America's elections. I will now recognize myself for an opening statement. Yesterday the Director of National Intelligence testified that, quote, the greatest challenge we have as a nation is making sure to maintain the integrity of our election system, close quote. Excuse me. I agree. Our democracy was founded on a government elected by the people, for the people, and free and fair elections. They are the very core of our democracy, and they are under attack. Special Counsel Mueller's report in no uncertain terms detailed how a foreign government attacked our 2016 elections. The Russian objectives were clear: deepen distrust and discord in our society, secure the election of one candidate for president over the other, and in so doing undermine confidence in the integrity of our elections and damage our nation's standing in the world. There is no evidence Russia affected the actual vote count of our elections, but Russia did successfully steal thousands of documents from American citizens that it used to influence public opinion. It also accessed voter data to gain intelligence which it may seek to exploit in the future. The special counsel emphasized in his recent press conference that Russia's attack, quote, deserves the attention of every American. Russia's attack was not an isolated incident. Nor is Russia the only foreign power trying to influence our elections. We live in a world with agile, persistent enemies. As FBI Director Wray warned, make no mistake, the threat just keeps escalating and we're going to have to up our game to stay ahead of it. Despite concrete evidence confirmed by the heads of our intelligence agencies, President Trump has refused to acknowledge Russia's attack, let alone publicly denounce it or outline clearly how he intends to deter future interventions. To the contrary, the president has openly declared he sees no problem with foreign influence in our elections. 
More troubling, there have been reports from multiple senior White House officials, including the former Secretary of Homeland Security, the organization tasked with leading our election security efforts, that the White House failed to adequately inform Americans about continuing influence efforts and instead directly stymied efforts to investigate or even discuss the attacks on our elections. More troubling still, we now have evidence the President of the United States asked a foreign leader to interfere in our next election. The president is not only refusing to defend our elections against foreign attacks but is actively soliciting such intervention. That is unacceptable. It puts our nation at great risk. We must not let foreign attacks go unpunished or undeterred, and we must make the investments necessary to withstand any future attacks. The Judiciary Committee is tasked with the duty of protecting the right to vote for every American. That includes not just equal voting rights and access to the polls but confidence in the accuracy and security of our election systems. We will protect that sacred right. We will not let anyone, not even the president, attempt to undermine the integrity of our democracy. Today's hearing helps carry out that duty, to ensure that we understand the extent and scope of the threat to our 2020 elections, and to identify appropriate steps for deterring, detecting and defending against those threats. I am pleased that last week the Senate finally approved a bipartisan spending bill to safeguard voting systems, but much more needs to be done. U.S. elections are not built of isolated parts. Existing infrastructure is a vast ecosystem that includes voter registration, vote casting, vote tabulation, election reporting. Each of those components is possible to attack, and as with any ecosystem, if any one component part fails, if there's a flaw in one piece of the technology, it can jeopardize the entire process. 
As former Secretary of Homeland Security Jeh Johnson explained, the integrity of our election outcomes on a national level dances on the head of a pin. Securing our election system requires securing each of its component parts. This begins with ensuring we can verify all votes through post-election audits and certify each vote is accurately counted which will lovemaking trust and transparency for the election process. We must also secure our voter registration databases, voting machines and voting systems. A report published found that in at least 40 states, voter registration databases and machines were instituted more than a decade ago. Outdated systems are difficult to maintain, are subject to serious flaws and vulnerabilities, and are vulnerable to attacks from the outside. Our adversaries are agile and technologically advanced. We must be, too. We must provide states with the resources needed to secure their systems and update their critical infrastructure. In addition, nearly all states and territories rely on outside vendors in some capacity. Of the states and territories, roughly 92 rely on just three vendors. These vendors must be regulated to ensure all of the prs meet minimum election security requirements. Finally, state and local officials are responsible for administering elections. Our democracy's frontline defenders must have the resources and cybersecurity training necessary to protect our voting systems. We must develop better tools to share cybersecurity and threat information. In 2016, according to the intelligence community, state election officials were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor. We must ensure that each component of our election system is sufficiently integrated, equipped and ready to handle any attack from any actor going into 2020 and beyond. In short, the challenges facing our elections are serious, evolving and multipronged. There are no easy answers. 
I know Ranking Member Collins agrees with me that the threat to our elections is a threat to the American Republic. I thank Ranking Member Collins for his attention on this issue, and I am pleased to say our staffs together selected the witnesses here today. These witnesses will help us understand further the extent and scope of the threats we face and the vulnerabilities in our systems that must be patched. That will help guide this committee's efforts to ensure the integrity of our elections, and I thank them for appearing today. I have confidence that working together we can address the imminent threat to our elections and protect our voting systems going forward. Our democracy depends on it. The Ranking Member has been detained; I will recognize him for his opening statement after he arrives. Without objection, all other opening statements will be included in the record. I will now introduce today's witnesses. Debora Plunkett is a junior fellow for the Defending Digital Democracy project at the Harvard Kennedy School's Belfer Center for Science and International Affairs. As an adjunct professor, she previously served as Deputy Director and then Director of the National Security Agency's Information Assurance Directorate. She served as director on the National Security Council under both President Clinton and President George W. Bush. She received a Bachelor of Science degree from Houston State University, and a BA from Johns Hopkins, and a Master of Science in National Security Strategy from the National War College. Kathryn Boockvar is Acting Secretary of the Commonwealth of Pennsylvania. She also serves as Elections Committee co-chair for the National Association of Secretaries of State and is the association's representative on the Election Infrastructure Subsector Government Coordinating Council. 
Previously she served as senior advisor to the governor of Pennsylvania on election modernization, as executive director of Lifecycle Women Care, and as chief counsel for the Pennsylvania Auditor General. She also worked for many years as a poll worker and voting rights attorney. She received her Bachelor of Arts degree from the University of Pennsylvania and her J.D. from American University Washington College of Law. Will the gentleman yield? All right. I yield to the gentleman. She was my student. I yield back. [laughing] I will assume she learned well. Tom Burt is the Corporate Vice President of Customer Security and Trust at Microsoft Corporation, where he works to formulate and advocate Microsoft's cybersecurity policy globally, including advancing the Digital Geneva Convention, the Tech Accord and the Defending Democracy project. Mr. Burt joined Microsoft in 1995 and has since held several leadership roles, including leading the company's litigation group 1996-2007, and more recently leading the Digital Trust team. Prior to joining Microsoft, Mr. Burt was a litigation partner in a law firm in Seattle where he worked on voting rights cases. He received a Bachelor of Arts degree from Stanford University and a J.D. from the University of Washington Law School. We welcome all of our distinguished witnesses and we thank you for today's hearing. Now, if you would please rise, I will begin by swearing you in. Raise your right hands, please. [witnesses were sworn in] Thank you. Let the record show the witnesses answered in the affirmative. Thank you and please be seated. Please note that each of your written statements will be entered into the record in its entirety. I ask you to summarize your testimony in five minutes. To help you stay within the time, there's a timing light on your table. When the light switches from green to yellow, you have one minute to conclude. When the light turns red, it signals your five minutes have expired. Ms. Plunkett, you may begin. Thank you, Mr. 
Chairman, Ranking Member Collins, thank you for the opportunity to testify before you today. My testimony focuses on potential security vulnerabilities of our election system and recommendations to better protect our democratic processes and systems from cyber attacks. We must take bold, decisive, and expeditious steps to address cyber threats and then assume efforts are insufficient given the rise of attacks and capabilities. All known threats must be addressed in order to better ensure secure and trusted elections. Bad actors, whether nation-states or lone criminals, are intent on gaining unauthorized access to systems that provide the best opportunity to achieve their goal, including influence, distraction, tropic, espionage, coercion or just fine and favorite. Attackers make their attempts from across the ocean or from down the street. We must treat election security as imperative for safeguarding our democracy. Intelligence leaders warn of ongoing and escalating interference attempts by multiple foreign actors who view our 2020 election as an opportunity to advance their interests at the expense of American democracy. In the United States, elections are complex and decentralized. The United States has over 10,000 election jurisdictions. These vary by technology and processes. Recognizing the right of election jurisdictions is central to developing and implementing strategies to improve election infrastructure security. While election operations can vary significantly across jurisdictions, there are fundamental similarities in some infrastructures. Many election systems are built using general-purpose technology and commercial off-the-shelf software. While this means they're often subject to attacks popular in other sectors, it means experts have identified some best practices to mitigate many of the risks. The key is to make sure these solutions are kept up to date. 
At Harvard, the Belfer Center's Defending Digital Democracy project produced a State and Local Election Security Playbook which identifies ten best practices that apply to all election jurisdictions, which I'll briefly summarize today. The first is to create a proactive security culture. Most cyber compromises start with human error. A strong security culture makes a big difference as to the success of a malicious actor. The second is to treat elections as an interconnected system. Any digital device attached to election processes must be safeguarded. Device security management should be centralized and streamlined. The third is to require a paper vote record. It is essential to have a voter-verified auditable paper record to allow votes to be cross-checked against electronic results, and the paper record must have a rigorous chain of custody. The fourth is to use audits to show transparency and retain trust in the elections process. Auditing should be embedded in the process, for data integrity and accuracy are critical. The fifth is to implement strong passwords and two-factor authentication. Strong passwords are important; two-factor authentication is one of the best defenses against account compromise. Number six is to control and actively manage access, where users should take the minimum access required to perform their jobs. When someone no longer needs access, it should be revoked. Number seven is to prioritize and isolate sensitive data and systems so you know which systems should be properly protected. Number eight is to monitor, log, and back up data, which enables attack detection and system or data recovery after an incident. Number nine is to require vendors to make security a priority. Detailed security specifications should be written into acquisition documents, and vendors must be required to notify officials immediately after becoming aware of a breach. And finally, number ten is to build public trust and prepare for information operations. 
Transparency and open communications will counter information operations that seek to cast doubt over the integrity of election systems. In conclusion, election systems are critical infrastructure. To protect them, the federal government must provide guidance and support by allocating resources to upgrade election systems to the highest security standard, ensuring information exchange between federal, state and local entities is seamless, instituting security standards that vendors must follow for election systems and components, and encouraging a culture of security by keeping the American public fully informed on malicious actors' behaviors and intentions and the government's efforts to stop them. Thank you for the opportunity to participate in this important dialogue today. Thank you. Chairman Nadler and esteemed members of the committee, thank you so much for your leadership on election security. As chief election official of Pennsylvania, I have the privilege of working with dedicated election officials across the commonwealth and all 67 counties to make sure all of our elections are fair, accessible and secure for all eligible voters. As has been discussed, the issues surrounding election administration have become more complex and complicated because of security issues. As we know, foreign adversaries are continuously trying to influence our elections. The key to supporting this effort is to make sure we are building our cyber walls faster than those that are trying to tear them down. Election security is a race without a finish line, and our adversaries are not slowing down, but we need to make sure we are meeting and exceeding those technologies and making sure we invest at all levels substantial and sustained resources. Alongside the great majority of states, we urge the federal government to provide additional election security funding but also infrastructure. We need to look at this like we look at other ongoing initiatives. 
We don't do once-and-done appropriations for other types of security, for health care, for education. We look at these as ongoing investments, and that's how we have to look at our elections. Nothing is more important than the security of our democracy. There have been great advances over the last many years, as discussed. The EIS-GCC, the Election Infrastructure Subsector Government Coordinating Council, has been a great collaboration among federal, state and local officials to secure elections, and it's working to formalize and improve information sharing and communication protocols, to make sure that our local election officials can respond to timely threats. The great thing about the EIS-GCC is that it has 29 members; 24 of them are local and state election officials. It also includes critical federal partners like DHS, EAC, the Election Center and the International Association of Government Officials. Other key partners in this fight are DHS, National Guard, Center for Internet Security, would be an incredibly strong part of making sure with risk and vulnerability assessments, shared intelligence, tabletop exercises and extensive communications. But there's more that we could do. One of the things I would love to see the federal government being more involved in is vendor oversight: tracking foreign ownership, making sure we are getting background checks, making sure there's a good chain of custody across all voting and election components. We need to strengthen lines of communication in both directions from that of state and local. For example, with our local incidents reported to our federal partners, they need to make sure the state election officials know so we can kindly respond to those incidents. On the Pennsylvania landscape, we've had some great successes over the last year and a half that I've been very proud to be a part of. We broke down silos. We knew it was important to have an integrated approach to election security, and it's been incredibly effective. 
We have an interagency work group that involves I.T. professionals, security, law enforcement, homeland security, elections and emergency preparedness. We meet and work together to make sure we're working together as a front to make sure we have the most secure and accessible elections in Pennsylvania. We've provided tabletop exercises, and we were the first state in the country to accept DHS's offer of free vulnerability assessments to states. One of our big successes over the last year has been our transition in Pennsylvania to voter-verified paper ballot systems. I'm happy to say, whereas a year ago we had 50 counties across Pennsylvania that had no paper trails, as of this November there will be 52 counties that will have paper trails. So a huge flip, a great success and a credit to the county election officials for all the work. I'm also happy to say that we have a post-election audit group, as discussed by the chairman. This is a critical piece of our elections, making sure we're auditing and instilling confidence in our voters about confirming the results of the election. The right to vote is a fundamental right, and the voter must be provided equal access to the polls and a deep-seated confidence in the security and accuracy of their vote. Our democracy, and bolstering our confidence in that democracy, is worth every dollar. Thank you very much. Chairman Nadler, Ranking Member Collins, and members of the committee, thank you for the opportunity to testify today on the important topic of how emerging technology can contribute to the security of our elections. My name is Tom Burt, Corporate Vice President for Customer Security and Trust at Microsoft. My team includes our Defending Democracy Program, which works to protect democratic elections from cyber attacks around the world. We know skilled and well-financed adversaries have and will continue to attack elections in the U.S. and in other countries. 
All in the pursuit of their goal of undermining citizen confidence in democracy. Defending democracy and our elections are important to Microsoft, so we spent the last year working on what we as a technology provider can contribute to this effort, and I'm pleased to inform the committee that this week we released a free, open-source software development kit called ElectionGuard. Simply put, ElectionGuard technology can enable the most secure and trustworthy election in the history of the United States. How does it do this? When a vote is cast, it is immediately encrypted so that it can't be seen or changed. The voter receives a tracking number, and when the election is complete, the voter can go online and check to see, for the first time in history, that the vote was, in fact, counted and unchanged. ElectionGuard, more than that, also enables anyone, voting officials, the media, third-party watchdog organizations, to build a verifier application that will let them confirm that the tally is correct and unchanged. All of this can be done without ever decrypting individual votes through the use of homomorphic encryption, a well-established technology that can count votes without ever decrypting the underlying data. ElectionGuard is designed to work with many of the voting systems in use today, including electronic ballot marking devices or hand-marked paper ballots read by optical scanners, and we have on our roadmap making it work with other forms of elections. We've made this technology free and open to everyone. Microsoft is not making any revenue from ElectionGuard. We've been working closely with all the major U.S. election vendors, encouraging them to build systems with ElectionGuard. We're excited to report that the response has been uniformly enthusiastic. But there is a significant impediment to the rapid adoption of this and that the new voting. This certification process also hinders basic security hygiene. 
Today, if a voting machine is updated with a minor security patch from a trusted vendor, it will have to go through a full recertification process. This creates a significant disincentive for election officials and vendors to deploy security patches, leaving our elections vulnerable. We are pleased the Election Assistance Commission is in the process of revising these certification rules, and we would ask all of you to encourage the commission to adopt soon new rules that enable rapid and actual deployment of new security technology and basic security hygiene. While we and others in the private sector can contribute technological advances to secure the vote, there is an important role for Congress. We agree with the written testimony regarding the urgent need for long-term sustainable funding. This is critically needed to enable election officials to plan ahead, to purchase equipment rather than letting outdated systems remain active, and to invest in the cybersecurity training and staffing that we expect of all critical infrastructure providers. We live in a world with agile enemies who are persistent in their efforts to interfere in our democratic process. Our citizens deserve to be able to cast their vote with confidence it will be counted without manipulation. We believe ElectionGuard is breakthrough technology that can help achieve this goal, but we remain committed to working with government, civil society, and the technology sector to take even more steps to ensure that every vote is counted and every voter has confidence in our free and fair elections. The stewardship of our democracy requires nothing less. Thank you, and I look forward to your questions. Thank you. I thank all the witnesses for the testimony. We will now proceed under the five-minute rule with questions. I'll begin by recognizing myself for five minutes. I'd like to focus on one component of our election system that I find particularly concerning, voter registration databases. 
The Mueller Report concluded that in approximately June 2016, the Russian intelligence organization GRU, quote, compromised the computer network of the Illinois State Board of Elections and gained access to a database containing information on millions of registered Illinois voters, unquote. Ms. Plunkett, in this case the Russian hackers successfully breached the databases but they failed to alter or to delete voting records. My question to you is, if Russian hackers had changed the voting records, including deleting voters from the databases, could you describe the specific possible effects it could've had on the election if they had altered the databases? I mean, it would've been devastating had they altered the databases, and altering in this case could have been changing records, it could've been deleting records, which would have made it in some cases impossible for voters to vote, to register to vote. Voters could have been turned away. It could have inserted voters evilness into the database that could have provided an opportunity for those who shouldn't be voting to vote. It would've been devastating had that happened. So thousands or tens of thousands of voters might've turned up at the polls and been turned away because there was no record of the registration? That's correct. Thousands of nonexistent voters might've voted. That's correct. Thank you. Ms. Plunkett, the bill includes 600 million in funding for states. It also includes accountability measures and requires that funding cannot be used to purchase nonqualified voting machines. The Senate version's only 250 million with no accountability restrictions. The written testimony emphasizes the need to replace paperless machines and of a robust post-election using paper ballots. We saw in 2000 how one county's failure to properly maintain chads held up the entire country. And one county's dereliction could again hold up the entire country's national election. 
I understand why some states or counties might not want to spend the money necessary to update their election machinery so they can't be hacked, but I was astounded to read recently, a couple of days ago, that states are still buying, spending large amounts of money on voting machines that are electronic, that didn't have paper trails and are vulnerable to hacking. My question is, aside from the obvious necessity of appropriating money to update our election machinery so that we have hack-proof machines that cannot be tampered with from outside and that cannot, at least, the auditable trails, paper trails, do you think the federal government should mandate this? Because after all, the federal elections are premised on an accurate count in every state and county. Should we mandate, as those providing the funds for modern election technology, so that we can be sure that no foreign actor is, in fact, hacking, in fact, ponying up our vote and perhaps doing so and leaving a trail that you knew it later? What was me to make a comment about federal and state roles and responsibilities, but here's what I would say. It is incumbent upon every state to institute the appropriate security measures and make sure that their technology is the most robust available in order to protect the democracy and the election vote. I believe there's a role for the federal government in this space that starts with requiring that vendors follow certain security standards in the production and delivery and maintenance of the equipment that these states are using. So that would thereby standardize at least the security of the systems. Everything from auditing and database management, on the back end should something happen to the systems, being able to report on that. If the federal government mandated that only machines could be made, then new purchases would only be of proper machines. 
In the five seconds I've left, do any of the other witnesses want to comment on whether they think it's necessary for the federal government to mandate that existing machines be replaced in time for the election so that we can guarantee an election undictated from Moscow or someplace else? We think as the Election Assistance Commission is revising its standards for certification, there is an opportunity to inject standards for the security of devices to be certified. I would caution, though, that we must be careful not to specify specific technological solutions because our enemies move very quickly. We need to be agile in response. But to have basic security guidelines that are part of that certification process would be an advance on the current state and would help us secure our elections. Thank you. Ms. Boockvar, very quickly. I just want to say that I think you mentioned a lot of the areas that we need to invest in. You talked about voter registration systems. You talked about, I think you talked about sensors and all kinds of other things. What I would like to see is that we define a continuum, a number of different things that are critical priorities, might allow the states, who know best what's the most critical need in their state, to decide what's the best use of those funds. Thank you very much. My time has expired. The gentleman from Colorado. Thank you, Mr. Chairman. Mr. Burt, I'm interested in the ElectionGuard technology you were talking about earlier. One of the interests I have is that the United States wasn't the only country that Russia targeted in the last decade. It's clear that Russia tried to impugn the integrity of the Brexit vote, the Scottish independence vote, that it was involved in Spain with the Catalonia independence movement. Will Microsoft make ElectionGuard available to our allies, foreign countries, or something similar, so we can try to make sure democracies across the world have elections that are considered by the people to have integrity? 
Yes, that's absolutely our plan. As you may know, our AccountGuard service, which we offer for free to help protect campaigns against being hacked, we've extended that to 26 countries around the world, and we intend to do the same with ElectionGuard technology as well. It is a free open-source project, so any vendor in any country is free to take that technology and build it into election systems. We work to expand our protections to all democracies committed to free and fair elections. One of the things I'm interested in is exactly, you've used the word agile a number of times, and I'm assuming that there is a distinction between hardware and software. I'm wondering if you could explain that? When the chairman talks about, and rightfully, updating systems, I think we're in large part talking about hardware. I want to make sure we have hardware that's compatible with whatever the software is that we need to be agile with. Yes, it's also important that both hardware and software be the most secure, current engineering, and there's work to do, frankly, on both sides of that. But most important for most of these systems is the ability to update software. As I mentioned in my written testimony, we just announced recently we are going to provide free security updates to Windows 7 election voting devices because we discovered there are many of those devices still in operation around the country, even though that's decades-old technology. It reaches its end of life this January for most customers, but because of the importance of securing our vote, we are providing for free the security updates through the end of 2020. The challenge, as I mentioned earlier, is that with current regulations it's difficult and burdensome for local officials to apply security patches to their devices. We need to work on both the software and hardware side of the equation to ensure we can be agile in adopting the best technology to defend against these attacks. 
Old folks like me, we think if it's not on paper it's not secure. And it's not believable. I want to open this up for the young folks on the panel here, if you have an opinion on how we convince the American public, because that's the audience in this case, making sure the American public understands we're doing everything we can to make elections credible. How do we convince the American public that something we can't see, that exists out there somewhere, is just as good as a paper ballot and being able to see something on paper? If I could start off, at least I will claim to be young at heart. There are two really important things we can do to help establish that trust, and one, which you've heard about from others and which we absolutely endorse at Microsoft, is the existence of a paper backup at least that can be used in risk-limiting audits. Our ElectionGuard technology supports an advanced form of risk-limiting audits which enables voting officials to audit the outcome after the vote and show it wasn't tampered with. That's one important thing, the application of audits and the maintenance of at least a paper backup so you'll always have that as a resource to go to. If we can get to a world where ElectionGuard technology is broadly adopted, that provides a whole new form of voter trust, because now voters will be able to, for the very first time, actually see that their vote got counted and wasn't changed. Today, I am from Washington state, I have no idea whether the ballot I mark was ever counted or not. With this technology, voters will know, which should help establish voter trust. Mr. Chairman, I don't often do this, but I wanted to thank you for holding this hearing. I think this is beneficial. I think it has very little to do with partisanship. I think it's important for everybody on both sides of the aisle and all around the country to make sure we have this integrity, so thank you very much. Thank you. The gentlelady from Texas. Thank you, Mr. Chairman. 
Let me add my appreciation for this very crucial thing as well. Thank you to all the witnesses. Let me ask one question of each of you with a yes or no answer: do you think it's important for there to be governmental involvement in right infrastructure, in review of the technologies, as we move toward the upcoming elections as quickly as possible? Ms. Plunkett? Yes. Secretary? Yes. And Mr. Burt? Yes, I do. Let me ask Ms. Plunkett with respect to the 2016 election. The Russian GRU officers compromised the computer network of the Illinois State Board of Elections and gained access to a database containing information on millions of registered Illinois voters. The Russian GRU officers were able to steal data of thousands of U.S. voters before Illinois was aware of the hack. Russia had succeeded in all these efforts. Can you explain how attacking voter registration software and electronic polling stations can impact an election? Certainly. Since the foundation of the voter system begins with the registration databases, which validate that a voter is eligible to cast a vote, should that database be altered in any way, whether it be destroyed or deleted or additions made to it, it could jeopardize the ability of a legitimate citizen who has a right to vote from voting, and would certainly alter the outcome of the election because it would prevent those who should be able to vote from casting their vote. In essence it would undermine the very basis of our democracy. That's correct. Mr. Burt, you could make in the ElectionGuard. We are all fascinated by that. It's outstanding technology, but in your marketing to the entire world I'm not sure what kind of litmus test you are going to use to determine whether or not it is a democratic government, and what is the potential of innocent democratic governments now giving technology of that level of sophistication to be utilized then to hack into the system?
What are the protections and the firewalls on your system if by chance you sell it to an enemy? We've actually been quite deliberate and careful about the countries to which we expand our services, but let me be clear about ElectionGuard. It's an open-source project that anyone can access, and that leads to the security, because as people find any flaws or security flaws in the software it can be updated. What's important to understand is this technology is not capable of being used as an offensive weapon. What it does is secure the vote. What it does is ensure that votes are encrypted and can't be changed or altered, and it ensures the vote can be verified and the count can be properly verified by individual voters and by any third party. So to the extent this technology is employed even in countries that we would not consider an ally, it just means that the votes are going to be more trustworthy. It doesn't give them the ability to breach or hack into the vote of another country? That's correct. Let me ask the secretary, what is the importance of having a variety of technologies that states can have access to, unlimited number of vendors that we all have, in terms of protecting the election process? So I think one of the benefits that we have is decentralized systems have advantages and disadvantages, but having a variety of technology is definitely an advantage, because the likelihood of the ability to breach all the different technologies is certainly harder than if you had one uniform across the board. It's key to keep the diversity of our so when mentioned three, so having us to be able to certify legislation that deals with expanding that opportunity would also enhance the security and safety of elections. You are all lawyers in the past, election 2016 we determined there were a lot of foreign operatives.
Do you think it's important to have legislation that indicates if an elected official or a candidate is approached by a foreign adversary that you need to report that immediately to an authorization agency such as the FBI? Ms. Plunkett, I'll just ask everybody across the board. Yes, I do. Yes, I do as well. Mr. Burt? Certainly. I ask unanimous consent to place into the record H.R. 2353. Fifty-three. Without objection. Can't an effective deceptive campaign spoofing attack be deployed to use search engine requests? Can you just answer the question, Mr. Burt? The time of the gentlelady has expired. The witnesses may answer the question. Yes, that's possible, although a more fulsome answer would take considerable time in terms of how that would work and how we can defend against it. Time is, I agree. All right. Thank you. I yield back. The gentleman from Florida. Thank you, Mr. Chairman. I'd like to associate myself with the comments of the gentleman from Texas and the gentleman from Colorado that election security issues must be viewed as a bipartisan endeavor for us to make progress and that all voters deserve to have confidence in that process. It was disheartening that the chairman began the hearing by taking a bunch of partisan shots at the president. I don't understand how that is helpful to the work we are doing here, and really thinking in terms of the value of elections most probably, I fear that the greatest risk to our democracy may not be hacks or interference with the vote. It may be the effort by radical Democrats to try to impeach a president who was duly elected. That seems to undo elections more than hacking. Alas, back to this important work of the committee. I wanted to thank Congresswoman Murphy as the lead but also our colleague on the Judiciary Committee, Mr. Deutch, for coauthoring H.R. 3529, bipartisan legislation that requires the head of the Department of Homeland Security to notify state and local election officials in the event of some intrusion or hack.
My question is for any of the members of the panel, to speak to the utility and the importance of real-time coordination in the event of an intrusion, and how you might see state and local officials working collaboratively and proactively with the federal government in such an endeavor. I would love to take a crack at that. Thank you, Congressman. It's critically important, that collaboration at the state, local, and federal level, and we saw it in Pennsylvania last year, the November 2018 election. We were connected across the country to other states and to the federal government, giving real-time information about things that were being seen in other states. We could not only take, so, for example, there were attempts to hack into machines in other states. IP addresses were identified, passed along to other states. We then were connected across the state to the 67 counties, could pass along those IP addresses so they could block it proactively before having to have, it was literally in-action collaboration that protected our election. That kind of thing, both before, during, and after, is critical to make sure we have the most secure elections possible. If I may, in 2018 under the direction of Director Krebs, there was a war room established at the federal level in which technology providers, state and local officials were all invited. We participated in that, and that was a good step forward for what you suggested is critical. I agree that the more efficiently we can have communication between all federal agencies aware of attacks in real time with state and local officials and also leading technology providers who stand ready to assist with this effort of protecting our elections, the better it can be. We need to improve and expand on that rapid real-time sharing of threat information at the time of the election, and before then.
I agree with both and I would just also add, it's critically important, a good role for the government, to create the environment where information sharing can happen without restrictions and in a smooth and precise and expeditious manner such that whoever needs information can get it and it's presented in a usable fashion. I would not limit that to state and local and federal. Vendors, there are very good threat intelligence organizations that are doing a great job in uncovering good information that needs to be a part of this dialogue. That is incredibly helpful advice, especially when you think about the experiences in Florida where hackers masqueraded as the vendors. They would seem to be an important part of that community and it's helpful. I would observe that there seemed to be some confusion in Florida as to the extent to which any hack linked to voter manipulation in future elections, not based on changing the tallies of the votes but by manipulating someone's name. I'm Matthew Louis Gaetz II, but if someone went in and changed my name to Matt Gaetz, potentially I would have a hard time having my vote counted. This may be a broader question than you're able to answer, but I'm interested in it and think the Judiciary Committee could partner with others on the utility of blockchain technology to enhance the security of elections. In a decentralized ledger I would think such a manipulation of the voter rolls themselves would be less likely. I would seek any comment if anyone has, and I would appreciate the chair's indulgence. I think there is great, there is certainly the opportunity for blockchain to be relevant in the space. But if we think now about the American public and understanding of voting and voting systems, we are talking about paper ballots as a backup. Generally people understand that. Blockchain technology is very complicated and is untested. I know it has been tested in West Virginia, as I understand it.
There's possibility but it's not something I think is ready for use for a general or primary election. [inaudible] Thank you, Madam Chair. And thank the witnesses for your appearance today and for your testimony. Ms. Plunkett, the Center for American Progress recently reported that, quote, voting on paper is the most hack-proof way of conducting elections, and you agree with that, do you not? Today, yes, I do. What about you, Ms. Boockvar? Absolutely. At least with the paper record, I should say. And Mr. Burt? I would say that we actually believe ElectionGuard provides an even more hack-proof way of voting. Paper, at least as a backup or as primary, because the technology would support either, is important to maintain the security of our elections. So when we talk about a paper ballot we're talking about a hand-marked paper ballot, is that right, Ms. Plunkett? It doesn't assert have to be hand marked, but it should be, there should be a piece of paper involved. If the paper involved is produced by a touchscreen voting machine and that piece of paper also has a barcode along with the races that the voter voted on, and that paper that the machine produces with the barcode is given to the voter who can then check it, make sure that it reflects accurately what choices were made by that voter, and then that piece of paper is then scanned into a counting machine, which counts not the actual choices made by the voter but the barcode on top. That's the kind of paper ballot that you're talking about? I don't know about the barcode part. I think I can answer that. For example, that's where audits come in, right?
For example, we're developing a process in Pennsylvania where, I guess the question that I'm asking: if it's the barcode that is counted and not the box that is identified as the one that was checked by the voter, how does the voter know that the barcode, which is counted, actually reflects the choices that the voter made, or does the voter just simply have to depend on the barcode to accurately reflect? How can we get around that if we're counting the barcode and not counting the hand-marked paper ballot? So most systems, whether they are paper or ballot-marking devices, use some form of mark for the tabulation process, whether it's a barcode or the timing mark which some of the hand-marked ballots use. There's basically triggers into the speed is within you're able to actually count the hand-marked ballots by hand. Exactly. That way that produces an auditable trail. The ballot that is counted by the barcode and is not hand filled out is just simply a further extension of the mechanics of the computerized voting. If I may, Congressman, we are talking about the barcode. That still shows the specific individual votes. The voter has had an opportunity to verify the checkmarks in the boxes. Not the ones that are counted. Even if it is not hand marked. Verifying those boxes, now you have a paper ballot verified. How do they verify the counting mechanism? That really reflects the choices that the voters made. That is part of the audit process that can be performed by looking at the tally against the audited subset selected for the audit. Looking not at the barcode in this case, but the barcode that is check. Isn't it clear that a hand-marked paper ballot that has been fed into a counting machine that counts that tally, along with the other voters, and then at the end of the process, if there was a recount venue, you could actually count the paper ballot by hand and compare that to the tally that was produced by the counting machine.
Doesn't that provide the most effective way of auditing the results of an election? I would say that it is not important whether it was hand marked or marked by a machine as long as they get the opportunity to verify that what they see is what they intended. Whether it is by hand marking or the machine, you have a clear representation. Sometimes that is clear. There are often disputes about what the voter intended. I thank you and I yield back. North Dakota, Mr. Armstrong, recognized for five minutes. Thank you, Mr. Chair. I will come back to this. Your written testimony, you mentioned, you talked about future threats. I am an old state party chairman. Things escalate extremely quickly. Why is this such a threat and what can we do to deal with it on the front end? Our colleagues, they did one yesterday. They look absolutely legitimate. That is exactly why it is such a threat. We know they engage in disinformation campaigns in which they attempt to take the extreme positions on social issues relevant to the campaign and they try to incite conflict. They seek to discredit candidates or positions through their campaign. We should anticipate that they will become more sophisticated in their efforts. Audio and video are advancing rapidly. As you point out, it is now possible to really create videos that appear to be entirely realistic. There is a lot of research going into detection technology. Showing that they are artificial and not real. At the end of the day, the technology to create the videos will always be ahead of any detection algorithm. The opportunity for our adversaries to use this technology to try to influence a campaign or election is very real. Today as it stands right now, we don't have a great answer to that other than to educate the American public that it will be even more important now than it has been in the past. They consume the information to make election decisions from sources they believe are credible. They try to rank and rate various sources.
In today's world, that will become even more important. Thank you. I get criticized for a lot of things that I say. As far as the defense to that, if the technology is advancing faster than the detection of it, probably us as a body and whoever else is doing some of these things, being able to have immediate removal and those types of efforts. We are moving forward and going towards this. We have to have a way as a Congress or government or just as an election to be able to deal with this. I think using available technologies to try to identify those that originate from adversaries, which is cybersecurity technology, those will be the best things we can do for this election cycle. We and others are investing in a number of different efforts to try to come up with ways to detect and identify legitimate sources of video and audio so that over time we will have a better approach to solving this problem. It will be a real challenge for us in the 2020 election. How does the broader debate affect ElectionGuard? It is a backdoor that potentially could be exploited. That could create a weakness in the balance. How do we balance law enforcement and the ability to do that with cybersecurity? A broader question. The context, the encryption we build into ElectionGuard would never have a back door. It would reveal specific votes, which you do not want to do for a variety of reasons. This is a very nuanced discussion. A paper from the Carnegie Institute that I thought was very well done and talking about the broad range of issues relevant to encryption, law enforcement access, protections, the legitimate uses for why that is important. One of the things that that paper said, which we absolutely endorse, is it's important to get very specific about the problem you are trying to address. Look at how to properly balance to that problem. There is no general approach to encryption that does not create way too many problems.
We need to be very specific and then balance the social issues to find the right result. That will be some work that we have to do. The time of the gentleman has expired. Thank you, Mr. Chairman. Thank you to our witnesses. One of the things I am particularly concerned about is the regulation of vendors. A large percentage, 97 percent of states and territories, use vendors in some capacity. The computers they use to access information, the management database is continuing that information to cast votes. To the software that creates ballot design and helps transfer information across systems. Three vendors control over 90 percent of this process. Over 60 percent of American voters cast ballots on systems owned and operated by a single vendor. Despite the incredible impact, there seems to be regulation over vendors that really ensure election security. I think we have seen some very serious issues with vendor security. For each of the witnesses, should we consider regulations at the federal level in creating some standards for vendors? If so, why, and if not, why not? I absolutely agree and believe that we should. An election system is a national security threat. It has been the approach of the U.S. government. It is to develop federal standards, in this case would be federal security standards for election equipment that really run the gamut from how the environment in which the software is developed and ensuring it is developed in a secure manner. Straight through to the implementation and maintenance. Any vulnerabilities that are discovered even after that software and hardware is deployed. I think it absolutely should be done. It is a role for the federal government. I agree. On every level. As you probably know, not only have they been underfunded, but they were also unable to update their standards. Voluntary standards for a long time.
For example, in Pennsylvania, we stepped in, and last year when we knew we had to certify voting systems, we created our own security standards because we did not want to rely on the outdated ones. Much more effective if the federal government would have stronger oversight. To standards and oversight. Talking about the foreign ownership and making sure the chain of custody controls every component of the voting and election system. Standard requirements. Not voluntary. Correct. I think we are all in agreement with that. The standards should not dictate any technological solution because that then sticks the states and local government with a particular solution. Taking too much time to change. They need to be generalized standards so there can be innovation in terms of the technology approach used to meet those standards. In addition to the establishment, are there other things Congress should be thinking about with respect to the role vendors play in our electoral process? One thing that is another one of the future that I think the vendors can be playing a more significant role in is the risk of ransomware and ransomware attack. This is something that the director pointed out a few weeks ago after this whole rash of ransomware attacks on small municipalities. Relatively recently. The risk that they will use that same malware injected into the voter registration devices, and showing up on the day of the election and the entire database will be locked up and you cannot see it. That is a significant risk. Vendors need to work with their customers to help them understand how to establish defenses. How to have backups that are offline backups and do tabletop exercises so state and local officials know how to restore those systems very rapidly so there is no interruption in the event that everything else we do to try to maintain security is unsuccessful. Thank you. I want to thank you for holding this really important hearing.
Protecting the right of the American people to have their voices heard and their votes count in our election. This requires strong leadership from everyone at every level of government. Thank you. The gentleman yields back. The gentleman from Texas. Thank you, Mr. Chairman. I appreciate you all being here. I noted that the chairman said basically that he was astounded to find counties still buying machines with no paper trail. Were you at the NSA back in 2000, 2001? Yes, I was. Do you remember who mandated every county or parish in America buy electronic voting machines, and there was no requirement for paper trails because that was more expensive? Do you remember who mandated that? I do not. I was working for the state and county as a judge. Counties were outraged that they had an unfunded mandate that these people were in. Democrats intimidated Republicans because of the votes in Florida even though there were fifth-graders tested, none of them had trouble with butterfly ballots and such. Apparently people trying to vote Democrat had a lot of trouble with them. There was outrage. Demand for electronic voting. Congress mandated it. It was very, very difficult for counties, many counties, to come out of the financial burden that this Congress put on them. If some of them have had trouble recovering financially from the poor mandate of this Congress, hopefully they will be forgiven. It is wonderful that ElectionGuard is being provided by Microsoft to help secure elections. Does that work as well on Apple or Mac systems as it does on Microsoft operating systems? Yes. It works on any platform. I had heard that here in Washington I could have whatever computer system I wanted. I have used the Microsoft operating system for years. It screwed up all my software. I finally got mad and went and bought an Apple. The best thing I ever did. When I was in Congress, I wanted a Mac. I got one, but the Microsoft system is what things are based on. It screwed up my computer.
You just cannot have a Mac if you are going to communicate with other computers around. I just did not know. I understand that your job is security and trust with Microsoft, so maybe they had not told you. Is there any backdoor into ElectionGuard that Microsoft might have in order to fix the system? Engineering work on this ElectionGuard. I am confident that there is no back door. We are making it an open-source project. Available today for anybody to look at. We actually encourage hackers to try to hack into it so we can find any security flaws and fix them. Really, we are all very concerned about election security. No matter how big your system is, it cannot do anything about a county that hires a vendor as my colleague and the vendor, at the end of our early voting on Friday before the election on Tuesday, takes the 48 flash drives from the 48 precincts home and plays with them until election day. Your system cannot help with that kind of problem. Correct? The ElectionGuard technology, the way that it works actually provides a security and trustworthiness even if you have a vendor or election official that has been compromised. The vote gets encrypted the moment that the voter votes on it. It is protected against any of those kinds of attacks. Protected against that kind of abuse. Then a county may not want to use your system if they need a vendor to take them home and play with them. I am concerned that each of you thinks it is possible to rig an American election, and if that is the case, I just warn you that in President Obama's eyes, that would make you a nonserious person. No serious person out there would suggest that you could even rig America's elections. I would urge you that you figure out a way to secure our graveyards so people don't keep turning out and voting in our elections. The gentleman's time has expired. Thank you, Mr. Chairman. Thank you all for being here. It is very important, the information that you are giving us.
I have been quite stunned that the United States is currently the only major democracy without a centralized agency governing cybersecurity. We have multiple federal agencies, there is no clear place that is concerned about hacking can go to. I read this recent report that explains there are single centralized cybersecurity agencies in Australia, Canada and New Zealand. In the United States, international cybersecurity efforts must go through multiple agencies including the NSA, DHS and FBI. I am really interested in this idea of coordination of our nation's cybersecurity to better protect from threats. I want to thank you for your work and say how proud I am that Microsoft status Microsoft home state, and I have the honor of representing many workers as my constituents. I think you have brought up some, you have done some really important work. I know you just released it, is it in use anywhere yet? The most relevant question. It is not yet in use anywhere. We just released it for public use in the last few days. We are working with all the election vendors. They are all very enthusiastic. They are in the process of evaluating the technology and thinking about how they can offer it in new devices. We need both election vendors as well as state and local officials to understand the technology. Out actively helping explain and educate that. We do expect that either later this year or certainly in 2020, we are working with a number of partners on pilot elections where it will be used for certain precincts so that we can test the technology and make sure that it is working as expected in the coming months and certainly by 2020. That is what I was wondering. In your testimony, you talked about imposing a culture of cybersecurity including training. Many of the existing voting systems were using Windows 7. You talked about that. How do we, and maybe this is a question for you, but also for you.
How do we make sure that we are providing the support and incentivizing in some way states and local counties to update their technology? We can have the best stuff and we can put it out there. If people don't continue to update, we will have this problem. A number of comments have addressed that already today. Among other things, consistent federal standards on security for elections would be useful. Useful guidance. You also need to have a sustained, durable, long-term funding solution so state and local agencies are not stuck because of financial considerations with outdated technology. This is just too important to our democracy. Is it just about money? Or is it also about people's fear of how to use technology? Not having their technology officers in place. There is a role for lots of different pieces of the puzzle here. We were talking earlier about how it would have been great if the new systems, Pennsylvania, that we just certified over the last year, it would have been great if they were never made with Windows 7 so it was an earlier sort of prevention in place. That involves that at the front end. At the county level and at the state level to have easier certification. When there is the transition, we need to be able to make sure that those systems can be in use without being out of play for a while. There are a lot of different levels with it. Made with Windows 7. Having an operating system with them. That is their operating system base. It would have been great if all the systems even being made over the last year were already Windows 10. They are updated as they were being put out. There were negotiations. In terms of the money piece, negotiations to make sure they would not charge for the upgrade. It would have been better if there was never a need for upgrades. Thank you. I yield back. The gentlelady yields back. The gentleman from Virginia. Thank you, Mr. Chairman. I am grateful to you for holding this hearing today.
An issue that has been in need of examination for some time. I'm hopeful after today's hearing we can act on some of the excellent ideas and many others that have been put forward on this committee. While the responsibility of carrying out elections is one of local and state government, they do have a critical role to play, as has been discussed. It is a fact that other countries are trying to interfere in U.S. elections. Russia, most notably. We must remain vigilant. New threats will never cease and our nation must stay to ensure our elections stay secure. It is our duty to carry out that mandate and resist all forms of tyranny that threaten our freedom. I have listened with interest. It seems we are moving in two different directions. One towards more use of technology. Decentralization, blockchain. I am curious about real-time testing of blockchain in West Virginia. Your neighboring state, West Virginia, had apparent success in using to allow deployed to explore. What have you done to ensure deployed service members can vote? We have not explored directly West Virginia and watching how this goes. I think it seems the first run of it was successful. Like we all know, there are a lot of risks with using untested technology. In the meantime, we are, sorry, an encrypted email process that is going to be used. I lost my voice. It will allow, instead of having to access a website, encrypted emails. It seems to utilize both ends of the spectrum there. Having a paper ballot backup. Exploring open-source solutions. Are you researching efforts to replace paper ballots that could replace the mind that you should have that paper ballot backup. Backup or primary. Either way the technology can help provide this level of security and verifiability. Paper ballots either way. At a minimum for the audits you can do a hand count if necessary. Our researchers who look really closely at election-based technology, we are very familiar with the West Virginia experiment.
We will continue to look at that. It has a specific focus. You have leaders with the state and local, what the rules are for voting and who is on the ballot and who is not. The security and privacy that is critical to our national election. Have you seen in other countries any evidence of hackers denying an option to penetrate election infrastructure? The work we have done globally so far has been monitoring nation-state actors trying to hack into the accounts of candidates. Others involved in the academics. What we have seen is there are attacks in many other countries. We saw it. Remember the number one set Chairman Nadler referenced in his opening statement. We saw it following ours in 2016. This pattern of conduct by the Russians and potentially other nation-states is absolutely continuing in multiple different countries. The time of the gentleman has expired. In 2016, Vladimir Putin assessed the Russian posture vis-a-vis the other countries. He realized he could not defeat liberal democracies militarily or economically, but he convened the equivalent of a Manhattan Project for electronic subversion of a cyber election and the social media of democratic companies. A three-pronged attack. There was racial propaganda and other kinds of ideological poison into Facebook and Twitter and so on. A direct effort to hack into the DNC. We are aware of that and have testimony about that. The third part was to go right to the state boards of elections to get to those systems. I want to ask a couple of questions about that. They made the most progress in terms of the Illinois system. They were not able to nullify the existence of voters on the database. How secure are we to a similar attack in 2020? The way it has been described to me is you go around the neighborhood and you try to figure out which houses have unlocked doors or windows, which is the easiest to break into. When they are locked, you move on to the next one.
They found most of the doors and windows and moved on to the next. I think that is why we were successful at not having a worse situation. It could have been devastating. How secure are the states? How ready are we? We do not have one system. We have at least 50 systems. All over the country. I think we are absolutely in a much better place than we were two years ago. It is critical infrastructure that was a big start to that. I think we still have a way to go. We need to be funding the replacement of voter registration systems. Making sure that the counties have cyber protection, the passwords, multifactor authentication. Those are just as important as the voting. We need to recognize that. Would we be safer in protecting our presidential elections which are obviously the biggest magnet and target? Would we be better off if we had one national popular vote in the system? Or are we better off where we have a state by state voting. Whatever we choose to use, what is important we have the right protections in place. Are you telling us that we essentially have a technological fix to the problem of security of the actual voting systems themselves? Yes. We think it is implemented in devices and those devices have been adopted. We will have this end-to-end verifiability which will enable individual voters and officials to trust the outcome with the ability to have audits as a backup to add a layer of trust in the system. A lot more confidence in the system. Providing a much greater degree because individual voters for the first time will see that their vote was actually counted. You have emphasized that our electoral integrity was a matter of security. Why does Vladimir Putin and all the other authoritarians want to destabilize our elections. Making deals around the world and going corrupt each others elections and interfere. The gentleman from Pennsylvania. Thanks for all you're doing to make our elections safe. This goes to a number of where we are at today.
Directing intervenes in our election. And the process for certifying devices and so forth. This is something that the entire election community is reacting to to a relatively short period of time. When our security team saw that a group that we call, now we know from the Mueller indictment is a Russian organization operated by the GRU, the same group, when we saw that organization registering a bunch of fake Microsoft domains, domain names, websites that looked like they are Microsoft, but really were not. Because of the timing we immediately took action. We take those things down. We are in a constant technological battle with that organization. It started then. As we fast-forward over the next year, I had a conversation with our president. The obligation that we have as a company. Based in a democracy to help protect however we can those democratic institutions and our voting process as a core institution. We are going to continue to invest in an advance coming years. Thank you again. I really appreciate all you are doing. I yield the remainder of my time. Thank you for yielding. HR 35 be entered into the record. I want to return to paper ballots versus technology. More applicable to the voter rolls. Reviewing the technology is our global or inapplicable. You do need to evaluate those two different things separately. They really are different problem sets. You need to look at the problem set. Voting where we do not think it is a great solution. The voter registration rolls, something I need to go back. Talking to our experts about whether it is a potential solution. I am not sure that it is. You do not really want in the context, you do not want distributed ledger. You want a ledger with the leader. You want to have someone who has the decision-making authority about what is a legitimate registration and what is not. Distributed environment, that is being determined by every other participant in that environment.
There may be a way to make blockchain applicable to the process to help with this security issue. I want to go back and talk to our experts. Probably not the right technological fit. It is very interesting to me that it seems to be less susceptible because in the event you had where someone was attempting, instead of us relying on one supervisor of elections. A department of state or even these joint task forces that I think we discussed today. You would have thousands of different capabilities to diagnose the manipulation. If you can essentially you can manipulate the voter rolls. As I stood here today, I am not certain in my state there was not some in the file should of the no one has been able to have that to me. Again, I do not expect anyone to be an expert on this. We have a lot to learn about it. I just reject the premise that only a piece of paper gives us a sense of lack of manipulation. If I may yield back. The witness may answer the question. Let me go back. We come back to you. The blockchain and voter registration roll. Whether that or some other approaches mean securing the rolls. The gentlelady from Florida. Thank you so much, Mr. Chairman. Thank you to our witnesses for being here. I am from Florida. A colleague's earlier statement. Every voter, regardless of the party, where they live, they deserve to have their vote counted. Thank you very much. I would just like to ask you, have you faced any obstacles with the federal level and if so, what have they been? We have not faced any obstacles to implement ElectionGuard now that the technology is out and available. We expect to have continued conversations with a number of representatives where we will explain the technology and how it works. I do not anticipate any federal level resistance. I think we are aligned with the federal assistance. Those and others responsible for our election committee. The technology's available right now for implementation, the timeline is complex.
They want to put it into device. A demand from state and local vendors. Deploying the new devices that implement the technology. All of that is subject to this currently outdated process that takes too long. It's too burdensome and it is too hard. We need to make sure that they are updated in a way that provides much more agility and flexibility. You have all those pieces that need to come into alignment. We're confident we'll have some pilot elections utilizing this technology no later than 2020. The sooner it can be deployed in order to secure our elections, the better. The breaches in the 2016 election. Going door to door looking to see which windows were unlocked indoors. Not immediately detected. My question is, election officials trained to be looked for on election day to ensure that there are no undetected attacks. The first and most important is that a baseline of what normal looks like. Every election jurisdiction needs to know what normal operations look like. Appropriate monitoring in place should there be any adversity, a flow of data that is unusual. A login from an unusual, someone that should not have access. An account that should not have access. Being able to monitor for any abnormal activity is the most important. I would say every level needs to be trained in this. Technology, the intrusion detection system should be in every single county in the country. Every municipality. I think that is one of the most critical components. I would love to see resources from the federal government to make sure that that happens so we don't have voters and under-resourced counties with less security than others. My first job in elections was as a poll worker. Making sure that we have the support and training to be able to be recognizing not only signs that are problematic, but knowing about provisional ballots. We actually have a provision that allows when people are not in the voter rolls to still vote.
Sometimes poll workers do not remember to do that or don't know to do that. They need to be adequately trained. Then it can be checked later. Never ever be turned away. Thank you so much. Yield back, Mr. Chair. Four minutes and 20 seconds left on the vote of the floor. A number of votes on the floor. The committee will stand in recess, but reconvene immediately upon the votes on the floor. I asked the members of the committee to come back as soon as the last vote is cast. The committee stands in recess. The gentlelady from Texas is recognized. Thank you for the patience of our witnesses. The more confident voters are in the systems. The more confident they will feel that their vote has been counted and their voice has been heard and of course this directly impacts the future participation. I listened with great interest of your testimony. I wanted to start with you. I heard you explain the system that you have. I just want to make sure anyone watching this is clear. Is it a software system or a software system and machine and an auditing system too? Ours is a software system that needs to be incorporated into the voting system that was utilized by voting officials. Multiple different voter systems you can start with hand marked ballots that are then scanned. We support those and are working to support others that are not as widely used. It is basically software that needs to be incorporated by vendors into the voting system itself. The user, the voter can go to online. That would simply just verify they voted. Your software system. When they vote, when they go to the polling place and they vote, they get a piece of paper that has the code. They can enter the code and later. They can get verification that their vote was counted. They cannot see their vote. That is critically important. They know who they voted for. Your vote was not changed and your vote was counted. It is important that they not be able to see their vote.
They could be coerced into voting a certain way. Also not be able to see how they voted. That is correct. There really is no paper trail. There is a paper trail in the sense that our system supports the creation of a verified paper ballot. You vote. That is encrypted. You get a paper ballot that the voter can look at and say, yes, this is correct. That can be used for risk-limiting audits. Even for hand counts, even though it should not be necessary. Thinking about a lot of people they don't have a computer at home. Don't have a laptop or don't have a way of doing any of that. What are we to do with the usual targeted populations when there is some of this misinformation, hacking. Many times, minority voter precincts that get attacked. What would we do, then, for the person that does not have access to a computer or internet to go through that process. Our system is based on polling place voting. Hand marked ballots or using an electronic voting machine. ElectionGuard supports going to the polling place to vote. You don't need to have any technology in order to vote. Talking specifically about verifying that you voted. This sort of thing happened to me once. I voted and I thought I had done everything. I was the center. It did not go through. I said what do you mean, it did not go through. I had to go back in and vote again. It made no sense to me that I had to do that. Happening more often than not. I am just concerned about the populations that don't have access to a computer to verify that the vote was counted. The good news is, you can do the verification in our system with a smart phone. Most populations, they have penetrated much further than laptops. They just have the one that you go to the flea market or a store. The flip phones. They don't have the smart phones. Those are more costly. Cricket phones. They go in there and they get one month at a time. We're talking about people that are paycheck to paycheck.
They cannot afford one like mine. I understand. The verification does require some access to a system whether it's your neighbor's phone, your phone, go to the library and access a computer. To get that personal verification. That is a new advance of the technology. To do that and see that your vote was counted, you will need access to something. A smart phone, a public computer, some device that lets you see my vote did in fact get counted. I yield back. Yielding back. Thank you very much. I wanted to thank you and your work and removing barriers to voting in Pennsylvania for everyone that is eligible to vote. I wanted to thank you for your attention to modernization and things such as two weeks ago rolling out the ability to request absentee ballots online. I know my three children that do not live in the district anymore, when they are at school they appreciate that ability. You've also paid a lot of attention to our young voters. High school registration. Can you just tell us a little bit about what you've done there? It all started a couple of years ago. The Governor's Civic Engagement Award. It's been a tremendous success in Pennsylvania encouraging students in school to register eligible voters to vote. It has been a terrific competition from school to school and student to student, but also their engagement and voting which, as we all know, probably a lot of us started our engagement early. Research shows when you are engaged early, you probably become lifelong voters and that is critical to our democracy. Turning to more out what is at hand here. Life and communication. Can you explain a little bit about that? Absolutely. One of the things we have been talking about a lot as we develop these conversations is the importance of operatings. It is one of those things that I think a lot has been doing for a long time. The election spirits relatively new. One of the critical components is to know who to call at the moment you need to call them.
Who the right person is to call. The clear parity that we have is the call to make as incident xyz and for the counties to not have to figure it out at the moment. We are doing a lot of work with the counties. We need that to come from the federal government as well. A centralized line of contact. If you have one piece of advice for Congress as we debate the appropriate vehicles to legislate, what would that be? I think I would have to go back to our conversation about diversifying the types of election security that is implemented across the country. There has been a lot of attention to voting systems. Transitioning to paper records. As we discussed earlier, so many other components of this process are at least as critical. Funding needs to go to voter registration databases. Making sure we have layered defenses to all of our networks. Phishing and security training. All of those things are equally important. I am most worried about thinking that one solution is going to fix everything. We need to give the states the ability to decide what their most critical component, components are. That involved work in helping establish best practices that the federal government can help push out and funding to achieve those best practices. Exactly. The gentlelady yields back. Gentleman from Arizona. Thank you, Chairman, for hosting this today. Thank you to the witnesses for not only appearing today and sharing your expertise, but taking such a lead role at all levels of government. Much appreciated. Our nation came under attack in 2016. Russia's efforts to interfere in our elections were sweeping and systemic. Americans, hacked into email accounts. Hacked into the very systems and databases. We know that the same kind of attack continues to this very day. Director Christopher Wray stated this is not just an election cycle threat. It is pretty much a 365-day-a-year threat. Despite that, the White House has done nothing.
Joins the Senate in sitting on its hands in the fight to defend our democracy. It's a real travesty and I hope this hearing we can begin to turn the tide. Unfortunately, my home state of Arizona, voter registration database was one of Russia's targets. Their attack was not successful, but it shows the heightened importance local officials must place on election security. You mention in your written testimony the importance of the integrity of voter registration. When it comes to the use of e-poll books for voter registration rosters and on-demand printers, do you agree it is the best practice to use encrypted communications in all circumstances when data is transmitted or received? Yes, I do. Is there ever a circumstance where election officials should transmit or receive data on these devices in a non-encrypted manner? I cannot envision the circumstance such as that. You also mentioned that the steps the federal government and state government must take will cost more than 2 billion. Not all states are investing in security. Some including Arizona, are cutting election security funds. What types of outcomes and risks are states that don't take this seriously exposing themselves to? They are exposing themselves to the potential of their election outcomes to be corrupted, invalid, not accepted, not trusted by the populace that they represent. Ultimately, the impact could be much worse than the reality which would mean people would not come out to vote. Thank you for that answer. A question for all the witnesses. Some officials use USB devices to transfer data from one device to another. Is that best practice to use those only a single time to minimize the possibility of malware or to use those devices repeatedly? I would go with yes it is certainly a best practice. Some circumstances that as long as there is effective reformatting it might be effective. I think using new ones is probably always the best practice.
USB devices are a known vector for the transmission of malware which can be installed at the time of their manufacture. Even using new devices, anything other than a very highly trusted source, American manufacturer of using it in an election of the United States is a challenging thing to do. Unless there are no other alternatives for the use it should be prohibited. Thank you. I yield back. The gentlelady from Pennsylvania. Thank you, Mr. Chairman. Thank you for holding this important hearing. I want to associate myself, so as not to be repetitious, with Representative Stanton's remarks of the gravity of the situation as well as the chairman. Secretary, as he said nothing is more important than the security of our elections and nothing in this democracy is more important that and ladd were talking about these issues and secretary thinking for I'm delighted to see you here from Pennsylvania and Governor Wolf for your service particularly in the area of election security. I'm thinking back to Mueller coming in and telling us and telling the world that certainly our elections were interfered with in 2016 and as I recall them correctly he said it's going on 24/7. That interference continues. Can you describe some of our vulnerabilities from 2016 and maybe lay out some of the vulnerabilities that you still see. I think the good news going back to what we talked about earlier is a good that arose from what happened in the past is that we are with the declaration of being critical infrastructure has provided us with a lot more resources and is so one of the things that I think is critically important across the country as well as in the state are the collaborations that we've been talking about so I think the lack of collaboration and intersection of resources could be a vulnerability if it is ignored.
For example, we found in Pennsylvania as we started to have tabletop exercises and improve our collaborations a lot of times in the counties the election officials did not even know the emergency management personnel and that is crazy. In 2018 the primary was almost like a real life tabletop exercise but there was a tornado that crossed the state on primary day and we had to have trees were down, polling places were bought, electricity went out in the intersection of the emergency management, law enforcement and elections was critical. I think one of the vulnerabilities is not seating that well. Again, it goes back to planning, too. I want to make sure that our counties have the research they need to have advanced intrusion detection systems, effective training of security and all that and every advance sensor protection layer defensive so that's the area that I would focus on supporting the local counties and municipalities is an area I would want to direct attention. In the issue of a certification of the equipment itself what is the delay there? How could we streamline that? Or any of the witnesses. The issue there is the standards or the guidelines that are promulgated by the commission are more than ten years old and in the most recent modification of those guidelines is not a single election system that has been certified under those recent guidelines and those are ten years old. Election System Commission is doing right now which is revising those guidelines is critically important but they need to move quickly with expeditious activity because of the threat, as you pointed out, congressman is 24/7 and happening now and will happen through the 2020 election cycle.
We need the EAC to adopt new guidelines for certification quickly and the current ones don't adequately address security and they take too long and are too burdensome so we need to streamline the process to make it faster and one of the really critical things for all state and local election officials is we need to make it very easy to apply security updates and that's a key defense to these adversaries from every vendor so we need to apply security updates quickly, expeditiously without so much bureaucracy so that we can respond. Thank you. This will be by way of a vertical statement and I was struck by something you wrote in your testimony to my secretary. You wrote election security is a race without a finish line. Our adversaries are continuously advancing their technologies and we must do more all the time so we know we can't see a finish line for this and we have to identify the traps. I wonder what conversations all of you have had half with your own organizations based on foreign threats but now the news of this past week must address to our election and it cannot be a more greediest time and none of us is pleased with the news of the Ukraine conversation by the President of the United States in an attempt to interfere in the future election. I praise you all for your work. Help us to better at our work to protect our elections. I yield back. The gentlelady yields back. This concludes today's hearing. We thank our witnesses for participating. Without objection, all members will have five legislative days to submit additional questions for the witness. Additional material for the record and with that, without objection, the hearing is adjourned. [inaudible conversations]
One is the possibility, limited, though it may be, of regime change in North Korea. Second, we should look at and discuss with China and we should have done it long ago aiming toward the reunification of the peninsula under a freely elected government like that in South Korea.
Third, if you believe in, you may not, that it is unacceptable for North Korea to have nuclear weapons at some point military force has to be an option. Now, this is obviously the most controversial subject and many people say it's just unimaginable, unimaginable that you would use military force. Let me quote to you the words of General Joe Dunford, chairman of the Joint Chiefs of Staff on his last day as chairman and has done an outstanding job, he said at the seminar in 2018 on this question of what is unimaginable. General Dunford said, as I told my counterparts, both friend and foe, it is not unimaginable to have military options to respond to North Korea's nuclear ability. What is unimaginable to me is allowing the capability to allow nuclear weapons to land in Denver, Colorado. My job will be to develop military operations to make sure that does not happen and I think General Dunford was completely correct.
President Trump's former national security advisor, John Bolton, speaking today about U.S. relations with North Korea and you can see his entire program from the Center for Strategic and International Studies tonight at 8:00 p.m. Eastern on C-SPAN also watch it online at c-span.org or listen with every C-SPAN radio app.
Host: Joining us on The Communicators is Senator Marsha Blackburn, member of the Commerce and Science Committee on communications and technology. Senator Blackburn, you're here as a member of the House but this is your first appearance as a senator. Welcome back. Guest: Thank you so much. Good to join you once again. Host: I wanted to ask you about the issues you worked on in the House when it comes to technology.
Were you able to bring it over to the senate such as data privacy and thing l