assist states and ensure the integrity of our voting systems?
>> yells, ma'am. thank you for the question. on the authorities piece, i would -- we have the authorities we need right now to do our job, thanks to the work of this committee and the homeland committees, frankly, over the last few years. we have very broad authorities that we can apply. we're continuing to build the capacity and the capability to fully execute those authorities. we have -- we have reprogrammed money. we have reprioritized money. that does mean that we have had to lower the prioritization of other entities receiving our services, whether those were federal or other critical infrastructure but we felt it was appropriate for the risk. we have spoken with appropriators and others to ensure that we do have the resources that we need to continue to prioritize elections in addition to our other missions. >> well, you certainly need to prioritize elections, but you also have to be
cognizant of other critical infrastructure, such as the power grid and natural gas pipelines, so more specifically, are you going to and have you requested additional funding to ensure the integrity of our elections? >> yes, ma'am. we have spoken to the appropriators and requested additional -- >> and how much additional funding have you requested? >> approximately $25 million. >> well, i would note, mr. chairman, that i believe the bills that many of us have cosponsored call for far more funding than that. like $386 million. and i know you've worked hard to get it into the omnibus bill. secretary condos, i apologize for being out for part of your testimony. much of the q&a, due to another commitment that i have. it's my
understanding that at least until recently, you've been pretty disappointed with the level of communication between the department and your office. i'm curious whether you're one of those lucky 21 of the 150 state election officials who has received a security clearance. >> first, let me say, yes, i have received my clearance, so i'm fully cleared at this show -- at this point. secondly, i will say that i'm not sure that that's being lucky or not, but -- >> i was being facetious, actually. >> but you know, i think that the communication levels between the states and department of homeland security have improved greatly, specifically in the
last six months, and i think we're on the same page and we're working to secure our election systems. >> finally, let me ask you, a state election officials have expressed apprehension about the risk that being too public about the threat that we face might provoke exactly the impression that they're endeavoring to dispel and that is that the nation's voting systems are insecure and subject to compromise and thus they help the russians and other foreign adversaries achieve their goals. i would note to counter that that when the french and the german made very public what the russians were trying to do in their elections, it had a beneficial impact on the public and the public was much more wary of fake news stories or other issues. in your view, how do we strike the right balance
in, for public communications, concerning threats to our election infrastructure? >> as far as the threats themselves, i think that we should be communicating with the public to let them know what's going on. i will say that in our state, we are right now preparing for an early april cyber summit that we're going to do in vermont for the media, for the public,public, for the legislatures so they are aware of what is going on and where we are going. and how we are set up to fend off any attacks. it is important, i think it is very important to know that the bad actors that try to hack us yesterday are going to try a different way today and are going to be different tomorrow.
-- date you evolve probably, not probably, but they evolve far quicker than any government can set up. so what you need to do is make sure that you have the protocols in place and the processes in place and that you have the defenses in place in hopes to fend those off. no computer is safe from a hack. every computer can be hacked if it's out there. and what you want to do is make sure you have the proper defenses in place. >> thank you and mr. chairman, thank you for and advice chairman for this excellent hearing. my final message to dhs is again, to stress the urgency. everyone seems focused on the november hearings. we're having elections right now. the bi-elections, special elections and primaries coming up now. we can't wait. we can't just be focused on november. thank you, mr. chairman. >> thank you, senator collins. we have exhausted the questions, i'm going to turn to the advice
chairman briefly. >> i want to first of all thank the panel and echo what senator collins said. but i do think echoing what she said, there's been progress and a recognition of how significant it is. because of the omnibus because of the work done by members of this committee that some of the resources that the state department is looking for will be there. we're going to want to see regular milestones on how we move forward on that. i want to echo what senator king said. we spent a lot of time in closed sessions on this. the need for our country to have a articulated cyber doctrine. that's going to raise a lot of tough questions and raise questions about where does the responsibility lie to report? how far done does it go? it may raise questions around software
liability which has been an area that has been not talked about for years, but in this new realm of the level of vulnerabilities it may have to be explored. i know i gave secretary manfra challenging times last year. but across the government not just the election, the slowness of getting security clearances. we had a good hearing yesterday and a public one a couple of weeks back. it has to be a priority. 700,000 in arrears and we have a few e being elected officials. we need more officers to have security clearances. a lot of work to be done. i want to close and not all of the members are here but thank all of the members from both parties who have worked so diligently on putting together a legislative effort that i'm proud to
cosponsor and shows the kind of commitment to the committee to investigate looking backwards and laying out a solution-sense going forward. and i would point out, yesterday, at the press conference we had virtually every committee member and that's good work. >> i thank the advice chairman and the panel. you have provided us some great insight, not just today but on an on going basis and we are grateful for that. the legislation is not legislation from this committee but it is important legislation and there's others out there and senator blunt and probably the government reform or government oversight will have jurisdictionally have pieces of it. and i have joined senator warner in cosponsoring the
legislation that that we finished this portion of the investigation. i want to thank each of you for being here. the host still nation seeking to invade networks, essential to the functioning of our democracy. while the collective insight is limited and based in large part on state-self reporting. when they saw a problem that the committee found the damage was limited. no votes were changed and only one state reported an actual penetration of voter registration database. still, given the kamtscapabilities and the intent of russia, the lack of resources available to most states. the
committee remains concerns about potential future attacks. states should not be asked to stand alone against a nation. we heard today from dhs how they learned course-corrected and become a true partner with the states. we commend you for that. dhs needs to continue to rise to the challenge with more resources if needed, and they need to tailor their systems to where the state's needs are. we heard from nasa and how the states feel about suddenly being in the cross hairs of a host still foreign power. and we heard what states need to do to secure their election systems. the witness lineup today made clear of the decentralize systems at the state and local level. pair wd capability and resources at
the federal level. we have to have a solid deterrent. a deterrent to activities like this in the future. any host still power that seeks to undermine the fundamental structures of our democracy, should be prepared to pay a hefty price m the close of this hearing includes chapter one of the committees investigation. we have shown through our work today that these issues go beyond party politics. we may disagree on some things but we agree that we need to take steps to make sure elections are secure. -- we now hand this over to the rules and the governor affairs committee to consider legislative approaches within the jurisdiction. i would like to take a moment to thank the committee staff for their work. the staff involved in this effort worked tirelessly with few days off over the last 14 months in a politically charged
and demanding environment. they are talented, professionals and they are focused. and they have done outstanding work for the committee and most importantly for the american people. while their names won't be on the report, and probably and hopefully will never be released publicly, they should know just how much we appreciate their hard work and how beneficial this has been to states, localities and to the american people. once again, thank you for your testimony today. this hearing is adjourned.