
I will recognize myself for an opening statement and then the Ranking Member. We are here to look at election security. It's hard to imagine a bipartisan issue. It's what President Abraham Lincoln meant when he said a government by the people. When our citizens vote, they not only elect their leaders, they choose a direction and set priorities for the nation. Elections with integrity strengthen democracy and confer legitimacy and public trust in government. Concerns with earlier systems have the passage of the 2002 Help America Vote Act. This requires the National Institute of Standards and Technology, for which we have jurisdiction, to work with the Assistance Commission to work on the technical and voluntary guidelines for voting. We will discuss the current guidelines that are in place for the states to protect their voting and elections systems. Though they were voluntary, I hope to hear whether they were sufficient to safeguard and whether the states effectively use them. This discussion is timely as many have been raised in recent months about the vulnerabilities of electronic machines and online voter registration. The discussion today will review the security of the system in its entirety. We will examine what guidelines are in place, how we currently protect systems from potential technical vulnerabilities and what kind of work, including research and development in my home state of Texas, is under way to protect future voting and election systems. Last year hackers from China to trade at the Office of Personnel Management database and stole confidential records and personal information on more than 22 million current and former federal employees, including those involved in the national security efforts with the highest security clearance. The attacks on voter registration databases in Illinois and Arizona were the latest incidents of such attacks, this time with alleged ties to Russia.
We have yet to take decisive steps to defend ourselves and deter attackers. The President says we are more technically advanced with authentically and defense of the on cyber warfare than our adversaries, so why won't he take the necessary steps to prevent cyber attacks on our systems by foreign governments? If we are attacked repeatedly and do nothing we will have surrendered unilaterally and put at risk our national security and very freedoms. This committee has held more than half a dozen hearings on cybersecurity issues. We know it isn't enough to respond to cyber attacks with diplomatic protest. We are going to hear from witnesses today about how the federal government can help states keep the systems secure. The single most important way to protect our systems, to protect each American's right to vote and be heard, is that this administration and for the next to take decisive steps to deter and if necessary sanction the foreign government that attacked us in cyberspace. That concludes my opening statement and the Ranking Member of from Texas is recognized.
Thank you, Mr. Chairman, and good morning. Ensuring that the elections are fair, accurate and accessible to all American citizens is fundamental to our democracy. Every instance of malfunctioning voting technology and without question every cyber attack on our system is significant. All efforts to improve the security, privacy and access are welcome and important. I am confident by the testimony of today's experts and many others that we are in a much better place today than we were ten or 15 years ago. I am deeply concerned, however, about some of the rhetoric in the recent weeks that seems to have eroded public confidence in the system. The system is riddled with fraud and those conspiratorial allegations, like many others that have been floated in the public sphere this election cycle, are not supported by actual facts and they threaten the process we have relied upon for more than two centuries.
I'm eager to hear from the panel today about the challenges of securing the system in the digital age and what actions have been taken at the federal, state and local level to strengthen cybersecurity. However, given the rhetoric and other threats the system is facing, I want to take this opportunity to put the cybersecurity challenges in context. The U.S. election system is complex and highly decentralized, encompassing approximately 10,000 local county and state election offices. Further, there are few connections between individual voting systems and the internet, and at least 75 will be able to verify their vote with a paper ballot this fall. This compartmentalization and paper trail provides a firewall against any threats. The recently publicized attacks against the rules in Arizona and Illinois are in various but haven't resulted in any changes to the voter data. In Arizona they worked to contain the threat. What I find most concerning is they may be linked to the Russian intelligence operation, so we must be vigilant and hope they will lead to improved cybersecurity protocols and practices. While security of the system is important, voter access is fundamental to our democracy. Baseless allegation of the fraud have been used as an excuse to disenfranchise large numbers of the minority to the discriminatory voter ID restrictions. News 21, a journalism program established by the corporation in New York, found voter impersonation fraud to be extraordinarily rare and the analysis of the 2016 fraud cases in all 50 states from 2000 to 2012 out of th2012 of the regiss identified only ten cases of voter impersonation fraud. You don't enact laws because the cases unless you have an ulterior motive.
The courts have been right in the most discriminatory state laws and in addition to the sanctioned voter ID law, the Brennan Center have continued to document cases of intimidation, spreading of the information to keep minorities and students from voting and other attempts to target and disenfranchise minority and young voters. These threats to tens of hundreds of thousands of elderly voters were orchestrated by public officials should be taken as seriously as the cyber threat. I know my remarks moved beyond the intended scope of the hearing but you know how passionate I am about this issue. It is my hope with this hearing that we can have a thoughtful discussion of the challenges and actions that have been taken related to cybersecurity and other issues while avoiding adding to the noise and confusion sounding piece issues just ate we from the crucial elections, and with that I would like to welcome the witnesses for being here today. I look forward to hearing. Thank you and I yield back.
I will introduce the witnesses. The first witness today is Dr. Charles from the Information Technology at the National Institute of Standards and Technology. In this capacity, he oversees a research program that develops measurement and testing for interoperability, usability and reliability of information systems, which include cybersecurity standards and guidelines for federal agencies and U.S. industry. Dr. Romine serves as an analyst at the White House Office of Science and Technology Policy and is a progra as a pror at the Department of Energy's Advanced Scientific Computing Research office. Dr. Romine received his bachelor's in mathematics and PhD in applied mathematics from the University of Virginia. I will now recognize the gentleman from Louisiana, Mr. Abraham, to introduce the next witness, who happens to also be from Louisiana.
It is my pleasure to recognize the Honorable Tom Schedler from Louisiana to serve a four-year term. He's past president of the National Association of Secretaries of State which has turned this past July and he served as the co-chairman for the association of secretaries of state task force on emergency preparedness for elections. The Secretary of State of Louisiana, he is committed to protecting the integrity of every election and th in the std worked diligently to streamline the process. It's been a cost-effective system, becoming one of the first states to implement and the first in the country to launch a smartphone application to get timely information.
Thank you, Mr. Abraham. The third witness today is the executive director and cofounder of the Center for Election Innovation and Research. To increase voter turnout and give officials the tools they need to ensure ah balls can vote conveniently in a system with maximum integrity. Prior, he was the director of the Elections Program at the Charitable Trust, where he worked on reforms and election administration that included using technology to provide voters with information they need to cast the ballot. He received his undergraduate and law degree from the University of California, Berkeley. The final witness today, from my home state of Texas, is a professor in the department of computer science and a scholar at the Baker Institute for Public Policy. The research covers a variety of topics in computer security that includes electronic voting system security, where he served as the director of a multi-institution research center for correct, reliable and transparent elections. He also served as a member of the Air Force Science Advisory Board from 2011 to 2015. He earned his bachelor's degree in electrical engineering and computer sciences at UC Berkeley and master's and PhD from Princeton University. We welcome you all and appreciate your expert advice. Dr. Romine, if you would begin.
Chairman Smith, Ranking Member Johnson and members of the committee, thank you for the opportunity to discuss the role in the voting systems. Improving voting systems requires an interdisciplinary approach that must be reliable and cost-effective, secure and usable and accessible to all. The design and standards must consider the diversity of the processes across the state and none of these can be considered in a vacuum. The expertise and testing, information security, trusted networks, quality and accessibility provides the foundation for the voting systems work, but our experience working in a multi-stakeholder process is critical. We must bring together election officials, industry, technical experts and advocacy groups to address this challenge. The role is limited to the research to develop standards, tests, guidelines, best practices and assistance with laboratory accreditation that the commission for the EAC and state and local jurisdictions may use at their discretion. Since the signing of the Help America Vote Act, we've partnered to develop a science, tools and standards necessary to improve the accuracy, reliability, accessibility and security of the voting systems. Our joint accomplishments include new voting system guidelines, guidelines in support of Military and Overseas Voters Empowerment Act and the Uniformed and Overseas Citizens Absentee Voting Act. The establishment of the testing laboratories for testing a committeitwould begin testing certification program upon which many states depend. The Technical Guidelines Committee, a federal advisory committee, assists in the development of the voluntary voting system guidelines. In 2015, the approved the latest recommendations guidance with new requirements for the fact verse and new security requirements on access control, physical security, auditing and software quality and software integrity.
To support overseas and military voters, including the use of the internet to cast absentee ballots, the research concluded widely deployed technologies and procedures could mitigate many of the risks associated with electronic blank deliveries but the risks associated were more serious and challenging to overcome. Based on that research, documented security practices and considerations for officials on the use of electronic mail or the web to expedite the transmission of the registration materials. In early 2011 the analyzed the technologies that may mitigate the risk to the internet voting. We also identified several areas where research and technological improvements are needed to ensure the security, usability and accessibility of the voting. Many of these challenges are not unique to the voting, such as strong identity management, protection against malware and the resiliency of the systems. The challenges of the voting are the requirements and expectations to ensure the integrity of the voting process while protecting privacy. They've recently organized public working groups to provide an open and transparent development process to give the state officials the opportunity to work directly with academic and industry and federal government experts. The groups help inform in updating. There are three working groups, pre election and post, that are providing insight on the process. The groups are supported by the technical groups: cybersecurity, human factors, interoperability and testing. The working groups take input from the technical groups to inform requirement for consideration. To ensure the systems are secure is critical to provide trust and confidence in the voting process. The technical working group is developing guidelines and best practices to secure the systems.
The group is focused on the security best practices including physical security, auditing and contingency planning. To provide a firm foundation for the security guidelines they are researching threats and vulnerabilities and the best practices and technologies that can mitigate the risks. As part of the research they've catalogued the vulnerabilities and weaknesses in the voting system software. The goal is to understand the vulnerabilities in the systems by looking at the historical evidence and creating a voting specific list and mapping the weaknesses to the requirements. This has identified issues that should be addressed in the requirements and test methods and by voting system manufacturers. We continue collaborating with others to fulfill the role and we leverage our research, which is applicable to a wide variety of organizations used by industry and governments throughout the world. Collaboration in the public and private sector is the only way to meet this challenge, leveraging each role and responsibility. Thank you for the opportunity to testify today and I would be happy to answer any questions you may have.
I want to thank the committee and Ranking Member Johnson for the invitation to address you today. I think it's important for you to hear from actual officials. Our job in my opinion is to make voting easier and more accessible and tough to cheat, but in recent weeks reports on cyber attacks have voters questioning whether their votes would actually count and in my opinion that is more damaging. We are all on high alert. This has put all of the states working on national security issues with all national agencies in the effort to try to improve the system or to recheck the system we have put the states are always evaluating security measures and plans. As I speak, in Louisiana I'm dealing with 30 precincts from the record flooding we had in the Baton Rouge area on contingency plans of what I want to do to notify voters and the like. So yes.
Are we concerned about potential interference in the process? Absolutely. But voter fraud is harder to accomplish than you may think. And as was pointed out by the Ranking Member Johnson, we have some 10,000 jurisdictions voting in the country. Hundreds and thousands of voting machines in various locations. The complexity of the system has reinforced the process, and what I mean by that is if you think about the complexity of fact it makes it difficult for any to go in and disrupt the national federal election. Specifically, while states have developed online registration, some 31 states have the best practice to improve customer service and developed different ways to guard against intrusion. In Louisiana information collected through the voter registration system that does not flow directly into the statewide system, instead of the voter information sent from a website each registered in Louisiana, the register has direct access to the database, not the voter. While it would be disruptive to have registration systems hacked as we saw in Arizona and Illinois, the voters could still vote and to election day would still occur. Anyone who discovers an issue with their voter registration status has the option of a provisional ballot. And remember, no voter information was added or deleted in Arizona or Illinois and most states have electronic paper backups. In terms of voting machines, is important to note so far they've only succeeded in hacking these unfavorable conditions are existed that do not exist on election day, including plenty of unfettered access. There is no governments that ballot manipulation has ever occurred in the United States. No state coming up, I want to make this clear, has internet voting. Our voting machines are never connected to the internet.
In Louisiana all machines are stored in secure owned warehouses and maintenance, including most of software applications as well as programming, is performed by infected the secretary of state employees, not outside contractors, and additionally before every election Louisiana performs and is a process which we demonstrate each machine is working properly before it is locked with a tamper-proof seal. The testing process is also done at the end of each day to demonstrate each machine is functioning as required by roughly 60 of the states. And if necessary the majority of states can make paper ballots and audit of a bubble if the review becomes necessary. Finally, please keep in mind that the timing is critical. Elections are no longer one day events. The ballots have been printed and are in the mail and the voting begins. If you say that this is an inopportune time for the officials to be discussing the subject is an understatement. The train has left the station. During a call with Secretary Johnson, my colleagues and I were sure there would be no intent to declare a system as part of the critical infrastructure before the November elections. Some secretaries including myself have been vocal that no matter when death may occur from such would undercut the constitutional role of states and local jurisdiction and only complicate our ability to properly secure elections. As of today there is not enough information on what the designation would mean or why it's necessary. States get what we need from existing networks including the United States commission and the standards and technology which already identified th identify f testing certification. Most standards needed to reveal signs of tampering. There is a rule for Congress in this. Most purchased their machines using federal dollars. But there's little interest on the Hill when it comes to helping replace the systems. I suggest you see how an investment in voting technology could benefit the nation in the long run.
In the meantime, we have received a sobering wake-up call on a serious nature of cyber attacks. States will continue to take an approach to secure the systems and at the end of the day I want to assure every American, and I speak for all of my colleagues at the association, that your next president will be determined by a vote of the people and every vote will count. Thank you for loving me and my comments.
Good morning and thank you Mr. Tremaine and Johnson to testify today on the important issue of the security of the system. I am the executive director of the Center for Election Innovation Research and working with those like Secretary Schedler to improve the systems. My experience goes back about two decades, starting with a stint as an attorney and the voting section of the Department of Justice under the Clinton and George Bush administrations where I served dozens of precincts nationwide and served several years as the director of the program where he oversaw efforts to use technology to improve efficiency and security. As an initial matter we should be clear about the systems in place and what they do and what if any vulnerabilities might exist. Voter registration databases are a system in the news a lot recently. As you noted there was a breach in the voter registration database where personal information that appears to have been accessed. In Arizona it appears the states to attempted and prevented access of any private data. But in both cases initial investigations suggest nothing was changed and the list remained intact and it was to access personal data for the purpose related to identity theft rather than to manipulate the voters themselves. To continue to be vigilant about the databases, to my knowledge every state creates a backup of the list and most on a daily basis, so should anything go wrong with the database themselves, the list could be reconstructed.
While there've been concerns expressed about the email system, it's completely different than the systems in place. That was an attack on an email server which has no energy to the regulated systems in place in the states to administer elections. The machines themselves include paper ballots and devices which the votes are cast and include equipment. With regards to the systems I can say that while none is 100 hack proof they are secure as they've ever been and voters should have confidence their vote will be counted accurately. There are four primary reasons voters should feel confident in the system. First, they are highly decentralized. Each state governs independently and with any state there are many individual jurisdictions. Counties, towns and the like totaling approximately 10,000 nationwide to administer those. Even in many states to counties the differenthe countiesthe difd technologies to conduct elections and within the jurisdictions they are well over 100,000 precincts and polling places and that's just on election day, not taking into account the early voting sites and tens of millions that would be utilized since November the there isn't a single concentrated point of entry, rather there are thousands of planes they would have to successfully navigate to manipulate the results. Second, the machines are kept securely. They are subjected to rigorous particles per chain of custody testing in every jurisdiction. Held under lock and key with additional protections to ensure nobody without proper credentials can access the device. It's exceedingly difficult to gain access, unauthorized, to even one of these machines and even impossible to gain access to more than one. Prior to each election, every time the equipment is used to go through a series of tests to confirm that they are working as intended and tabulating the votes accurately. Unlike voter registration databases or systems, I know of no jurisdiction where the machines are connected to the internet.
This makes it impossible for therwhetherin Moscow, Russia or o access the increment and plant a code or hack into the system. That would require a hacker to have unfettered physical access and enough time to sabotage one machine to impact the results on one device and one place. To manipulate the results on a state or national scale would require a conspiracy of literally hundreds of thousands and for that to go undetected, which brings us to the fourth reason. Hundreds of thousands of conspirators operating on a range of systems defeating the testing in the chain of custody and placed it would likely have no effect on the vast majority of results nationwide because well over 75 vote on paper ballots and in most states, 32 plus as of 2014, there is an audit requirement that matches the digital record industry discrepancy exists for the use of the official record. The states that require such include the battleground states of Arizona, Colorado, Florida, New Mexico, North Carolina, Ohio, can Pennsylvania and Wisconsin among others, so even if the conspiracy were viral, it would certainly discover the results becoming official. There's been a lot of hyperbole surrounding this but the process is in place to ensure the integrity of the system and the rhetoric. They are distrusted in the system but far more working quietly and collaboratively at the federal, state and local. Officials across the political spectrum are working to secure the voting systems and reassure her that this will accurately reflect voters' choices and they can play a role by attending voting machine test and volunteering to serve as workers to see the process firsthand. Whether it is federal officials offering assistance and resources to the state, state and local sharing best practices or citizens serving as coworker, the cooperation e will protect 2016 and safeguard future elections as well. Thank you and I would be happy to take any questions.
Chairman Smith and the Ranking Member Johnson, it is an honor to speak to you today about the nation's voting systems and the threats they face this November and the steps we might take to mitigate those. I've been a professor in the department of computer science at Rice University in Houston for 18 years and my main message here today is that the systems face credible cyber threats from the state adversaries and it's prudent to adopt contingency plans before November to mitigate these threats. In particular, we learned Russia may have been behind the leaked emails with a purpose of manipulating the elections and we also learned of attacks on voter registration databases in Arizona and Illinois, and that is only the ones we know about. There might be more. We must prepare for the possibility that Russia or other adversaries will use their skills to attack our elections and they need not attack every county in every state. It's sufficient for them to go after battleground states or a small nudge could have a large impact. The decentralization that we heard about is helpful but it's not sufficient. My number one concern is the voter registration databases because they are online and if they can damage or destroy the voter registration database, they could disenfranchise a number of voters, leading to long lines and other difficulties. The provisional voting process requires filling out affidavits and it's slow and takes time and that wouldn't work for millions of voters. Paperless electronic systems and their tabulation systems are also vulnerable. Despite not generally being connected to the internet, they are unfortunately never engineered with security in mind and expert analyses by myself and others have found unacceptable security issues. The biggest state adversaries have the capability to execute attacks against the systems. For example, Russia was behind the attack in the 2014 election where the system would have reported results favorable to Russia.
They were lucky enough to catch this. Our options between now and November are largely limited to the contingency planning and if we are lucky we might detect them, but it's important to plan now for recovering from unforeseen disasters in the same way that we make plans for natural disasters including drills and exercises and having plans fall through. If we were to conclude that our computer systems had been unreliable, a contingency plan might be to print the ballots and run the next day. Legislation passed in most states following the hurricane appeared to allow for such mitigation for details varies from state to state. We should be aggressively pursuing teams for the network systems, particularly in the battleground states. If something has been hacked, the sooner we know about it the better and my understanding is the critical infrastructure designation would allow states to request assistance in this role. We must also plan for the next few years after the election is complete. Roughly one third, also heard a quarter, I'm not sure the real number, of roughly one third this fall will use aging electronic systems with proven and secure designs. Some new voting system designs with electronic user interfaces and printed paper ballots are being designed by Los Angeles County, California and Travis County in Austin, Texas. These have the potential to reduce cost and improve the security. Federal support could advance the deployment nationwide and if we do nothing, keeping the services hold them at risk. As a quick note, our immediate future should not include internet voting. It's hard to protect the systems we already have; moving additional voters online increases the risks. The new systems are the best path forward. As Donald Rumsfeld once said, you go with the army you might have. We face a similar situation this November with our systems for voter registration testing and tabulation.
None of them are ready to read off attacks from the adversaries or can we replace them in time to make a difference. Despite this we can pursue a number of pragmatic steps such as verifying the integrity of the database backups and make plans for how we may respond even when we do detect attacks. If we can somehow determined tampering in the voting system did take place we should have plans in place to print paper ballots were otherwise keep the election going. The sooner we can create and agree on these plans, more resilient they will be, and even if nothing goes wrong an wrong f this turns out to be nothing but hot air we should treat them as a warning. With modest investments we can improve the practices and replace obsolete insecure equipment, defeating attacks like this before they ever get off the ground. Thank you.
I will recognize myself for questions. Let me address the first one to you. You have raised lots of interesting issues and my question is where do you think the systems are the most vulnerable, are the one or two areas we need to go against?
My top concern is the voter registration systems because they are generally online. If it is online it is accessible from the internet and then from the nation's state adversaries and as I mentioned before, if you can selectively or entirely delete people you would rather not vote, the current provisional system can scale to support a large number who are filling out affidavits and following the process. My second concern is the vote tabulation system. These tend to be old computers running the old operating systems, in some cases Windows 2000, where the patches aren't even available from the vendor anymore and that means there are vulnerability where it could result in an interesting result.
When I hear he will recommend the paper ballots I went a little bit because those of us from Texas have something he read in the 1950s where it's stuffed with paper ballots and so I sometimes worry about paper ballots as well.
Let me address a question to all the panelists here today. We've heard about some of the vulnerabilities. Let me ask you to rate one through five where you think we stand and let's take this and the next, how vulnerable are we, not necessarily successfully but how likely is it. This election or the next and again when5. It's a little hard for me to answer that question because it involves the intent of the malefactors and I don't really have a background to determine. Let's assume it's not unreasonable to imagine attempts as others have testified that there've been a couple of attempts to hack into the systems currently. There is a constant probing in their IT systems with voter registration iowa to say the possibility that an attempt could be made is not out of the question. With respect, maybe I should say likely or unlikely, would you consider that? It's still difficult for me to answer that question but I would say I would've put it somewhere in between. I can't say that it's likely that but I can't rule it out either. There is evidence b evidenceo states that had a problem, one of which the code was given and detected immediately. I would give it around three. I think it isn't out of the realm of possibility that there would be an attempt before or after that. I think the chance that it would be successful is down. It appears the primary goal is to disrupt combatants and manipulate the results. We often have this phrase advanced persistent threat to talk about the nation-state adversaries that have patience and skills and take the time to do something years in advance and it's often the case they are very secure for months at a time before they are detected, so trying to rank these vulnerabilities I'm going to rank them relative to access. I think the systems are most accessible. I am secondarily concerned about the tabulation systems independent of voting systems themselves particularly. It's very hard to overwrite printed paper.
Final quick question: what more should the administration be doing to protect us in the systems? I think the short answer is providing available expertise to go into the network monitoring and other tasks to go looking for it. Any other response to what the administration can be doing? Spinnaker we should be looking more long term to improve the states' machinery of equipment at this time. I do want to make one comment: as far as Homeland Security, we already have that through the FBI and Homeland Security, and ask you don't have to be a critical infrastructure to get the service. I take all concerns with cybersecurity and elections very seriously. At the same time we face many other challenges to ensure every vote counts if we count both. Some of the challenges are the direct result of human action related to older technology, and as we have seen in the past even face risks from natural events such as major storms. I would like each of you to comment on how you would rate the current cybersecurity risk in the upcoming election as it relates to other issues. From my perspective, my entire orientation and of my organization it is looking at the cybersecurity risks and threats, and so all of the other things you've talked about are outside of our purview, with one exception, which is the contingency planning that the state and other jurisdictions and local jurisdictions are encouraged to do under the voluntary system guidelines can also protect against these other kinds of natural disasters and other things you've referenced. I would put at risk again, as I indicated, on election day very low for the same reason: no state is on the internet. I find it difficult to hack something that isn't on the internet. All the machines, none of them are linked together. There are separate cartridges so they are independent. 
My bigger concern would be something of a physical nature, a physical threat that would be something much more difficult to deal with, and I would put that at a very high number. But as far as cyber attack, other than what's occurring on a sidee side, again there's been no change. That was more of a data collection attempt. I know in Louisiana, if you go to the online registration state, if you went into my system to change the party affiliation, you may think that you are accessing my entire system, but you're not. You are a silo, and a person behind the scenes drags out the information in the local register and puts it in the public eye or the registration, so if someone hacked you get for the money hack you it wouldn't get the entire. I agree. I think, as noted, the officials are on high alert not just for this but for every election, and in many states if it's Tuesday is election day because there are so many. Not only are they trying to make sure the security and systems are in place and the process as a whole is secure, but they are doing a good job, probably better than ever before, balancing that with access to all eligible voters to make sure that they have a good experience. So whether it is more people having access to the ways to vote, more people having easy access to the information like the vote act in Louisiana and other states were more than before having access to early voting options, I think officials around the country, both Democrats and Republicans, are doing a good job, probably better than ever before, balancing out the security concerns. At the end of the day, we need to worry about every problem. We have to worry about hurricanes, earthquakes and cyber issues and have plans in place to deal with them all. The interesting thing is, if you have plans in place for an earthquake, the earthquake doesn't really care. If you have plans in place for cyber, if your adversary knows it isn't going to work, then they are not going to bother. 
So I think it's important to do the planning and forward thinking to make this not be a problem in the future. Thank you very much. Another quick question: we would all agree that making it easier to participate in the democratic process should be a priority. Registering to vote and casting a vote shouldn't be an extra burden. For those that can't leave their homes or people with three jobs and a family of caregivers, how do we balance the efforts to make voting more accessible with the necessity of having secure elections? I would like to take a slightly different attack. We work with the Election Assistance Commission on accessibility and usability issues with regards to the voting systems so that people who have physical disabilities, whether it is vision impairment or mobility or other things, do have access to voting systems that they can also use, and one of the advantages of the electronic voting systems is that we can improve over paper and pencil, for example. First off, we do have early voting. We all remember the days that is no longer the case across the United States, and we do have easy accessibility through nursing home programs and compliance with visually impaired and the like. So I think there's been tremendous improvements made into the voting is probably easier today than it's ever been. Thanks to the efforts of the officials around the country and the Election Assistance Commission and many others, voting is easier today than it ever has been before. More people have access to the options, and many including Louisiana joined the Information Center, which allows them to keep their data up to date and has resulted in registering about almost a million new voters, and more people have access to the information where they can vote by mail or the early. That trend has been remarkable, and I think we are going to see the benefits of it as it expands in many years to come. We have heard about early voting and election voting centers. 
In Austin, Texas, every precinct can handle any voter from the whole county. They did that because of redistricting to avoid chaos, but it has an interesting benefit: you can vote near where you work then your home, so there's a lot of opportunity for creative expansion of capability to vote without making radical changes in how we vote. Thank you, Mr. Chairman. The gentleman from California is recognized for his questions. Thank you for holding this hearing. I didn't expect that it would be as interesting as it's been. Let me start with one question getting a sense of information on the one issue, and then the broad issue of whether or not the integrity of the voting process and system will be maintained is vital to the nature of the country, and it goes to the heart of whether or not we are who we say we are. If we don't have a process that has integrity, we don't have an election process. First let me ask you this. How many examples do we have where they've hacked into our elections from? I know of none and, to be quite honest with you, a question to Secretary Johnson, Homeland Security: is there an imminent threat known? And his answer was no. That made several news agencies. So I know a zero. I had a request from a Russian embassy, and I would suggest to you if I allowed that I would be run out of office, but that isn't the conversation. But I know of zero. The nature of the threat is they don't want you to see them there. We can't assume if we haven't seen them that they are absent. We do know that we have established the motive on the email server; it is a motive that shows they did it for partisan purposes. When you combine what are the examples you just gave? This was reported in the press that they allegedly hacked the email server with the intent of releasing for partisan purposes. That's not the election process, but it's an entity that is involved, so they have the capability of getting into the various. 
But actually in the election process we have no examples of them hacking into the system and compromising the integrity of any specifics. The only example I am aware of happened in Ukraine in 2014. We have seen article after article about how Russia is compromising the integrity of our system. And the panelists say that is false, just to note. For those of us that we want the country to be safe, but we also don't want to continually vilify Russia and turn them into the bad guys. If we have an integrity in the system, I think we have to look at how for some of these real threats to the integrity of the voting system, and whether that is to say it's the old-fashioned way of the licensing has been around for a long time, and we should be insisting on making sure we don't have people voting who are not eligible to vote because perhaps they are not citizens or they are here illegally. We have people who are trying to suggest we don't even have any real demands whether they are here or actually who they are they say they are when they go to vote. So we have a challenge to make sure the system is safe from being defrauded, because the people of the United States, their ballots are being negated by every other ballot that's cast by someone who doesn't have the right to vote. With that said, we did come to and this whole issue back in 2002 with the Help America Vote Act. And just very quickly, because my time is running out, that's been around now since 2002. Congress passed the act specifically aiming to protect the integrity of the system. Is our system now more or less at risk from cyber attacks due to this legislation? And very quickly, if we could have the panel answer that. I think the legislation has improved our focus on security issues associated in the voting system. My organization has been working with the commission for 14 years to provide the best guidance possible to the states and municipalities. 
I would certainly echo that comment, and if you would allow me just to claw back on the previous comment, the whole Russia argument has actually accomplished, I think, even if they are not trying, we would have done it for them, quite frankly. I agree. I think the Help America Vote Act has helped improve security, but even more importantly, what we have learned since has helped improve the act, and I think the 2016 election will be one of the most secure that we have seen in recent memory, that there is no question, based on what we are talking about here and the conversations we are having, they will be even more secure. How did the help desk get rid of punch cards and the machines, and that is a good thing. It was two parties that helped create the EAC, which then could help improve standards and also helped to fund the purchase of new equipment. The equipment was largely purchased before the effort was in action, and I think it would be an excellent thing to revisit to get the equipment up and standards. The gentleman from California is recognized. It was interesting to listen to my colleague from California inquire about the role of the Russians in this election. The focus on the hearing is the voting systems, but the question is not limiting to the voting systems, and it's pretty clear that the Russians have attacked, have engaged in a cyber attack on the DNC, and we have received reports on that. I thought it was unfortunate that the Republican candidate for president either thought it was a good idea or was making a joke about it. We don't know which, but this is a serious matter. What we have been told is not just that the material has been taken, but that the pattern is not just to release material but forge material and alter it in an effort to impact outcomes of elections. 
I think that is something we are concerned about, but the question isn't really whether the actual vote tabulations could be altered, because I don't think that is very likely, that whether chaos could be introduced into the system. That is the goal, the attack on the Democratic Party, and I think it may also be the goal of the cyber attack on the state system. What could be done with this voter information? Obviously there are backups on the database to alter who can actually vote, but what would happen if emails were sent to all of the voters, or just the Democratic voters, telling them the date of the election has been changed or their precinct had been changed? Would that create chaos in the system? Correct, a small percentage of those voters would. An email missive by seeing them I do think that there is a vulnerability in the overseeing system. I remember we had a hearing talking about our lack of concern, a lack of concern that the electoral systems professionals had about emailing the ballot to these voters provided that the ballot itself was mailed in. The more we think about it, with these hackings, if you alter the ballot on the email, that you would again create chaos in the electoral system. So I think that's really the goal here, is not necessarily to impact the tabulation, although there may be efforts to do it, but to create long lines and people in the wrong places, to create chaos and to attack the base and the confidence that the American people have in their election systems, to long lines at and all sorts of mischief. I do think that to downplay the role that the Russians have had in this is a huge mistake when you take a look at what they did to the DNC and the DCCC, and I will just close with this. I do think that it's been disappointing, the reactions have been disappointing, that if you attack one of the major political parties somehow that's okay if it could be to your advantage. 
I like to think if the Russians had attacked the Republican National Committee, the Democrats would be as outraged as Republicans, because it's an attack on America. It's not an attack on the party, and the fact that there hasn't been outrage expressed at all levels of both parties about the effort of the Russians to disrupt this election is a sad commentary on the leaders of that party and also is very chilling when you think about what just happened. I see that my time has expired. I yield back to the chairman. Sprey thank you, Ms. Lofgren, and the Republican from Louisiana. Secretary web, in your opinion is the integrity and the security of the voting systems being the past president of the secretaries of states. You have, I think, some knowledge of the subject. Do you think it's good, bad, average? Congressman, I would say it could. We did a survey before this hearing and begun a response, and I think 19 to 20 states, to try to ascertain that. Aside from my knowledge of observing, and I don't say I'm an expert, but there's a lot of differences in the states and that's what makes it so unique, that I feel very comfortable. Again, the representative from California just stepped out. Keep in mind the Democratic National Convention, the component that was hacked was the campaign site. Each and every one of us, all of you have used a campaign commercial list to determine and the walk list in the neighborhood or whoever it might be. Those are readily accessible. If you knew me well enough I might give it to you, but the point being that is vastly different than the registration component and certainly vastly different than the election day component of equipment. So I think you have to understand that forefront to get into the subject. There's no one minimizing what happened at the Democratic National Convention. 
I know I haven't, and my colleagues, and that makes no difference if you are red state, blue state or purple state, but the bottom line is maybe it's just our knowledge of the system that gives us this feeling of somewhat overconfidence, because I think this is a good ring that we are going through. But we all remember the year 2000, when the world was going to end at one second after midnight. I'm still using batteries that my wife filed for that event. That does not mean that we did not have reason to believe with studies that we should have been prepared. We went through that gyration, and when the school board goes out on the football game, if you were sitting in the stands you know what's going on, and guess what? There are other people keeping track of those statistics at the same time. It's the same with the election system. If one component goes down, we have various components that come in. It doesn't create a nuclear war, and I can't speak to what happens in the Ukraine. I can only speak to what happens in the United States, and I will tell you the election systems in the United States, just like many other things in this country, in spite of maybe what we think, is the best system in the world. Is it foolproof? Absolutely not, and I would also tell you there's no such thing as a perfect election. Anybody who tells you that doesn't know what they are talking about, because anytime you have 10,000 machines that play and 15,000 people from 65, things are going to happen. That's how you handle it, then that's how you document it and move forward. So I'm very confident in it with the caution lights on. There's no disrespect to anyone who believes otherwise. We are looking at it. It has forced us to do so, but I'm deeply concerned that I can speak to my Democratic colleagues and my Republican colleagues that have been on conference calls over the last several weeks of this issue. We are in unison. This is the worst situation we could be talking about as we enter this election. 
We are going through chaotic election process where voters are more disgruntled than ever, and we are adding to that dispensation. Participation. In a very negative fashion, and I feel very confident in saying I speak for all of my colleagues that we are deeply concerned with the rhetoric going on right now from the national press, and we are not trying to minimize it. We are double-checking, but there's little that could be done in eight weeks. We just need to stay the course and have confidence in what we are doing, and again I'm very confident that on November 9 you are going to wake up and you are going to have unofficial results of who won the president of the United States. Keep in mind it's unofficial. We go through that audit in every county, every parish, every state post-election with the official, and you go to your electoral college. Thank you, Mr. Abraham. Thank you, Mr. Chairman, thank you all for your testimony. Mr. Said to you emphasize that voters should feel confident in our voting system, and they certainly have heard a lot of messages about the importance of that confidence here today and how it will lead to greater participation, and certainly that's good for democracy. I think just getting information out to the public with the voting machines themselves are not connected to the internet is going to help. There's a misconception about that. I am from Oregon, and we all vote by mail in Oregon. We have done that for more than a decade. The very secure processor that also makes it very easy for Oregonians to vote. The Secretary of State's office mails paper ballots to each and every registered voter a couple of weeks before the election along with the voter pamphlet with the information about the candidates and initiatives on the ballot, so they have plenty of time to not only studied the issues that fill out their ballots and get them and to be tallied by the local election offices. There are privacy and secure measures each step of the way. 
I was a trained election observer years ago, and it gave me a lot of confidence to see each step of the way and to watch that tally happen at the elections office. So I wanted to ask you a little bit about, are there lessons to be learned from a state like Oregon that does use vote by mail and paper ballots for everyone, and with a focus on the two different issues. There's a voting record, and then there is what happens with the ballot and that tally at the voting machine. If you want to talk a little bit about those lessons that can be learned from that system, and then I also want to ask, I know this is concentrated work in development for the voting machines, that you are now, I understand, working to identify systems dealing with the voter registration system. And before you respond, both of you, I know that her wallace mentioned something about the possibility of a select the disenfranchising of voters by deleting them from the database. It's really easy in Oregon to check whether they are still the database, and getting the ballot early means there would be an early notice that maybe there was a problem, assuming somebody did get through a very secure system. Thank you. Oregon and Washington have that mail balloting in their states, and there are lessons that other states are learning from that. Not every state has the same, and other states of rich different decisions about their population, and that's entirely appropriate, that states like California and Arizona and some other western states offer the option of becoming a permanent mail voter, which you have to check a box and after that you receive the ballot for reelection. Colorado has experienced and California passed a summer bill that is a hybrid of sorts, that every voter gets a ballot and they can choose to mail that ballot in or drop the ballot off at a site or go went early to an early voting site, as Mr. Wallace mentioned, or they can go on election day to a voting center. 
I don't mean to interrupt, but to clarify and organize someone wants to vote in the elections office on election day, they can stand in the booth and vote. Anybody can do that. Some people don't because it's easier to mail it. I think the states are learning from that experience and trying to figure out what's best for their state. Oregon and Washington and Colorado and other states and their particular systems. Also importantly brought up the notes between the voter registration system and the voting machines and tabulation devices themselves, and particularly with mail voting it's very important, because the voter lists are the way to deliver a ballot to someone, because that's able to generate the mailing to the voters. Of course the states where they don't get ballots, they are usually receiving cards as a reminder, and a question earlier about chaos I think was a very important question. I think there have been a lot of systems in place to avoid chaos in the last 10 to 15 years. One thing that's true now, as particularly in a presidential election, it's going to be very hard to avoid information about when the election is and what's going on. In fact I'm guessing a lot of people would like to get away from information about the election, so whether it's the work that Facebook is doing pushing information about election day and how to find your polling place, or Google doing the same way with other tech partners in states partnering with those entities to make sure the information gets out, that's all a great protective measure to ensure that if the voter does run into a problem or might think they might have a problem, they can make sure they are getting it. C briefly talk about what this is doing with the action of living machines. Your question involves the lifecycle from registration all the way through guidelines for the voting system. 
The voluntary voting guidelines that we work with involves the voting systems themselves, but I think we have a decades-long history of security as the management of risk exercise, and I think the states have taken that very seriously with election officials in this state suggests that they are managing risks to the voting systems into the registration systems in a way that incorporates the best practices that NIST has been promoting for a number of years. I see my time has expired could thank you mr. Check. Thank you, Ms. Bonamici, and Mr. Loudermilk is recognized for his question. A very important issue, and rightly we should be concerned about the integrity of our election system, because we are only as good as the integrity of the selection system. After spending 30 years in the IT business, this is something that is very important to me and an area that I do understand, at least from the technological side. Another area we have to be very conscious of is the federal involvement, because typically whatever we get involved with doesn't run as well is that the state is doing it themselves, so we are very conscious of the role the federal government plays and is very limited, especially in an authority stance. I understand we do have things we can do as far as setting recommended standards, but recently the Secretary of Homeland Security has reported saying the DHS is considering whether the state electoral apparatus should be designated as critical infrastructure. Is this appropriate but in your opinion? Is a policy decision that is way above my pay grade so I can have an impact that I can party for that. Do you have any idea what the benefits or disadvantages would be of declaring visas critical infrastructure? I can't speak to that. 
I know NIST provided a significant benefit in partnership with the error on the development of the Cybersecurity Framework for improving the cybersecurity of critical infrastructure that has received a lot of attention and accolades, but that's not limited to critical infrastructure. Any organization of any size and in any sector is free to adopt that framework. You are working with DHS to help the states understand the critical nature of their electoral systems? We are partnering with DHS and the Department of Justice on trying to understand how we can ensure wide dissemination of best practices and minister pahlavis, and as was mentioned earlier, a request to DHS for assistance is not predicated solely on whether you are designated as critical infrastructure. That request can be made without hesitation. It does include the request, my understanding, if it includes respect to scanning of systems, for example, but only upon request. So would be like a stress test on the system? Are we applying lessons learned from the presidential commission on enhancing national cybersecurity and making these recommendations? For the states? It has not reached the stage of finalizing recommendations. Those are not teen inc. In these guidelines. Sort of in the reverse, in the sense that the commissioners are actually taking a look at best practices and fielding discussions with the IT industry and the stakeholders around the country to try to develop the best possible recommendations for the benefit of this administrator in the next. So NIST's stance on this is to work within the framework of the federal government to come up with recommendations that the states may or may not implement, and the flexibility to where they could be customized to the states' individual networks? That is correct. Secretary, how do you feel about that? I do not think critical of the structures needed at all. As was indicated by Mr. Romine, we can go to Homeland Security now, we can get those tests by FBI. 
We have a committee, and as a matter of fact the secretary has been active in this process with several of us. It is one of the committee members we have appointed on nests to serve on Homeland Security's committee into best practices and the like are you most states are corporate in with their local FBI agents when needed, and you know, again, I don't mean to be flippant, but do we want to create a new TSA for elections in this country, a new Postal Service? I just don't think we need that. The Constitution says very vividly accepted the states in a time, place and manner in which we conduct elections. It's a constitutional issue, and I understand from the rhetoric that's not the intent, but to go and put the national elections along with the banking system and the electrical grid, in my position, is way overrated, unnecessary, and we can accomplish the same goals. It's not that we don't want the support and assistance when we needed that we can accomplish that in a far less intrusive way if we keep things on the past now, and again I think the answer is new equipment to improve the systems. We are working on trying to get a system where you can vote anywhere in the state, just like was represented earlier, so critical infrastructure would be an absolute, and I think I speak again, don't know of any secretary of state who has voiced an opinion that they want to be part of that. Do feel that NIST is doing is beneficial to you? Yes. Do you feel in any way what is happening right now with. No. Thank you. I yield back. Thank you, Mr. Loudermilk, and the gentleman from New York, Mr. Tonko. Thank you, Mr. Chairman, welcome to the palace and thank you for your information. Mr. Becker of the commission on elections administration recommended audits and voting equipment be conducted after each election as part of a comprehensive audit program. 
According to Verified Voting, approximately three-quarters of voters in November will be using voting machines with paper records of their vote, and I just share concern perhaps about the potential for mishaps or potential hacking that voting machines with no paper trail. Can you please describe the role auditability plays in elections in individual voters casting their vote? Thank you. We of course are its ability is important. It's very helpful when there is a permanent record that should need to be reviewed for some reason, and in fact even if you are not sure whether the county is, you can discover that, and that is what I did post-election audit does. In 2014 about 32 states offered, had a requirement for post-election audits, and I will be honest, some are better than others. There are very good standard practices where states take random precincts across the state and check the paper count against the electronic count. There's even something called the risk-limiting audit, where you have a number of ballots you have to count to ensure the results as the election gets started, and these are practices that are put in place in many states. What we are seeing, it's easier to audit the system when you have a paper record that the voter has reviewed, and more voters are going to be paper than we have seen since HAVA was at it. States like Florida that had used direct recording devices have switched my am an early voter, but this is the first presidential election since HAVA where Maryland will be using a paper ballot. I have recommended for years, and along with the presidential commission, that post-election audits are a good idea, and having a system that allows for full and transparent post-election audit temp paper appears to be one the best for that and the best opportunity to ensure the election result are reflecting of the people. 
Some may think you and secretary shepard, would you please describe what you have in place in Louisiana in terms of post-election auditing and how would you. Other states overall? Well, we do have a post-audit function. Now, we do not have a paper ballot system. We are looking at that when they go out for rsv rsvp, but our screen on HAVA, it pops up and gives you everything, every person you voted for in the position he voted for, to give you one more opportunity to rectify that if you want to change it or if there was an error. Pc a lot on highly sensitive machines, an elderly person may be dragging a hand in it, inadvertently hits the button below, or a lady with long fingernails sometimes will have a problem. She will have the opportunity to rectify that. We audit at the end of each day on early voting to ascertain the correctness of the vote on the bow and sheets, so to speak. There are paper ballots that you are devising an audit process for. What whether some of those factors in the audit that you see as essential, and have you looked at other states? We have actually gone out to Denver; the county of Denver has a similar situation that is now being used in California and other states with a paper ballot. The majority of folks want to bring that ballot in and put it into a box at a site. We have looked at that system, and we have looked at the printing of a paper ballot instead of on the screen and going to a lockbox. I would be personally against the voter taking that ballot out of the precinct. I think there is one state that does that, but overall, to answer your question, I think the systems are sound, but everyone has to remember every state is different. That is the uniqueness of the system. A lot of similarities, but each state is very unique in their elections. Some may have a week of early voting and some may have 30 days and some states can do early voting. That is the prerogative of the state. Thank you very much, Mr. Chair, I yield back. Thank you, Mr. Tonko. 
The gentleman from, Mr. Davidson is recognized, from Ohio, I'm sorry. Thank you, Mr. Chairman. Dr. Wallach, your testimony addresses the possibility of inserting malware in voting machines themselves. Can you elaborate on how malware can be loaded onto machines that are not connected to the internet, and further explain what it means, each and every voting machine has to be manipulated, or is there a different way where you can hack one machine and that would transmit out to other machines in the precinct? Again, even though they are not connected to the internet. Before we had an internet we had computers with drives, and there were computer viruses that could spread from one computer to another. Electronic voting machines, some of them use memory cards and some of them have these battery packs. Some of them have local area networks. Studies conducted by the state of California, the state of Ohio and the state of Florida found security vulnerabilities could take advantage of these engineered viruses where one compromised voting machine can then infect eventually an entire fleet of machines for an entire county. So it's accurate to say that just because something is not connected to the internet that does not have a vulnerability to cyberattack? Being disconnected from the internet helps but is not a panacea. Perhaps as secretary of state you can talk about, I spoke with our secretary of state about their protocols, but perhaps you can elaborate on how would you or how do procedures protect against that risk should something like that occur? I think it's important to remember that we never linked machines together. I know there are some systems that are being touted, like a Wi-Fi in a multiple precinct site where you have Wi-Fi. That to me is a little scary, but when you consider the concept of each individual machine that is delivered by my office, now, we are a top-down system. So we are vastly different. Into the laptop and a closed circuit sent to my office.
So, I mean, to my knowledge no state interlocked machines, so the concept of getting them in one machine with one cartridge and you miraculously change all 10,000 across the state is ridiculous, because you have to go into each machine individually and have the programming. So you have one card that goes to one machine. You mentioned a case study in Ohio. Maybe you could mention what that vulnerability is. There was a similar study in California, and each of the studies found ways that regular workers go through their standard procedures and standard operations to be used to transmit viruses from one to another. The election day you remove the memory card to collect the vote totals and can spread a virus, and there are other details that vary from machine to machine and. Does it increase or decrease that risk? It depends how it was built. I've been working to try to design something new where this wouldn't be a problem. The reason why is they generate paper backups that could be audited against any electronic results. The machine itself has memory and it prints a tape that stays secure inside of the machine and you can audit any one of those, so it is a good system that has been tested a lot and will likely be front and center. Dr. Romine, you said in your written testimony that they partnered to develop science, tools and standards necessary for the viability and usability and security of the voting equipment for both domestic and overseas voters. How do you measure these improvements, how do you quantify them, are there quantitative or qualitative measures? They are both. They are both. I don't have the details on the measurement. I would be happy to provide those to you.
I think the issue to a large extent then has been listening to the accessibility community, the human factors, the research that we have been able to do demonstrate certain changes that can be made to improve the accessibility and usability of the voting systems, and we have documented those in various reports. I can give you pointers for the way in which the systems have been improved. My apologies, my time has expired. Ms. Edwards is recognized. Thank you, Mr. Chairman, and to the witnesses. I apologize I had to step out for a bit, but I came back because it is an important subject. I just want to be clear: do you concur in the belief from the Department of Homeland Security that it was the Russian state actors that hacked into the attempted Arizona and also the party hacking that occurred earlier in the year? I have no information on that. The only thing I know is the DNC issue. I don't know if they've ever determined where it came from. I don't have any specific information. You believe they are capable of making that determination based on the signature. I don't have any information to the contrary to support. I only know what I've read in the press. In fiscal year 2015, you received about 1.5 million in appropriations from the EAC; that is down from the budget of two to 3 million in the previous couple of fiscal years. Do you think that is sufficient for you to be able to provide the kind of certifications you need in the systems? We don't do certifications. We do provide support through the development of guidelines, and we also provide assistance in the voluntary Laboratory Accreditation program, the testing laboratories that do test equipment for certain states that choose to do that. Obviously you can do more with more, but we believe that the current budget we are receiving is adequate to continue to provide expert advice in security and interoperability for the voting systems.
In part of your testimony, you indicated that, I think it was your testimony, that the technologies that we were using for these voting systems is now about a decade old for these systems. Can you share with us what you believe, if you had analyzed it, what would need to be an updated version that would enable us to keep track of the technology development? There is a rash of purchasing the new equipment with a funding model that came through as a result of that. We've already seen some states go to a second system after using the dollars. I think in talking with the state, there is a great desire to be able to leverage new technology that will improve access as well as integrity of the systems, that would also be cheaper to maintain, and I don't have a specific dollar figure. If we were to replace all the systems nationwide, it is definitely in the billions. But to encourage systems that are more component-based, that use more off-the-shelf components that are easier to swap in and out so you don't have a system that has a 10-year-old touchscreen, you can update as it happens, I think that would be a huge advantage to the officials, and if they had the resources to do that, you would find them to do some exciting things. I apologize, that was your testimony. I apologize. Working for four years now to try to design a better machine, and our intent is to use off-the-shelf hardware with customs hardware to the extent we can for that reason. When you buy a giant touchscreen computer from Hewlett-Packard, or insert your favorite company, you can get cheaper foreign key support and replace the machines whenever you need to, and that helps reduce the maintenance and ongoing support costs. Doesn't it increase the vulnerability? The design of the systems first and foremost produces a paper ballot, so no matter what goes wrong you have these ballots to see and verify, and everything else is gravy.
As a conclusion, I want to thank the secretary, because I think in your testimony you indicated the secretaries of state across the country have confidence in this election, and that is an important message to convey so we can make sure that we don't put al with all this tk depressed voter turnout, so thank you very much. We are very concerned about the rhetoric, and if I could add on the cost issue, I do have just one. Louisiana, currently we have roughly 10,000 voting machines that would cost 5,200 each, so that is to replace them by today's dollars, if you could get the machine. If we went to a system similar to what was indicated to you, overly simplifying the concept, whether it be proprietary or store-bought, less than 300 each. Now, you do need two to three per machine areas for the hardware cost for us in Louisiana, 152 million on the replacement if you could get it, roughly 50 or 60 million. A third of the cost. And 75 of it is in the programming cost. The hardware is only ten or 11 million. The gentleman from Illinois. I want to thank the witnesses for being here today. In my state of Illinois, we had a lot of changes in the last several years. We now have the same-day voting registration, 40 days of early voting, extended grace period, absentee voting has a lengthy period of time, and couple that with some of the issues we had particularly in Chicago with issues related to the voting, I guess in terms of educating election judges and looking at the methods, particularly as it relates to the integrity of voting on election day and as we look at the potential hacking of machines, is there a good model out there that has worked in terms of how we educate folks? And I would also mention I was the assistant attorney, and we would go out as prosecutors and be there at the voting booth, and a lot of times we didn't know what we were looking for or what we were supposed to be doing.
Secretary, can you maybe shed a little bit of light on a few examples of what we need to be doing in terms of educating and working with our folks at the poll? The training is paramount that came out to all commissioners or poll workers, whatever you want to refer to them as. We do a strong component and assist with that and have a very unified videotape we use so we have consistency across the state, but we do have the training and certification and require them to get certified annually. That is a benefit because the better the experience. We also have people in larger precincts for questions, promoting that let individuals take a look and actually vote that on the phone to use as a guide to have a better experience in the voting booth, and the other thing, to me, that is the strength of the poll workers and the voting boards in the counties with regards to the subject we are talking about today, we all know they've been there a long time. If you could think about the greatest deterrent, both Democratic, Republican poll workers together, do you realize someone would have to go against that 80-year-old lady that's been there? I don't think that's going to happen, whether Democrat or Republican, and to me that is one of the hidden jewels in the system. You have the best state-of-the-art equipment or whatever we have, you've got people on the ground looking at the process. It's fundamental and it's the same way we did it 240 years ago, and I think that's something we need to recognize in this whole debate. What you go through in Louisiana, are you confident that type of education and training is consistent across the country? That I couldn't speak to. It is dominant across the country, but I wouldn't say that every state does it that way. With all these changes we've seen recently with voting and how we vote, and I went through the litany there, what does the future of the voting look like?
What we learned today is all 50 states will be voting differently, and it's hard to make a broad-brush statement. I think that there will be a lot of hand-marked paper ballots and a lot of computer technologies available, and some states are voting by ballot and that's okay. Thank you, Mr. Chairman. I now recognize the gentleman from Virginia. I think in your comments stated and wrote the 20 states in this Electronic Registration Center found that went up 30. How do we motivate the other 30 to be part of it, and is there any suggestion that we would ever require that? The Electronic Registration Center is a data center that the states voluntarily choose to join, and they share information to show when it's out of date so they can notify to make sure they get the right information and also reach out to all the people that are eligible to vote and to protect them to the easiest way to register. It was founded in 2012, so it's only 4 years old and now 20 states, so I think that's pretty good for a pre-K 4-year-old, but certainly we are working very hard with the states, including Virginia was one of the founding members, to see more states join, and many others are spreading the word, and that is reducing cost and increasing integrity because they are not sending mail to people that are no longer there. The administration did recommend that systems and that has been a tremendously positive influence, and I think by the time we get to the election we will be at more than 30 states as I talk to those around the country. In the testimony you talked how the requirement that mandates states is only 32 states right now, and you wrote the mere possibility of the recount or the audits acts as a deterrent. So what do we need to do with the other 18 states that don't have this post-audit reconciliation of paper and electronics? I am a big fan of reconciling when you have both.
Many of the states, that isn't an option because you don't have paper records, like the entire state of Georgia votes without any paper record, so there is no way to do a meaningful audit. I would love to see the sunset of the machine and replace them with the next. There was the mentioning of 396 million of authorized. Is that enough to replace the old machines? I am not sure if we could do this on a shoestring or do better to spend more money and do it properly. I don't have a good answer for you today. Many of you wrote about how the machines are connected to the internet. If they are not connected to the internet, they are at the point of time in the tabulation, and I think someone else pointed out they are usually connected to the database 365 days a year. Is that actually a strength we can talk about? Or when the most common question ever asked of me is when are we going to be able to vote on the internet, and my answer is I hope never, because the world is evil thing and we see it, everything gets hacked into, and that's why I am so adamant to make it much more difficult. But the day we go on the internet, all bets are off. I want to caveat that there are a couple of states that do allow the return of overseas military ballots by the internet. Alaska being one and I don't remember the other three. That is a small percentage of the overall vote, but they do allow for the return. But I will say this in defense of that: it is a secure military, you don't just send them an email, and they have to get access and they have the ability to open the file up and do something with it, so it is a little bit different, but certainly under the argumentative discussion we have today it could be vulnerable. On this requirement of reconciling paper and digital, is this a suggested standard or should it be?
Part of the system guidelines that we work with was a strong recommendation that there be an audit capability, and certainly paper records to provide a robust way to do that, but it doesn't mandate specifically. I now recognize myself for five minutes. I just spent two days in Baton Rouge. I came back with the representative and came back with them and he had the same expression to me. I represent 36 districts in Texas and we had, but I had never seen anything like this, 30 inches in some spots and a population center like that. I would like to ask you a question. You said in your testimony that I am happy to report there is no evidence the ballot manipulation ever occurred as the result of a cyber attack. And on the other hand, if the paperless electronic voting systems were attacked we would be unlikely to see evidence of thinthe machines or the system. I just want to hear both of your opinions on this matter. I'm pretty simplistic. I ask a simple question and I do not profess to be an expert that icon at the derivative of saying, if you are not on the internet with voting, how do you hack into the machines? I don't know much more than that, but if you're not on the internet, out in the cloud, how do you hack individual machines with cartridges? Thank you. The example we can look to to understand this is the virus that was engineered to damage the nuclear facility in Iran, that was also meant to be secure and wasn't connected to the internet, yet somehow it was able to do its job. We don't know many of the details, but it's quite clear where there is a will and a budget and a way. I don't know whether that nation's adversaries have chosen to make that investment, but I know that it is technically feasible, and that's why it's important to take the mitigations into the steps against them. Thank you very much. Next question would be for you.
Is it possible for someone to conduct a cyber attack while pretending to be Russian, Chinese, North Korean to falsely assign blame? Have you ever come across any instance of such? The issue of the cyber attacks broadly speaking is a well-known problem, and nation-state actors will pretend to be others for the purpose of trying to throw off the attribution, so I'm not privy to how we have this attribution. I have to assume the people who said that know what they are doing. And then one more for you: considering the arrangement of the vulnerabilities, and this is what you said a second ago, the range of the vulnerabilities that exist from electronic systems, do you think that more states will return to the paper ballots, and can you explain how it's the more secure option? There seems to be a trend if you consider the four states in five states now, and in many cases it's not for the cost reasons. You have to factor that in. I will say this, you have to have some other protections, and I think that Oregon and some of the others do, but I've also said the best and easiest way is right here on my hand. When I mail out a paper ballot, I have no idea who votes that ballot. I may be able to verify the signature that I can tell you that we are there and a couple cases in Louisiana with a small jurisdiction where the individual campus goes and knocks on the door and says can I help you fill out the ballot, and they do. The point being you have to have some checks and balances in the system even if you verify the signature with electronic machines, so I always contend this is the easiest way to prevent fraud in the system, and it doesn't mean that it's wrong to do it, because I'm respectful of the states and how we do it, but in the entire subject matter, we have the 100. 10 years ago and I think this would set the stage with the dollars and states in this country at this time we have 396 million of the voter appropriated dollars reportedly still out there.
I gave you an example of what it would cost to replace the systems for 394 million may go a long way and if not completely retool all 50 states with the assistance from the federal government. But we can put layer on top of layer, and as long as you can write a check, we will do it, but at some point you've got to use practicality, and again, I myself, and I think I speak for all 50 of us, we are very confident of the system we have. We have the trifecta backup audits and the like, and in the worst-case scenarios I've heard here today, I am still very confident. You may not have the results November 9 if the catastrophe hits, but if you are a little patient we will get you the result and you will have a new President of the United States. That is a good answer. I know I'm out of time, but what do you consider the chances of the states going back to the paper ballot? If for no other reason, they are very expensive, as the secretary told us earlier, and for that reason if nothing else we are moving to paper sort of by default. The gentleman from Illinois. I thank all the witnesses for the testimony, and I have questions because some other ideas came to mind. Let me ask a couple questions so I better understand. Everyone does it differently, and the idea of not having the machines directly connected to the internet makes sense, but for example, if you do have a voting machine, then usually at the end of the day when they closed and the votes are those communicated from the polling place, because I would expect that they are done oftentimes over some sort of connection to the nest, and then the other part of that is I go online and have the results coming in to see the results they are displaying, so hopefully it isn't a lack of understanding here, but aren't there some connections that are going on? Mac I can tell you if you voted and I can reconcile the state. Even in the transmission of those results, even when you referred to, there was a delay.
There is a reason why we have that delay. To be able to detect interference in that process. Even if it had occurred, delay in getting official results, keep in mind on election night the election nights are unofficial. We know that from being elected. The news media is out there declaring winners before the polls are even closed. Our job is to make it accurate and effective. It's good to hear. Is that the common way it is done everywhere? Yes, pretty much. To my knowledge that is the way it is done. I can't speak to every place, but in the places I know of, they actually physically transport the cartridges or memory devices with the counts that occurred in the precinct to the county office, which is often a frustration for people who are looking for election results. If they hit traffic or something like that there will be a delay in getting those results. And at that point, or many of those have duplicate cartridges as well. So some of this is not completely foolproof. The problem is voters get frustrated because there is a delay in getting it because there's a physical transportation of the memory. I think hopefully that helps alleviate the concerns that people do have. It is not being transmitted electronically in a way that can be hacked into. One other question I had: the paper tapes, and I certainly agree are a great idea, how often, at what point would there be a check of those against the electronic numbers? It usually dictates, it is usually dictated by the closeness of the election. Usually a challenge or some major malfunction. Typically it is triggered by a challenge by a candidate, someone wins by ten votes or loses by ten votes and challenges that and requires a recount to be taken.
We are also very public with the certification of our machines, as you as a candidate or as a campaign can watch us certify those beforehand, and also when we reopen those machines to recertify, candidates are allowed to come in, or representatives, to actually watch the process and watch that matching go on. I gave an example, testified last week at the EAC on this subject, and if you can bear with me a minute it probably is a good representation of your question. I watched with major networks with an individual claiming he had a handheld device that said he could put early voting cards into them but as many times as you want to. I don't argue the point that you can have a piece of machinery like that. You do it at gasoline pumps and the like. But what I did question was in the early stages and never brought in anybody who brought in an election to dispute that. You have to allow for an early voting site that someone is going to sit there and keep injecting a card how many times are going to vote. We have time limits in most states. At the end of the day, even if you have that piece of equipment, you still have the programming of what engage that card. At the end of the day, if there were a hundred people that came in to early vote by signature next to your name and we had 106 votes, we are going to be able to determine by that number on that card, that you don't see, that you voted six times. We don't know how you voted, but we know you voted six times. So we will catch it. I am from Chicago. I'm from Louisiana. So let's clean that up. We no longer throw ballot boxes in the Mississippi River. We have a big lake to do that. Thank you very much. I yield back. Yes sir, thank you. I now recognize the gentleman from Illinois. Thank you all for being here. This is such an important subject.
I don't know of many things more important than making sure that our ability to vote is protected and that we feel confident that everything is being done to make it open and accessible to everybody, and using technology to do that, and making sure that we are protecting information and protecting that confidence that our polls are accurate, our voting booths are accurate and being abused in any way. I want to thank you for being here, thank you for your work. It is clear the nature of our increasingly connected world has opened up new vulnerabilities which was unperceived and brought about great new things that we can all agree and improve our lives and functionality of our democracy. It does it in ways that we can exchange goods and services with others as well. A year ago I had a chance to visit with a group, my colleague and I saw many of the innovative ways they are integrating technology into their services. They have online voting in many elections, and most forms of bureaucratic paperwork are submitted online and more easily searchable for that. While this is encouraging, I also realize that Estonia has as many people as New Hampshire or Maine, so there are things they can do differently than we as a country of almost 330 million people can do. Our states need the flexibility to innovate, and the federal government's role should be assisting but not passing down new unfunded mandates, which I hear so often from my constituents and from my local government officials on the challenges they face. If I could address my first question to doctor. Regarding the recent cyber attacks on the voter registration in Illinois and Arizona, why would an individual organization want to hack into states' voter registration information? Are they looking for the same kind of information and other data breaches in the retail sector, or just personal information? What is the purpose behind these attacks? There are many different motives to describe.
If we're talking about our garden variety, identity theft, they just want to have the information in the database. If we're talking about the nation-state actors, their motive could be to get information, but a lot of information is available through other channels. It could be to tamper with information. We have talked at length about the sort of chaos that could potentially cause. Specifically with tampering, would it be possible to add voters or delete registered voters? If it's a database on the computer, it's simply possible to do all of those things. I wonder if I could ask you, is the database part of the technical guidelines? [inaudible] The voluntary voting systems guidelines are principally for the voting system itself. However, we do have other guidance that my organization has developed over the years to protect information systems broadly and would fall under that category. I think yes, separation there is a legitimate way of trying to prevent certain kinds of interactions. So that separation is happening, what's actually happening in the states, is something that I'm not privy to. Also, from what is known, what kind of guidance for protecting voter registration databases were in place in the two affected states that I mentioned earlier? Illinois and Arizona. Will this consider updates to include voter registration databases? We will be considering that with regard to our partnership with the EAC to provide guidance to the states and municipalities for protecting voting systems, with their broader remit perhaps it's one way to look at it. The guidelines that we have in place for IT systems have been developed over a number of years. They involve integrity checks, identity management issues and other things that can protect information. So the cybersecurity framework that I alluded to earlier helps organizations to craft a way to manage risks in the space. Again, my time is almost up, so thank you for your work.
Please let us know how we can be helpful going forward. With that I yield back to the chairman. You sir, I now recognize the gentleman from Texas, Mr. Weber. Thank you, gentlemen. I want to do something before we get into this election discussion today, regarding the earlier comment of one of the members on the other side of the aisle that she was appalled that there was no Republican outrage over the Russians' apparent hacking of the DCCC. I would note that there is probably the same amount of outrage from the Democrats over Hillary Clinton's dumping of a bunch of emails and destroying evidence in a federal investigation. Having said that, in full disclosure, I was an election clerk and election judge and a precinct chair for about 16 years in Texas. The in Missouri County. When we have good old-fashioned paper ballots. As one of the few who raise my hand when we said we want to pass resolution encouraging electronic voting. I said, I don't, I like the paper system, I don't trust the internet, now, this is back in the nineties. It seemed as if we have come full circle. You all say that there are some states considering going back to paper ballots. So here's a question for, I guess, all of you, one at a time. We'll start with you. First of all, how many states have paper? I think there's only five states that are completely without paper. There are some states in the middle that have a mix, depending on the county, of paper, non-paper system. What state in your opinion has the best system? I don't have insight into the systems that are being used. So you have not formulated an opinion in that regard. I don't have the data. Fair enough. Now if you say Louisiana, I'm just saying. Well, the best system for which the people of that state feel comfortable in voting. Touche.
Because, New Hampshire, I mean, you can just think of the variety that we have had across the board from the east coast to the west coast and Oregon. Just totally different constituencies, totally different comfort zones. And some people still like going to vote in the neighbor's garage. And if that's what they want to do, then that is good for that state. So, I mean, that is the best answer I could give you. I would not, no, I would not say that we are the best. Although a few years ago they had a set number 18, which would surprise he. Because I used to always say if you interview people in the streets of New York on a late-night television show they would never mention Louisiana as the top 20, but we're there. There's not a lot, that's correct, but I think that is probably, I know that is a politically correct answer, but out of respect for all of my colleagues and all of the states. You have to make that decision. I would also be diplomatic here. I think if you asked most election officials throughout the country, most would say that the technology they are using, none is on the ideal system yet. They're looking for something new to come around. So you don't have an opinion about that. I think the particular state with work being done in Los Angeles County to come up with a system based on off-the-shelf components that's largely sensible is going to be instructive to the entire field. Well. I'm going to the horn of three different states where I enjoy what they're doing. I like California's use of risk-limiting audits, where you can audit paper and compare it to the electronic results. I like what Florida has, where they got rid of the paperless electronic voting machines. My parents live in Fort Lauderdale and they now vote in the later laser printer on demand so they can have early voting and vote centers. Florida is now doing remarkably good stuff. I of course have to say something good about Texas.
In Travis County we are building a really great system and it could potentially be applied in many other places. Are you from Travis County? No, I live in Houston and grew up in Dallas. Okay, so let me just also say here, having been the recipient of when a lot of those ballot boxes were carried, missouri county is a big area and apparently reiger up its like 40 miles north of the county seat. As an election judge in the general election, we would always take our Democratic counterpart in the general election, take them down and turn them in to the county. I've been on the receiving end when it took 45 minutes to an hour just for the drive time and people are wanting the results. What, the last question, is that right, Mr. Sherman? What is the most critical time of a cyber attack? I would say a cyber actor who knows what they are doing is acting months to years in advance. Because they don't necessarily have access. I'm saying if they are going to affect the November election coming up, is that something done the night of, the week before? Are you saying years, that they get into the system years. You get in way in advance and then you have whatever effect you're trying to have. If your goal is to create chaos then you want your effect late. And it all depends on what you're trying to do. Okay. I yield back. Thank you. I appreciate that. I want to thank the witnesses for their testimony and the members for your questions. And the record will remain open for two weeks for additional written comments and written questions from members. With that, this hearing is adjourned. Thank you. [inaudible]

Coming up on C-SPAN2, the U.K. Brexit secretary talks about negotiations leading up to the exit from the E.U. Then to stop tickets gulping. Senator Dick Durbin on immigration issues. After that, a look at immigration and the Republican Party.
Wednesday, British Prime Minister Theresa May is in the House of Commons for question time. Watch live at 7:00 a.m. Eastern on C-SPAN2. Veterans Affairs Secretary Robert McDonald testifies Wednesday about implementing recommendations of the veterans care report. Watch testimony before the Senate Veterans Affairs Committee live at 2:30 p.m. Eastern on C-SPAN3.

The U.K.'s new secretary of state for exiting the union testified on Tuesday on preparations for the transition and the role of Parliament during negotiations with the E.U. The British Parliament committee heard from David Davis. This is an hour and 15 minutes. Will call to order. Welcome to the session on foreign affair session. On gaining information into the Brexit exit. So you're very welcome. I know this is your second gig in two days and that you have told the house of the European Union yesterday on it was a particular pleasure. Which I hope to repeat today. Is that the reason you chose to sit at that end of the building? I did not even do the scheduling. Between your clocks in my office. I don't imagine it was with our clocks. You made some pen a decision to go there first. But that is the general hook that I want to take into my next question, which is to examine your assessment of the legal and parliamentary implications of the Brexit. Can we confirm that there is going to have to be an actual act in order to leave the European Union? There has to be some legislation, no doubt about that. There are various stages, firstly with dealing with the european
