tv Newsmakers Jim Condos CSPAN July 22, 2018 6:00pm-6:34pm EDT
>> here on c-span, "newsmakers" is next with vermont secretary of state jim condos, followed by a house hearing on the use of virtual currency. at 8:00 on q&a, grace cannon warnecke talks about her memoir "daughter of the cold war." susan: on your screen is jim condos. he has been since 2011 vermont secretary of state and just recently in philadelphia was elected president of the
national association of secretaries of state. he is here to talk with us about security going into the 2018 midterm elections. let me introduce our two reporters asking questions today. reid wilson for the hill coming back to "newsmakers." nice to see you. and eric geller making his first appearance is politico cyber security reporter. as we get started, on your twitter feed is a statement your office released after the summit between mr. putin and president trump and some strong criticism of the president. some of what you said is his words make the secretaries of state job harder and the president has let the viper into the sandbox. can you tell us how the president's words in finland makes your job harder? jim: first thing i would say is, as we all know, vladimir putin and russia are adversaries of the united states.
there is no question that russia through their military and cyber security attacked our democracy and essentially we have attacks by soldiers, but this was an attack by cyber. frankly, it is really against everything we do as secretaries of state. we come from red states and blue states, but we are all concerned about the attacks that have occurred. reid: the vast majority of secretaries of state across the country are the chief election administrators in their state. how concerned are you about the possibility of more cyber attacks ahead in the november midterm elections? jim: the briefings we have had and what has been reported is that the russians will attack us
again. and i don't see any reason why they wouldn't. we had secretary nielsen speak to us at a luncheon in philadelphia. she as much as said the same thing. for us as secretaries of state across the country, we have been focused and working to overcome the issues around cyber security. keep in mind prior to august 2016, cyber security -- we were concerned about, but nothing like what happened after august of 2016. since that time i think all 50 states have been focused. eric: there are five states that completely use electronic voting machines that do not have a paper record. those states have told us for a story we recently published that they are not going to be replacing those machines before the midterm elections. they don't have time, even with the federal money that they have. do you consider that a concern
and what would you say to those secretaries in those states moving forward about getting rid of those machines? jim: let me be clear, i will be speaking not as a nas president but as a vermont secretary of state. here in vermont, we believe that paper ballots are the correct way to go. we do a post-election audit immediately within 30 days of the general election. and we will continue to work that way. i think that a best practice is to have some kind of paper trail, paper ballots or some other form of paper trail. jim: talk about the steps you have taken in vermont and other states have taken. what can you do to secure your state? jim: let me start by saying we started in 2013. i asked my i.t. director how we were set up for cyber security.
he said he thought we were in pretty good shape, but it would not hurt to have a separate set of eyes. we hired a state-approved vendor to do a complete vulnerability assessment on our physical, and cyber risk assessment. as a result of that, we have been ramping up ever since. we have put in place -- as i said, we have paper ballots, post-election audits, back up our voter registration database on a daily basis, so even if we were hacked, we could go back 24 hours and reset it. we also have same-day voter registration which allows any voter that shows up at the polls on election day to be able to vote. so even if there was a problem, we would still get people to vote. on top of that, we have all the usual stuff. we have web application
firewalls, a monitor to monitor all incoming traffic from the internet to our site, and it is a real-time monitor. the information goes back to the center for internet security and they can tell us within 15 minutes if we are under attack or not. we have shored up every one of our portals into our site. we are continuing to look at different things we can do. for instance, we are adding two factor authentication as we speak. we are just about to roll it out. it has been in testing in the last two weeks. and it will be in place before our statewide primary on august 14. susan: has the system detected any attempts at hacking? jim: we have not had any attempts. let's be honest, every website in the country is getting scanned every day. the question is, are you putting
up enough defenses to defend against them? for instance, we received up to 2 million scans a day. we estimate that about 40%, 800,000, are what we consider unauthorized. we blacklist a lot of those so they can't get back through. so there is a constant upgrade we have to do. remember, cyber security is a race without a finish line. we have to continuously evolve and try to stay ahead of the bad actors. what they tried yesterday, they will try a different way today and a different way tomorrow, so it is really incumbent on us to focus and stay vigilant on our systems. i think most states are doing that now. reid: there is the secure elections act from james lankford and amy klobuchar that would institute information sharing, get security clearances
for state officials, really try to streamline the process. i know the bill has been significantly changed in consultation with other secretaries. what is your position on the bill? jim: as i testified, i support the bill as is. whatever that means. i was a former legislator. i know it changes from day to day or could change from day to day but i support what we saw before. the only thing i would like to see is some kind of funding mechanism reinstated. they originally had money in there, but they pulled it out when we received the omnibus bill. it was really left over money from 2002. i do support the bill. there are certain things in the bill that are good for all states. we were asked by the committee to voice our support. it was myself, secretary simon from minnesota, and secretary ashcroft from missouri. the three of us were there.
jim: congress has allocated $380 million to states around the country to upgrade voting systems. how are you spending that money in vermont? jim: we received our money already. we were in the first group that received its money. we received about $3 million. part of it is being spent right now on a new accessible voting system as we speak. again, we are adding to our portfolio. this will allow anybody with a physical impairment to help us meet the mandate of the ada and be compliant with it. we also are using it for the two factor authentication. we have done some penetration testing. we will continue to do ongoing penetration testing. the most recent penetration test was completed at the end of april. we received our report in the beginning of june. it basically labeled us as one
of the leaders in the country in this area of cyber security. they could not find any real problems with it. one of the main factors or main recommendations was to add two-factor authentication, which we were already in process. reid: is $380 million from congress enough to fix the problem? jim: no. to put it bluntly. let's keep in mind, back in 2002, when the act was passed, there was $3.9 billion. this $380 million is what was left that had not been appropriated. it had been approved in 2002, but not appropriated since then. we had asked our senators to help us. i asked senator leahy, the number two on appropriations to do what he could to help us get that money. if we were waiting for the secure elections act, that has
not even passed yet. if we were waiting for that, the money would have been absolutely no good. many states are using this for cyber security issues. as far as equipment, i think the estimate is somewhere around $1.2 billion or $1.4 billion to replace all of the equipment in the country, but it is an ongoing battle. we will continually move forward. i think congress needs to come up with some kind of funding mechanism that is sustainable year in and year out, not once every 10 years. eric: the head of the cyber wing of dhs was at a "washington post" event and said if states ask for more money, they need to be clear what they're going to use it for. they can't just ask for more money. they need to present us with an outline of how they plan to spend it. as a general rule, do you think that is fair that states should come to washington and say this is how we plan to spend the money
before they say give it to us? jim: as part of this money we just received, we had to file by earlier this week basically a narrative with a spreadsheet showing how we are going to spend the money we just received, so i have no issue with that. there are plenty of things we could do with the money. we do plan to put new machines in place -- our hope is before 2020. our original schedule was 2022, but once we received this $3 million, we decided we could move forward and step it up. keep in mind, every state is different. i think there is at least one state right now that has not received the ok from their legislature or governor's administration to accept that money, so every state has different rules for accepting grants from the federal government, and the same goes for procurement. once you have written your rfp,
it can take up to three months to get a contract in place, and maybe even longer. for any of these states that are not able to move forward on actual equipment, it does not surprise me because the procurement rules will be something that gets in the way. reid: before the 2016 elections, the obama administration proposed making election infrastructure -- critical national infrastructure, giving it more protection and involving the feds in what had been entirely state-run election systems. there was a lot of pushback from secretaries of state across the country. democrats and republicans alike. i wonder if you could describe those tensions. why wouldn't people want election infrastructure to be monitored by the feds? does that tension still exist? jim: well, let me be clear. i was one of those pushing back
in august of 2016 when it was first brought to our attention. part of the reason is we were not told what a critical -- we kept asking what is critical infrastructure? what does that designation mean? we were not getting satisfactory answers. again, you said it, red states and blue states. this was not a partisan issue. we were absolutely struggling to understand what it was that it was going to mean to us. it did seem to us that they were looking to take over our elections, which have been for a long time considered a state function. i am of the camp that we should have some national standards on things. that is why i have been a supporter of the election assistance commission. to me, it is unconscionable that it does not have a quorum. it is unconscionable that the
funding for the eac has been reduced. i think that is one area we could do better on, that congress could do better on, that the president has to do better on. eric: i'm curious if you would like to speak to the question of whether the white house should be coordinating strategy. obviously dhs has been working closely with you and other states. when i talk to people at dhs and the state level, they say they are not seeing white house leadership on the issue. do you think that needs to also be there or is it sufficient to have these contacts with folks at dhs? jim: all these federal agencies report to the president. yes, i do think the president and the administration have to take a leadership role in this. in all the discussions we have had with dhs and the fbi over the last two years, one of the things that has become clear to us is we have all these agencies, the intelligence
communities that are united, unanimous that the russians attacked us, that the russians will attack us again. and we have to be able to work together. unfortunately the person at the top has not been supportive and has sent mixed messages, and that makes it difficult on us as secretaries. susan: this week, democratic and republican members of the house sent a letter to the president suggesting the creation of an election securities coordinator, or in washington parlance, a would bring together all the stakeholders in this. do you see that as a viable proposition? jim: this is the first i have heard of it. so no, i cannot answer the question. i will say that we have the eac in place. we ought to utilize their services. they have in the past done testing, approvals, and
certifications of voting equipment. you know, again, they need a quorum and need funding to do their job better but we have the mechanism in place. we have the structure in place. we ought to utilize what we have instead of creating something different. however, i don't know how they are talking about this elections czar or not. but i want to say -- department of homeland security, we had a difficult time in the beginning. communications were not great. but in the last year or so, you will find most of the secretaries will say the communication level has improved and increased. and we are now on the same page. we have a governing council for the election infrastructure. that governing council oversees the policies basically we are going to follow. i am on that committee. we have an elections information
infrastructure committee as well, which is separate. sub to the governing council. so we have the frameworks in place. we just need to work together. and the department of homeland security has been very supportive in providing resources to us. one of the things that vermont has been doing since the fall of 2016 is a weekly cyber hygiene scan where they take a look at us every week and provide us a report to see what they find. they have other resources as well, penetration testing, vulnerability assessments, and there are many other projects they can do for us as well. they are providing these at no cost to the states. so i think it is something that gets lost in the discussion. today, i would say the elections community is in far better shape than it was in 2016. susan: we have six minutes left. eric: there are a couple of different elements to any
secretary of state's job. there is the voter registration side of things. where people sign up to vote, and you keep the records and all that. and then the voter tabulation side where you are counting the votes in deciding who won. as i understand it, it is the voter registration side that has been vulnerable to these attacks and scans from russia and other outside actors. how concerned are you that those scan attacks might impact the voter tabulation side? can someone go in and change the numbers in an election? jim: as far as votes, you mean? reid: yeah. jim: i don't think they can get in and change the votes themselves. in fact, in 2016, the report was that not one vote was changed, and we agreed with that. we did not find any state that had a disagreement. i think one of the fallacies -- it literally took several months before dhs had understood that
none of our election equipment, our voting equipment, is actually attached to the internet. they are not connected by the internet, wi-fi, hardwired. they are not connected. they are separate, standalone units. that is what makes our systems what i think much more secure because they are decentralized. however, we have our election management systems, and that is where we usually find the voter database, the registration database, election night reporting and other things. so those are the areas that we really need to shore up. as i said, we think we have done that already in vermont. i believe my colleagues across the country have been working to do that. when we were told in august of 2016 that there were 21 states that had been attacked, there was only one state that had actually been breached. to this day, the report this
past week was saying there was one state that had been breached. i think what gets lost is the media has been very clear about focusing on that one state. but what i think is lost is the other 20 states actually fended off the attacks. that's what we hope everybody is doing. fending off these attacks is a constant battle, it's ever-changing, ever-evolving and we will continue to be focused on it. reid: you're saying the election night reporting might be vulnerable to an attack, so the numbers that come in on election night might not be the actual numbers that you then report on a secure system that is not attached to the internet? jim: well, let me be clear. election night reporting, i believe in every state -- i can't say that for sure -- but i know in vermont and every other state i know of that has
election night reporting, the website actually says if you go to the website, it will say these are unofficial numbers, unofficial results. in vermont, for instance, we do not certify the election until seven days after the election has occurred, and that is when we actually do that. so the election night reporting site is not interactive with the vote counting site. they are separate sites and they have a separate portal. eric: what about the companies that make voting machines and election management systems? they are making products for critical infrastructure, not unlike companies that make power plant controllers. things like that. it is considered critical infrastructure now. do you think those companies should be regulated more tightly the way other companies making critical infrastructure are regulated for you have to have an independent testing or certification. right now the eac has a certification system, but it is
voluntary for states to adopt. if the state doesn't adopt it, the vendors can sell them products that don't meet the standards. would you like to see those vendors regulated more closely? jim: i think there ought to be a little more regulation of it. i don't know to what level. i will tell you in vermont, the statutes give me the power, but we have rulemaking and our rules state we will use a uniform machine, a tabulator throughout the state. we now have strict guidelines for how that machine, how that tabulator is chosen. one of them is that it be certified. i get to review the certification. my i.t. team gets to review that certification before we make a choice. we will be making a choice probably in the next year for a new system. two things i can guarantee you. one, it will be a certified machine. two, it will be able to accept
paper ballots, and we will have some kind of a paper ballot system. susan: we have one minute. either of you have a final question? reid: a few years ago before the russians got involved, the trend was angling somewhere towards internet voting. there are some states that deal with internet voting for people who live overseas and in the military. how does this impact any move towards internet voting? do you want to see internet voting in the future if it can be totally secured? jim: well, i will never say never. frankly, i don't think it will be in my lifetime. i think that internet voting -- i know a lot of millennials and young adults would love to be able to vote on their telephone, cell phone, but that's not going to happen in the near future. i think there are ways it can be done. one way that is being tested
right now, piloted in west virginia, is using blockchain for overseas and military votes. there are also ways we are looking at a secure web portal that you have to have passwords, gets password-protected, to get into to process your votes. we do send ballots overseas by email. by email -- by email. we will pdf a ballot across the oceans to make sure we get there as quickly as we can. keep in mind, the vermont law, many states have a law that requires the ballots be received by the close of business on election night, so for vermont, 7:00 p.m. on election night. if someone calls us on a friday before the election, the chances of them being able to get a ballot back to us from overseas are pretty slim. however, if we can find a way to do that, we would be open to reviewing it.
again, security will be of the utmost importance. i think we will continue to look at that. we have, in vermont -- well, first let me say, the federal law says we must be able to provide ballots to our overseas and military voters 45 days prior to the election. in vermont in 2009, we extended our early vote period for all vermonters to 45 days. and we believe offering that is of the utmost importance and convenience for our voters. we have to find a way to be able to get those ballots back. we have looked at ways. one way we are looking at is an accessible voting system, where
we are looking at right now, is really called a ballot marking device. it can take an actual ballot and mark it, so when someone votes on a screen, on a tablet, they can look at the vote, the ballot, see it is exactly what they wanted. susan: that is it for our time. secretary condos, thank you for being our guest. jim condos, the brand-new president of the national association of secretaries of state. we appreciate you being with us on "newsmakers." jim: thank you very much. susan: there is a testy debate on the floor of the house of representatives about election funding on thursday of this week. we want to bring our viewers up-to-date on where this idea of more funds going to states for election security. reid: this is something states have been working on for quite a while. asking for funding to update ballot systems, ballot boxes, the actual machines on which we vote. this was a debate we were having over hanging chads in the 2000
election, and it has not gotten much better since. the machines the states bought right after the 2000 elections, we are still using them today. technology evolves and things like that, so congress is still debating whether we will be funding these states and their efforts to upgrade their equipment. we have seen states taking advantage of this $380 million. secretary condos mentioned that. the secretary of state of maine just got his yesterday or wednesday or thursday of this week. here we are 112 days from election day and they are only now getting this money. that tells me that these systems are not going to be completely upgraded by election day. susan: eric geller, what does this bipartisan senate bill you referenced in this discussion do other than funding? eric: it sets up a grant program, but the funding mechanism would have to be dealt
with separately, so the appropriators would have to agree to fund it. it mostly focuses on process. it doesn't have regulation, as i asked the secretary about for vendors. it doesn't tell them to stop using paperless systems. it focuses on making the secretary feel like the federal government's listening to them. better channels for sharing information. it sets up a grant program they can apply for. the money would have to be requested separately. it expedites security clearances. it is focused on making sure the federal government is saying "we hear you" to states. susan: everyone is thinking of russian interference right now, but what is the broader threat facing the american election system besides the russians? eric: there are a lot of ways you can disrupt an election without attacking the voting machines. our power grid is very vulnerable. there are adversaries now
seeking to find ways into power grid equipment. if you can take down the lights in a city while they are voting, you have disrupted the election, even if you don't touch the voting machines. we talk about critical infrastructure. the vulnerable critical infrastructure around the process, not part of it directly, folks need to think more about that and what contingencies are in place. in washington, i don't know what would happen if the lights went off in d.c., if the elections would proceed. that's the question. how can you scare the most people, disrupting the election by all means necessary? susan: a bit of good news, bad news. the dhs is working better with states, but five states still don't have a paper trail for the ballots. how would you assess when you are doing reporting about all the concerns going into the election, how much progress we have made, where things really stand? reid: progress has been slow
after the 2016 election, but it is happening, especially at the margins. some of the older machines are being replaced in a lot of states, and states are on notice that this no paper trail approach is really not going to be acceptable or sustainable in the long run. we have a fascinating juxtaposition in a couple ways. first of all, we are the only western democracy in the world that doesn't have a centralized election hub. not just that we have 51 different jurisdictions operating their elections, 50 states and d.c., even beyond that. the state of wisconsin has literally hundreds of election officials responsible for this. there is strength and weakness in that. the strength is that all those different systems mean that somebody trying to hack in doesn't have one place to go hack and change all the numbers. they have to be present in 3000 places, especially when these machines are not connected to the internet. you don't have the same standards is the weakness, state-by-state.
you don't have training budgets, so you don't have a lot of infrastructure for cyber security. one of the things eric mentioned, this notion of people getting top-secret clearances, people in the secretary of state's offices getting top-secret clearances at the federal level. they never had to do that before. all these roles have yet to be written. it's a juxtaposition between the uniqueness of our system, the strength that it brings in diffusing power, but the weakness it inherently provides. susan: thank you very much. please come back. nice to have the this week, and nice to see you again. [captions copyright national cable satellite corp. 2018] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]