House Judiciary holds hearing on election security

The House Committee on the Judiciary will come to order. Without objection, the chair is authorized to declare recesses of the committee at any time. We welcome everyone to this morning's hearing on securing America's elections. I will now recognize myself for an opening statement.

Yesterday the Director of National Intelligence testified that "the greatest challenge we have as a nation is making sure to maintain the integrity of our election system." I agree. Our democracy was founded on a government elected by the people, for the people, in free and fair elections. Today our elections, the very core of our democracy, are under attack. Special Counsel Mueller's report, in no uncertain terms, detailed how a foreign government attacked our 2016 elections. The Russian objectives were clear: deepen distrust and discord in our society, secure the election of one candidate for president over the other, and in so doing undermine confidence in the integrity of our elections and damage our nation's standing in the world. There is no evidence that Russia affected the actual vote count of our elections, but Russia did successfully steal thousands of documents from American citizens that it used to influence public opinion. It also accessed voter data and gained other valuable intelligence, which it may seek to exploit in the future. In short, as Special Counsel Mueller emphasized in his recent press conference, Russia's attack "deserves the attention of every American." Russia's attack was not an isolated incident, nor is Russia the only foreign power attempting to influence our elections. We live in a world with agile, persistent enemies who are constantly evolving their methods of attack. As FBI Director Christopher Wray warned, make no mistake: the threat just keeps escalating, and we're going to have to up our game to stay ahead of it. Despite concrete evidence confirmed by the heads of our intelligence agencies, President Trump has refused to acknowledge Russia's attack,
let alone publicly denounce it or outline clearly how he intends to deter future interventions. To the contrary, the president has openly declared that he sees no problem with foreign influence in our elections. More troubling, there have been reports from multiple senior White House officials, including the former Secretary of Homeland Security, the organization tasked with leading our election security efforts, that the White House failed to adequately inform Americans about continuing influence efforts and instead directly stymied attempts to investigate or even discuss the attacks in our elections. More troubling still, we now have evidence that the President of the United States asked a foreign leader to interfere in our next election. The president is not only refusing to defend our elections against foreign attacks but is actively soliciting such intervention. That is unacceptable, and it puts our nation at great risk. We must not let foreign attacks go unpunished or undeterred, and we must make the investments necessary to withstand any future attacks. The Judiciary Committee is tasked with the duty of protecting the right to vote for every American. That includes not just equal voting rights and access to the polls but also confidence in the accuracy and security of our election systems. We will protect that sacred right. We will not let anyone, not even the president, attempt to undermine the integrity of our democracy. Today's hearing will help carry out that duty, to ensure that we understand the extent of the scope of the threat to our 2020 elections and to identify appropriate steps for deterring, detecting and defending against those threats. I am pleased that last week the Senate finally approved a bipartisan spending bill to safeguard voting systems, but much more needs to be done. U.S.
elections are not built of isolated parts. The existing infrastructure is a vast ecosystem that includes voter registration, vote casting, vote tabulation, election night reporting and auditing systems. Each of those components is vulnerable to attack, and as with any ecosystem, if any one component part fails, if there's a flaw in one piece of the technology, it can jeopardize the entire process. As former Secretary of Homeland Security Jeh Johnson explained, the integrity of our election outcomes on the national level dances on the head of a pin. Securing our election system therefore requires securing each of its component parts. This begins with ensuring that we can verify all votes through post-election audits to certify that each vote is accurately counted, which will help maintain trust and transparency in the election process. We must also secure our voter registration databases, voting machines and voting systems. A report published this spring found that in at least 40 states, voter registration databases and machines were instituted more than a decade ago. Outdated systems are difficult to maintain, subject to serious flaws and vulnerabilities, and are more vulnerable to attacks from the outside. Our adversaries are agile and technologically advanced. We must be too. We must provide states with the resources needed to secure their systems and update their critical infrastructure. In addition, nearly all states and territories rely on outside vendors in some capacity, but of those states and territories, roughly 92 percent rely on just three vendors. These vendors must be regulated to ensure that all of their products meet minimum election security requirements. Finally, state and local officials responsible for administering elections, our democracy's frontline defenders, must have the resources and cybersecurity training necessary to protect our voting systems. We must also develop better tools to share cybersecurity and threat information among state and local
officials and the federal government. In 2016, according to the intelligence community, state election officials were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor. We must ensure that each component piece of our election system is sufficiently integrated, equipped and ready to handle any attack from any actor going into 2020 and beyond. In short, the challenges facing our elections are serious, evolving and multi-pronged. There are no easy answers. I know that Ranking Member Collins agrees with me that the threat to our elections is a threat to the American Republic. I thank Mr. Collins for his attention to this issue, and I am pleased to say that our staff jointly selected the witnesses here today. These witnesses will help us understand further the extent of the scope of the threats we face and the vulnerabilities in our systems that must be patched. Their testimony will help guide this committee's efforts to ensure the integrity of our elections, and I thank them for appearing today. I am confident that, working together, we can address the imminent threat to our elections and protect our voting systems going forward. Our democracy depends on you.

The ranking member's been detained, and I will recognize him for his opening statement after he arrives. Without objection, all other opening statements will be included in the record. I will now introduce today's witnesses.

Debora Plunkett is a senior fellow for the Defending Digital Democracy Project at the Harvard Kennedy School Belfer Center for Science and International Affairs and an adjunct professor of cybersecurity at the University of Maryland's Graduate School. Ms. Plunkett previously served as deputy director and then director of the National Security Agency's Information Assurance Directorate. She also served as a director of the National Security Council under both President Clinton and President George W. Bush. Ms. Plunkett received a Bachelor of Science degree from
Towson University, an MBA from Johns Hopkins University and a Master of Science in national security strategy from the National War College.

Kathy Boockvar is the Acting Secretary of the Commonwealth of Pennsylvania. She also serves as the elections committee co-chair for the National Association of Secretaries of State and as the association's representative on the Election Infrastructure Subsector Government Coordinating Council. That's a nice title. Previously, Ms. Boockvar served as senior advisor to the Governor of Pennsylvania on election modernization, as executive director of Lifecycle WomanCare and as chief counsel for the Pennsylvania Auditor General. Ms. Boockvar also worked for many years as a poll worker and voting rights attorney. Ms. Boockvar received a Bachelor of Arts degree from the University of Pennsylvania and a JD from American University Washington College of Law.

Will the gentleman yield? She was my student.

Are you back? I will assume she learned well.

Tom Burt is the corporate vice president of the Customer Security and Trust team at Microsoft Corporation, where he works to formulate and advocate Microsoft's cybersecurity policy globally, including advancing the Digital Geneva Convention, the Tech Accord and the Defending Democracy project. Mr. Burt joined Microsoft in 1995 and has since held several leadership roles in the Corporate, External and Legal Affairs department, including leading the company's litigation group from 1996 to 2007 and more recently leading the digital trust team. Prior to joining Microsoft, Mr. Burt was a litigation partner at Riddell Williams, a law firm in Seattle, where he worked on voting rights cases. Mr.
Burt received a Bachelor of Arts degree from Stanford University and a JD from the University of Washington Law School, where he graduated magna cum laude.

We welcome all our distinguished witnesses. We thank them for participating in today's hearing. Now, if you would please rise, I'll begin by swearing you in. Raise your right hands, please. Do you swear or affirm under penalty of perjury that the testimony you're about to give is true and correct to the best of your knowledge, information and belief, so help you God? Thank you. Let the record show the witnesses answered in the affirmative. Thank you, and please be seated. Please note that each of your written statements will be entered into the record in its entirety. Accordingly, I ask that you summarize your testimony in five minutes. To help you stay within that time, there is a timing light on your table. When the light switches from green to yellow, you have one minute to conclude your testimony. When the light turns red, it signals your five minutes have expired. Ms. Plunkett, you may begin.

Chairman Nadler, Ranking Member Collins and distinguished members of the committee, thank you for the opportunity to testify before you today. My testimony focuses on potential security vulnerabilities of our election systems and recommendations to better protect our democratic processes and systems from cyberattacks. We must take bold, decisive and expeditious steps to address cyber threats and then assume our efforts are insufficient given the rise of attackers' capabilities. All known threats must be addressed in order to better ensure secure and trusted elections. Bad actors, whether nation-states or lone criminals, focus on gaining unauthorized access to systems that provide the best opportunity to achieve their goals, including influence, destruction, profit, espionage, coercion or just fun and fame. Attackers can make their attempts from across an ocean or from down the street. We must treat election security as imperative for safeguarding our democracy.
Intelligence leaders warn of ongoing and escalating interference attempts by multiple foreign actors who view our 2020 elections as an opportunity to advance their interests at the expense of American democracy. In the United States, elections are complex and decentralized. The United States has over 10,000 election jurisdictions. These jurisdictions vary by technology and processes. Recognizing the variety of election jurisdictions is central to developing and implementing strategies to improve election infrastructure security. While elections operations can vary significantly across jurisdictions, there are fundamental similarities in some infrastructures. Many election systems are built using general-purpose technology and commercial off-the-shelf software. While this means they are often subject to attacks popular in other sectors, it also means experts have identified some best practices to mitigate many of the risks. The key is to make sure these solutions are kept up to date. At Harvard, the Belfer Center's Defending Digital Democracy Project produced a state and local election security playbook which identifies ten best practices that apply to all elections jurisdictions, which I'll briefly summarize today. The first is to create a proactive security culture. Most cyber compromises start with human error. A strong security culture makes a big difference as to the success of a malicious actor. The second is to treat elections as an interconnected system. Any digital device that touches election processes must be safeguarded. Device security management should be centralized and streamlined. The third is to require a paper vote record. It is essential to have a voter-verified, auditable paper record to allow votes to be cross-checked against electronic results, and the paper record must have a rigorous chain of custody. The fourth is to use audits to show transparency and maintain trust in the elections process. Auditing should be embedded at points in the process where data
integrity and accuracy are critical. The fifth is to implement strong passwords and two-factor authentication. While strong passwords are important, two-factor authentication is one of the best defenses against account compromise. Number six is to control and actively manage access, where users should receive the minimum access required to perform their jobs. When someone no longer needs access, it should be revoked. Number seven is to prioritize and isolate sensitive data and systems so that you know which systems should be properly protected. Number eight is to monitor, log and back up data, which enables attack detection and system or data recovery after an incident. Number nine is to require vendors to make security a priority. Detailed security specifications should be written into acquisition documents, and vendors must be required to notify officials immediately after becoming aware of a breach. And finally, number ten is to build public trust and prepare for information operations. Transparency and open communications will counter information operations that seek to cast doubt over the integrity of the election system. In conclusion, election systems are our critical infrastructure. To protect them, the federal government must provide the requisite guidance and support by allocating resources to upgrade election systems to the highest security standards, ensuring information exchange between federal, state and local entities is seamless, instituting security standards that vendors must follow for election systems or components, and encouraging a culture of security by keeping the American public fully informed on malicious actors' behaviors and intentions and the government's efforts to stop them. Thank you for the opportunity to participate in this important dialogue today.

Chairman Nadler and esteemed members of the committee, thank you so much for your leadership on election security. As chief election official of Pennsylvania, I have the privilege of working with dedicated election
officials across the commonwealth in all 67 counties to make sure that all of our elections are fair, accessible and secure for all eligible voters. As has been discussed, the issues surrounding election administration have become more complex and complicated because of security issues. As we know, foreign adversaries are continuously trying to influence our elections. The key to thwarting this effort is to make sure that we are building our cyber walls faster than those that are trying to tear them down. Election security is a race without a finish line, and our adversaries are not slowing down. We need to make sure that we are meeting and exceeding those technologies and making sure that we invest at all levels substantial and sustained resources. Alongside the great majority of states, we urge the federal government to provide additional election security funding but also infrastructure, and we need to look at this like we look at other ongoing initiatives. So we don't do once-and-done appropriations for other types of security, for health care, for education. We look at these as ongoing investments, and that's how we have to look at our elections. Nothing is more important than the security of our democracy. There have been great advances over the last many years. As discussed, the EIS-GCC, the Election Infrastructure Subsector Government Coordinating Council (say that five times fast), has been a great collaboration among federal, state and local officials to secure elections, and it's working to formalize and improve information sharing, communication and protocols to make sure that our local and state election officials can respond timely to threats. The great thing about EIS-GCC is that it has a wide range of members, so you've got 29 members; 24 of them are local and state election officials, but it also includes critical federal partners like DHS, EAC, NASS, the Election Center and the International Association of Government Officials. Other key partners in
this fight are DHS, the National Guard and the Center for Internet Security, who have been incredibly strong partners, making sure that we have risk and vulnerability assessments, shared intelligence, tabletop exercises and extensive communications. But there's more that we could do. So one of the things that I'd love to see the federal government being more involved in is vendor oversight: tracking foreign ownership, making sure that we're getting background checks, making sure that there's a good chain of custody across all voting and elections components. We also need to strengthen lines of communication in both directions, from federal, state and local. For example, when there are local incidents reported to our federal partners, the federal partners need to make sure that the state election officials know so that we could timely respond to those incidents. On the Pennsylvania landscape, we've had some great successes over the last year and a half that I've been very proud to be a part of. We broke down silos. We knew it was really important to have an integrated approach to election security, and it's been incredibly effective. We have an interagency work group that involves IT professionals, security, law enforcement, Homeland Security, elections and emergency preparedness. We meet regularly and work together to make sure that we are working together as a front to make sure we have the most secure and accessible elections in Pennsylvania. We've provided tabletop exercises, and we were the first state in the country to accept DHS's offer of free vulnerability assessments to states. One of our big successes over the last year has been our transition in Pennsylvania to voter-verified paper ballot systems. I'm happy to say that whereas a year ago we had 50 counties across Pennsylvania that had no paper trails, as of this November there will be 52 counties that will have voter-verifiable paper trails. So a huge flip, great success and a credit to the county
election officials for all their work. I'm also happy to say that we have a post-election audit workgroup. As discussed by the chairman, this is a critical piece of our elections: making sure that we're auditing and instilling confidence in our voters about confirming the results of the election. The right to vote is a fundamental right, and every voter must be provided equal access to the polls and a deep-seated confidence in the security and accuracy of their votes. Our democracy, and bolstering our confidence in that democracy, is worth every dollar. Thank you very much.

Chairman Nadler, Ranking Member Collins and members of the committee, thank you for the opportunity to testify today on the important topic of how emerging technology can contribute to the security of our elections. My name is Tom Burt. I'm the corporate vice president for Customer Security and Trust at Microsoft. My team includes our Defending Democracy Program, which works to protect democratic elections from cyberattack around the world. We know that skilled and well-financed adversaries have and certainly will continue to attack elections in the U.S. and in other countries, all in the pursuit of their goal of undermining citizen confidence in democracy. Defending democracy and our elections are important to Microsoft, so we spent the last year working on what we as a technology provider can contribute to this effort, and I'm pleased to inform the committee that this week we released a free open-source software development kit called ElectionGuard. Simply put, ElectionGuard technology can enable the most secure and trustworthy elections in the history of the United States. How does it do this? When a vote is cast, it is immediately encrypted so that it can't be seen or changed. The voter then receives a tracking number, and when the election is complete, the voter can go online and check to see, for the first time in history, that their vote was in fact counted and unchanged. ElectionGuard, more than that, also enables anyone,
voting officials, the media, third-party watchdog organizations, to build a verifier application that will let them confirm that the tally is correct and unchanged. All of this can be done without ever decrypting individual votes, through the use of homomorphic encryption, a well-established technology that can count votes without ever decrypting the underlying data. ElectionGuard is designed to work with many of the voting systems in use today, including electronic ballot marking devices or hand-marked paper ballots read by optical scanners, and we have on our roadmap making it work with other forms of elections. We've made this technology free and open to everyone. Microsoft is not making any revenue from ElectionGuard. We've been working closely with all the major U.S. election vendors, encouraging them to build systems with ElectionGuard, and we're excited to report that their response has been uniformly enthusiastic. But there is a significant impediment to the rapid adoption of this and other new voting technologies: the complex and outdated federal election machine certification process. This process is more than a decade old, and it's too slow and too burdensome to enable voting officials to respond as quickly as needed to our agile adversaries. Unfortunately, this means that new machines using ElectionGuard likely will not be certified in time for use in the 2020 national election. This certification process also hinders basic security hygiene. Today, if a voting machine is updated with a minor security patch from a trusted vendor, it will have to go through a full recertification process. This creates a significant disincentive for election officials and vendors to deploy security patches, leaving our elections vulnerable. We're pleased that the Election Assistance Commission is in the process right now of revising these certification rules, and we have to ask all of you to encourage the Commission to adopt soon new rules that enable rapid and agile deployment of new security
technology and basic security hygiene. While we and others in the private sector can contribute technological advances to secure the vote, there is of course an important role for Congress. We agree with Ms. Plunkett's written testimony regarding the urgent need for long-term sustainable funding. This is critically needed to enable election officials to plan ahead, to purchase new equipment rather than letting outdated systems remain active, and to invest in cybersecurity training and staffing that we expect of all critical infrastructure providers. We live in a world with agile enemies who are persistent in their efforts to interfere in our democratic process. Our citizens deserve to be able to cast their vote with confidence that it will be counted without manipulation. We believe ElectionGuard is breakthrough technology that can help achieve this goal. We remain committed to working with government, civil society and the technology sector to take even more steps to ensure that every vote is counted and every voter has confidence in our free and fair elections. The stewardship of our democracy requires nothing less. Thank you, and I look forward to your questions.

Thank you. I thank all the witnesses for their testimony. We'll now proceed under the five-minute rule with questions. I will begin by recognizing myself for five minutes. I'd like to focus initially on one component of our election systems that I find particularly concerning: voter registration databases. The Mueller report concluded that "on approximately June 2016, the Russian intelligence organization GRU compromised the computer network of the Illinois State Board of Elections and gained access to a database containing information on millions of registered Illinois voters." Ms. Plunkett, in this case the Russian hackers successfully breached the databases, but they failed to alter or to delete voting records. My question to you is: if Russian hackers had changed voting records, including deleting voters from the
databases, can you describe the specific possible impacts that could have had on the election?

If they had altered the databases, it would have been devastating. Had they altered the databases, and altering in this case could have been changing records, that could have been deleting records, which would have made it in some cases impossible for voters to vote, to register to vote. Voters could have been turned away. They could have inserted voters erroneously into the database. That could have provided an opportunity for those who shouldn't be voting to vote. So it would have been devastating had that happened.

Thousands or tens of thousands of voters might have turned up at the polls and been turned away because there was no record of their registration, or thousands of nonexistent voters might have voted?

That's correct.

Thank you, Ms. Plunkett. The House-passed appropriations bill contains 600 million dollars in funding for states. It also includes accountability measures. It requires that funding cannot be used to purchase non-qualified voting machines. The Senate's version has only 250 million dollars, with no accountability restrictions. Your written testimony emphasizes the need to reduce, to replace rather, paperless machines and implement robust post-election audits using paper ballots. Now, we saw in 2000 how one county's failure to properly maintain its chads or non-chads held up the entire country, and one county's dereliction could again conceivably hold up the entire country's election, national election. Now, I understand why some states or counties might not want to spend the money necessary to update their election machinery so they can't be hacked, but I was astounded to read recently, a couple of days ago in fact, that states are still buying, spending large amounts of money on voting machines that are electronic, that do not have paper trails, that are unaudited and vulnerable to hacking. So my question is, aside from the obvious necessity of appropriating
money to update our election machinery so that we have hack-proof machines that cannot be tampered with from the outside and that leave auditable trails, these paper trails, do you think that the federal government should mandate this? Because after all, the federal elections are premised on accurate counts in every state and county. Should we mandate, as well as providing the funds for, modern election technology, so that we can be sure that no foreign actor is in fact hacking, in fact fouling up our vote, and perhaps even doing so and leaving no trails that you do it later?

So what was me to make a comment about federal and state roles and responsibilities, but here's what I'd say, sir: it is incumbent upon every state to institute the appropriate security measures and make sure that their technology is the most robust available in order to protect the democracy in their election and votes. And I believe that there's a role for the federal government in this space that starts with requiring that vendors follow certain security standards in the production and delivery and maintenance of the equipment that these states are using. So that would thereby standardize at least the security of those systems, everything from, you know, auditing and database management to go on the back end should something happen to the systems report.

Obviously, if the federal government mandated that only proper machines could be made, then new purchases would only be of proper machines. In the five seconds I've got left, do any of the other witnesses want to comment on whether they think it necessary for the federal government to mandate that existing machines be replaced in time for the next election, so that we can guarantee an election unhacked, either from Moscow or someplace else?

We think, as the Election Assistance Commission is revising its standards for certification, there's an opportunity there to inject standards for the
security of devices to be certified. And I would caution, though, that we must be careful not to specify specific technological solutions, because our enemies move very quickly. We need to be agile in response. But to have basic security guidelines that are part of that certification process would be an advance on the current state and would help us secure our elections.

Thank you, Chairman. I just want to say that I think you've mentioned a lot of the areas that we need to invest. You talked about voter registration systems, you talked about, I think you talked about sensors, intrusion detection sensors, and all kinds of other things. So what I'd like to see is that we define a continuum, a number of different things that are critical priorities, but allow the states, who know best what's the most critical need in their state, to decide what the best use of those funds are.

Thank you very much. My time has expired. The gentleman from Colorado.

Thank you, Mr. Chairman. Mr. Burt, I'm interested in the ElectionGuard technology that you were talking about earlier, and one of the interests I have is that the United States wasn't the only country that Russia targeted in the last decade. It's clear that Russia tried to impugn the integrity of the Brexit vote, the Scottish independence vote, had been involved in Spain with the Catalonia independence movement. Will Microsoft make ElectionGuard available to our allies, foreign countries, or something similar, so that we can try to make sure that democracies across the world have elections that are considered by their people to have integrity?

Yes, that's absolutely our plan, Congressman. As you may know, our AccountGuard service, which we offer for free to help protect campaigns against being hacked, we've extended that now to 26 countries around the world, and we intend to do the same with ElectionGuard technology as well. It is a free open-source project, so any vendor in any country is free to take that technology and build it into
election systems. We work to expand our protections to all democracies committed to free and fair elections.

And Mr. Burt, one of the things I'm interested in is exactly, you've used the word agile a number of times, and I'm assuming that there is a distinction between hardware and software when you're talking about agility, and I'm wondering if you could just explain that. Well, when the Chairman talks about, and rightfully, you know, updating systems, I think we're in large part talking about hardware. I want to make sure that we have hardware that's compatible with whatever the software is that we need to be agile with.

Yes, it's absolutely important that both hardware and software be the most secure current engineering, and there's work to do, frankly, on both sides of that. But most importantly, for most of these systems, it's the ability to update software. As I mentioned in my written testimony, we just announced recently that we are going to provide free security updates to Windows 7 election voting devices, because we discovered that there are many of those devices still in operation around the country, even though that's decades-old technology and it reaches its end of life this January for most customers. But because of the importance of securing our vote, we are providing for free those security updates through the end of 2020. The challenge, though, is, as I mentioned earlier, with current regulations it's actually very difficult and burdensome for local officials to even apply security patches to their devices. So we need to work on both the software and hardware side of the equation to ensure that we can be agile in adopting the best technology to defend against these attacks.

So for old folks like me, we think that if it's not on paper, it's not secure and it's not believable. And I just want to open this up for the young folks on the panel here, if you have an opinion on how we convince the American public, because that's really the audience in this case, is making
sure the American public understands we're doing everything we can to make elections credible. How do we convince the American public that something that we can't see, that, that exists out there somewhere, is just as good as a paper ballot and, and being able to see something on paper? If I could start off, and at least I'll claim to be young at heart, Congressman. Um, there are two really important things we can do to help establish that trust, and one, which you've heard about from others, which we absolutely endorse at Microsoft, is the existence of a paper backup, at least, that can be used in risk-limiting audits. And in fact our ElectionGuard technology supports an advanced form of risk-limiting audits, which enables voting officials to audit the outcome after the vote and show that it wasn't tampered with. So that's one important thing, is the application of audits and the maintenance of at least a paper backup, so that you always have that as a resource to go to. But again, if we can get to a world where the ElectionGuard technology is broadly adopted, that provides a whole new form of voter trust, because now voters will be able to, for the very first time, actually see that their vote counted and wasn't changed. Today, I'm from Washington State, we can't, I have no idea whether the ballot mark was ever actually counted or not. With this technology, voters will know, which should help establish voter trust. Thank you. And Mr. Chairman, I don't often do this, but I wanted to thank you for holding this hearing. I think this is beneficial. I think it has very little to do with partisanship. I think it's important for everybody on all, on both sides of the aisle and all around the country to make sure we have this integrity, so thank you very much. The gentleman's time has expired. The gentlelady from Texas. Thank you, Mr.
Chairman. Let me add my appreciation for this very crucial hearing as well. Thank you to all of the witnesses. Let me ask one question from each of you with a yes or no answer. Do you think it is important for there to be governmental involvement in a regulatory structure in review of the technologies as we move toward the upcoming elections as quickly as possible? Ms. Plunkett? Secretary Boockvar? Yes. And Mr. Burt? Yes, I do. Let me ask Ms. Plunkett, with respect to the 2016 election, and the Russian GRU officers compromised a computer network of the Illinois State Board of Elections and gained access to a database containing information on millions of registered Illinois voters. The Russian GRU officers were able to steal data of thousands of US voters before Illinois was aware of the hack. If Russia had succeeded in all these efforts, can you explain how attacking voter registration software and electronic polling stations can impact an election? Certainly. Since the foundation of the voter system begins with read the registration databases, which validates that a voter is, is eligible to cast a vote, should that database be altered in any way, whether it be destroyed or deleted or additions made to it, it could jeopardize the ability of a citizen, of the legitimate system citizen who has the right to vote, from voting, and would certainly alter the outcome of the election, because it would prevent those who should be able to vote from casting their votes. In essence, it would undermine the very basis of our democracy. That's correct. Mr.
Burt, you've mentioned the ElectionGuard. We are all fascinated by that. It's outstanding technology. But in your marketing to the entire world, I'm not sure what kind of litmus test you're going to use to determine whether or not it is a democratic government, and what is the potential of innocent democratic governments now giving technology of that level of sophistication to be utilized then to hack into the system? What are the protections and the firewalls on your system if by chance you sell it to an enemy, all right, enemy? Congresswoman, we're actually being quite deliberate and careful about the countries to which we expand our, our services. But let me be clear about ElectionGuard. It's an open source project that anyone can access, and that actually leads to the security, because as people find any flaws or security flaws in the software, it can be updated. What's important to understand is that this technology is not capable of being used as an offensive weapon. It, what it does is secure the vote. What it does is ensure that votes are encrypted and can't be changed or altered, and it ensures that the vote can be verified and that the count can be properly verified by individual voters and by any third party. So to the extent that this technology is deployed even in countries that we would not consider an ally, it just means that their votes are going to be more trustworthy. The ability to breach or to hack into the votes of another country? That's correct. Let me ask the Secretary, Boockvar, what is the importance of having a variety of technologies that states can have access to than the limited number of vendors that we already have in terms of protecting the election process? So I think one of the, one of the, that we have decentralized systems have their advantages and disadvantages, but having the variety of technology is definitely an advantage, because the likelihood of the ability to breach all the different technologies is certainly harder than if you had one uniform
across the board. So it's key to keep the diversity of our system. You only have, I think someone mentioned, three, and so having us be able to certify, or legislation that deals with expanding that opportunity, would also enhance the security and safety of elections. Let me, you're all lawyers, and in the past election, 2016, we've determined that there are a lot of foreign operatives. Do you think it's important to have legislation that indicates that if you, elected official or a candidate, are approached by a foreign adversary, that you need to report that immediately to an organization, agencies such as the FBI? Ms. Plunkett? I'm just asking everybody across the board. Yes. Yes as well. Burt? Certainly. I ask unanimous consent to place into the record a chart 23:53 I am. Can an effective deceptive campaign spoofing attack be deployed through user search engine requests? I'll repeat it. Can an effective deceptive campaign spoofing attack be deployed through user search engine requests? You just answer the question. Burt? The time of the gentlelady has expired. The witnesses may answer the question. Yes, that's possible, although the more fulsome answer would take a considerable period of time in terms of how that would work and how we can defend against it. I agree. Yes. All right, thank you. The gentlelady yields back. [Music] The gentleman from Florida. Thank you, Mr.
Chairman. I'd like to associate myself with the comments of the gentlelady from Texas and gentleman from Colorado that election security issues must be viewed as a bipartisan endeavor for us to be able to make progress, and all voters deserve to have confidence in that process. I must say it was a little disheartening that the Chairman began the hearing by taking a bunch of partisan shots at the President. I don't understand how that is helpful to the work that we're doing here, and really thinking in terms of the value of elections most broadly, I fear that the greatest risk to our democracy may not be hacks or interference with the vote. It may be the efforts by radical Democrats to try to impeach a president who was duly elected. That seems to undo elections a lot more than hacking. But alas, back to this important work of the committee. I wanted to thank Congresswoman Murphy as the lead, but also our colleagues on the Judiciary Committee, Mr. Deutch and Ms. Mucarsel-Powell from Florida, for co-authoring H.R. 3529, and this bipartisan legislation requires the head of Department of Homeland Security to notify state and local election officials in the event of some intrusion or hack. And so my question is really to any of the members of the panel, to speak to the utility and importance of real-time coordination in the event of an intrusion, and how you might see state and local officials working cooperatively and proactively with the federal government in such an endeavor. I'd love to take a crack at that. Thank you, Congressman. I, it's critically important, that collaboration at the state, local and federal level, and we saw it in Pennsylvania last year. In November of 2018's election we were connected across the country to other states and to the federal government, getting real-time information about things that were being seen in other, in other states, and we could not only take stuff, for example, there were attempts to hack into, you know, to send DDoS types of interruptions in other states.
IP addresses were identified, passed along to other states. We then in turn were connected across the state to the 67 counties, could pass along those IP addresses. They could block it proactively before having to help, so that it was literally in-action collaboration that protected our elections. So, and we, that kind of thing, both before, during and after, is critical in order to make sure that we have the most secure elections possible. Congressman, if I may, in 2018, under the, the direction of Director Krebs from CISA, there was a war room established at the federal level to which technology providers, state and local officials were all invited. We participated in that, and that was a good step forward. But what you suggest is absolutely critical. I agree that the, the more efficient we can have communication between all federal agencies who are aware of attacks in real time with state and local officials, and also leading technology providers who stand ready to assist with this effort of protecting our elections, the better it can be. So we need to improve and expand on that rapid real-time sharing of threat information at the time of the election and, and before then. I agree with both, and I just also add it's critically important, and I think a good role for the government, to create the environment where information sharing can happen without restrictions in a smooth and precise and expeditious manner, such that everyone who needs the information can get it and it's presented in a usable fashion. And I would not limit that to state and local and federal. As I, has already been stated, vendors, you know, there are very good threat intelligence organizations that are, that are, that are doing a great job in uncovering good information that needs to be a part of this dialogue. That is incredibly helpful advice, especially when I think about the experiences in Florida, where, you know, hackers masquerade as the vendors, so they would seem to be an important part of that community, and that's very
helpful. I would also observe that there, there seems to be some confusion in Florida as to the extent to which any hack could lead to voter manipulation in future elections, not based on changing the tallies of the votes but by potentially manipulating someone's name. I'm Matthew Louis Gaetz II, but if and changed my name to just Matt Gaetz on the voter rolls, potentially I would have a hard time having my vote counted. And so this may be a broader question than, than you're able to answer, but I am interested, and I think the Judiciary Committee could perhaps partner with others, on the utility of blockchain technology to enhance the security of elections, because in an immutable decentralized ledger I would think that such a manipulation of the voter rolls themselves would be less likely. I would seek any comment anyone would have. I appreciate the chair's indulgence. I think there's great, there is certainly the opportunity for blockchain to be relevant in this space, but if we think now about the American public in their understanding of voting and voting systems, we are talking about paper ballots as a backup, and generally people understand that blockchain technology is very complicated and is untested. I know it's being tested in West Virginia, as I understand it. So I think there's possibility, but it's not something that I think is ready for use for a general or primary election. Thank you, Madam Chair, and thank the witnesses for your appearance today and for your testimony. Ms. Plunkett, the Center for American Progress recently reported that, quote, voting on paper is the most hack-proof way of conducting elections. And you agree with that, do you not, today? Yes, I do. And what about you, Ms. Boockvar? Absolutely, at least with a paper record, I should say. Mm-hmm. And Mr.
Burt? Well, I would say that we actually believe that ElectionGuard provides an even more hack-proof way of voting, but paper, as at least a backup or as a primary, because the technology would support either, is important to maintaining the security of our elections. Mm-hmm. So when we talk about a paper ballot, we're talking about a hand-marked paper ballot, is that right, Ms. Plunkett? It does not necessarily have to be hand marked, but it should be, there should be a piece of paper involved. If the paper involved is produced by a touchscreen voting machine, and that piece of paper also has a barcode along with the races that the voter voted on, and this paper that the machine produces with the barcode is given to the voter, who can then check it, make sure that it reflects accurately what choices were made by that voter, and then that piece of paper is then scanned into a counting machine, which counts not the actual choices made by the voter but the barcode on top, that's the kind of paper ballot are you talking, that you're talking about? I don't know about the barcode PSA, so. I think I can answer that. So for example, and that's where audits come in, right? So for example, we're developing a process in Pennsylvania where, I guess the question that I'm asking, if, if it's the barcode that's, that is counted and not the box that is identified as the one that was checked by the voter, how does the voter know that the barcode which is counted actually reflects the choices that the voter made? Or does the voter just simply have to depend on the barcode to accurately reflect? How can, how can we get around that if, if we're counting the barcode and not counting the hand-marked paper ballot? So most, most systems, whether they're hand-marked paper ballot or ballot marking devices, use some form of mark for the tabulation process, whether it's a barcode, a QR code, or timing marks, which some of the hand-marked paper ballots use. So there's basically triggers in the tabulator, and then the audit, and you're able to
actually count the hand-marked ballot by hand? Exactly. That's what the audit or a recount would do, would look at the plain-text language on that, and it can compare the tabulation numbers. Compared, yes, with the hand-marked ballot, is the, is the way that produces an auditable trail. But the ballot that is counted by the barcode and is not hand filled out, it's just simply a further extension of the mechanics of the computerized voting. If I may, Congressman. So in the context we are talking about, the barcode, that paper still shows the specific individual votes, which the voter in a well-run system has had an opportunity to verify, the check marks in the boxes. So now you've got, um, not the ones that are counted. I understand. What I'm saying is, even if it's not hand marked, if it's marked by the machine but the voter has verified those boxes, now you have a paper ballot that's verified that we use for counting. How does the voter verify the barcode or the counting mechanism, that really reflects the choices that the voter has made? Yes, so that is part of the audit process that can be performed by looking at the tally against the audited subset of ballots that's, that's selected for the audit, looking not at the barcode in this case but looking at the boxes that are checked. So the audit system provides me, let me just say this then. Isn't it clear that a hand-marked paper ballot that is then fed into a counting machine, which counts that tally along with the other voters, and then at the end of the voting process, if a, if there is a recount, then you can actually count the paper ballot, the hand-marked paper ballot, by hand and compare that to the tally that was produced by the counting machine, doesn't that provide the most effective way of auditing the results of an election? I would say that it's not important whether the ballot was hand marked or marked by a machine, as long as the voter gets the opportunity to verify that what they see on the ballot is what they intended before they deposit it
in the ballot box. Either way, whether it's my hand marking or the machine that checks the box, you have a clear representation of the voter intent, and in fact, in the machine-checked box, sometimes that's clearer. As you know, with hand-marked ballots there's often disputes about what a voter actually intended with the marking, depending on the system. And I think the gentleman. Thank you, Madam Chair. I'm, if I have time, I'm gonna come back to this, but Mr. Burt, in your written testimony you mentioned, you talked about future threats, and one of those was deep fakes and synthetic media being a future threat. I'm an old state party chairman. I understand how in the last 10 days of a close election things escalate extremely quickly. Just why is this such a threat, and what, what can we do to, to deal with it on the front end? I mean, I've seen some, I think our colleagues, they did one yesterday, and another word to say other than creepy, and they look absolutely legitimate, so. Well, Congressman, that's exactly why it's such a threat. We know that our adversaries, among other things, engage in disinformation campaigns in which they attempt to take the extreme positions on social issues relevant to the campaign, and they try to incite conflict among the American electorate. They seek to discredit candidates or positions through their disinformation campaigns, and we should anticipate that they are going to become more sophisticated in their efforts. Synthetic media, or deep fakes as it's called regularly, the technology that enables that, both in terms of audio and video, is advancing rapidly, and as you point out, it's now possible with the most advanced technology to really create videos that appear to be entirely realistic. There's a lot of research that's going into detection technology, how to detect these deep fake videos and show that they are artificial and not real, but at the end of the day the technology to create the videos, because of the way the artificial intelligence works, will always be ahead of any
detection algorithm. So the opportunity for our adversaries to use this technology to try to influence a campaign or an election is very real, and today, as it stands right now, we don't have a great answer to that, other than to educate the American public that it's going to be even more important now than it's been in the past that they consume the information that they use to make election decisions from sources they believe are credible. And there are a number of services out that try to rank and rate various sources to determine, is this a journalistically credible source or not. But in today's world that's going to become even more important. Thank you. I get criticized for a lot of things I say, so I'd prefer that I not get criticized by things people make up that I say. But moving into that, I mean, as far as a defense, defense to that as we're going forward, is probably, I mean, if the technology is advancing faster than the detection of it, it probably behooves us as a body, and whoever else is doing some of these things, to figure out a way, particularly with platforms and things, to be able to have immediate, immediate removal and those types of efforts. Would that probably be, I mean, just as we're moving forward and going towards this, there has to be a, I mean, we have to have a way, as a Congress or as a government or just as an election, to be able to deal with these things. Yes, in the short term I think using available detection technologies, working with the social media platforms and the others to try to identify those that are originated from adversaries, which is, you know, cybersecurity technology we can deploy, those are gonna be the best things we can do for this election cycle. We and others are investing in a number of different efforts to try to come up with better ways both to detect and to identify legitimate sources of video and audio, so that over time we will have a better approach to solving this challenge. But it is going to be a real challenge for us in the 2020
elections. Then going back to the encryption stuff, and how does the broader election or encryption debate potentially affect encryption and ElectionGuard? I mean, if a government has a backdoor access, it's a backdoor that, I mean, potentially could be exploited, I mean, and that creates, could create a built-in, I mean, weakness and imbalance. How do we balance law enforcement and the ability to do that with cybersecurity? So this is a broader question that goes beyond the election context. In the election context, the encryption that we build into ElectionGuard would never have a backdoor. There would be no purpose to have the backdoor, and it actually would reveal voter-specific votes, which you don't want to do for a variety of reasons. In the more broader context, this is a very nuanced discussion. There was a recent paper from the Carnegie Institute that I thought was very well done in, in talking about the broad range of issues relevant to encryption: law enforcement access, protection of, of dissidents, for example, the legitimate uses for encryption, why that's important. And one of the things that paper said, which we absolutely endorse, it's important to get very specific about the problem you're trying to address, and look at that problem and how to properly balance all the competing interests as to that problem. There is no general approach to encryption that doesn't create way too many problems. So we need to be very specific, look at those specific things, and then balance the social issues to find the right result, and then that's going to be some work that we all have to do, the technology industry together with government. The gentleman's time has expired. The gentleman from Rhode Island. Thank you, Mr.
Chairman. Thank you to our witnesses. It's very useful and important testimony. One of the things that I'm particularly concerned about is the regulation of vendors. As you are aware, a large percentage, I think it's 97 percent, of states and territories use vendors in some capacity, from the computers they use to access information, to the servers that house information, the management of databases that contain information, to cast and tally votes, websites and software used to display information results, to the software that creates ballot design, helps transfer information across systems. And three vendors in particular control over 90% of this process. Of those three, over 60% of American voters cast ballots on systems owned and operated by a single vendor. And despite the incredible impact of vendors on our electoral system, there seems to be very little regulation over vendors that really ensures election security, and as a result of that I think we've seen some very serious issues with vendor security. So my first question, really, is for each of the witnesses, is, should we consider regulations at the federal level and creating some standards for vendors, and if, if so, why, if not, why not? I absolutely agree that, believe that we should, because elections and election systems are a national security threat, and for national security threats that has been the approach of the US government. It is to develop federal standards, and in this case with the federal security standards for election equipment that range, that really run the gamut from how the environment in which the software is developed and ensuring that it's developed in a secure manner, input and appropriately protected, straight through to the implementation and maintenance, and then the responsibility for reporting any, any vulnerabilities that are discovered even after that software and hardware is deployed. I think it is, absolutely should be done, and I believe it's a role for the federal government. I agree on every level, and you know,
we have the Election Assistance Commission, which does certification, but as you probably know, EAC has been underfunded, but they also were unable to update their standards, the voluntary VVSG standards, for a long time. It didn't have a quorum. So for example, in Pennsylvania we had to, we stepped in, and last year, when we knew we had to certify a whole bunch of voting systems, we actually created our own more stringent security standards, because we didn't want to rely on the outdated ones. So it would be much more effective if the federal government were having stronger oversight, both to standards and then to oversight of, for example, we talked earlier about the foreign ownership, background checks, and making sure that there's chain of custody controls over every component of the voting and election system. And to make those standards requirements, not voluntary? Correct. And Congressman, if I may add, I think we're all in agreement on that, with the one caveat that it's important that the standards not dictate any particular technology, technology or technological solution, because that then sticks the states and local governments with a particular solution. If that becomes vulnerable, then it would take too much time to change. So they need to be generalized standards, so that there are, there can be innovation in terms of the technology approach that's used to meet those standards. That makes sense. In addition to the establishment of mandatory standards, are there other things Congress should be thinking about with respect to the role vendors play in our electoral process and the integrity of our elections? One thing, that is another one of the, of the future threats that I think the vendors can be playing a more significant role, is the, the risk of ransomware, a ransomware attack especially on the voter registration rolls. This is something that Director Krebs from CISA had pointed out a few weeks ago, after this whole rash of ransomware attacks we've seen on small municipalities around
the country, ten in Texas alone relatively recently, the risk that our adversaries will use that same malware, inject it into the voter registration devices, and basically you'll show up on the day of the election and the entire database will be locked up and you can't see it. That's a significant risk. So vendors need to work with their customers to help them understand how to establish defenses, how to have and build into the system backups that are offline backups, and do tabletop exercises so that state and local officials know how to restore those systems very rapidly, so there's no interruption of the voting process in the event that everything else that we do to try to maintain security is unsuccessful. Thank you. I want to thank you, Mr. Chairman, for holding this really important hearing. There's nothing more fundamental than protecting the right of the American people to have their voices heard and their, their votes counted in our elections, and this requires strong leadership from everyone at every level of government, and I really thank you for conducting this hearing. Thank you. The gentleman yields back. The gentleman from Texas. Thank you, Mr.
Chairman. I appreciate you all being here. I noted that the Chairman said basically that he was astounded to find counties still buying machines with no paper trail. Ms. Plunkett, were you at the NSA back in 2000, 2001? Yes, I was. Do you remember who mandated that every county or parish in America buy electronic voting machines, and there was no requirement for paper trails because that was more expensive? Do you remember who mandated that? No, I do not. Well, that, I was working for the state and county as a judge, and counties were outraged that they had an unfunded mandate by this Congress, that some people here were in. Democrats intimidated Republicans because of the votes in Florida, even though there were fifth graders tested and none of them had trouble with the butterfly ballots and such. Apparently people that were trying to vote Democrat had a lot of trouble with them. So there was outrage, there was demand for electronic voting, and the federal government, Congress, mandated, and it was very, very difficult for counties, many counties, to come out of the financial burden that this Congress put on them, and so if some of them have had trouble recovering financially for the poor. Finally got mad and went and bought an Apple. It was a Mac. It was the best thing I ever did about dozen cents, but when I was in Congress I wanted a Mac and I got one, but Microsoft system is what things are based on here. It screwed up my computer, and they said, look, you just can't have a Mac if you're gonna communicate with other computers around it. So I just didn't know it, and I understand that your job is security and trust with Microsoft, so maybe they hadn't told you, but is there any backdoor into ElectionGuard that Microsoft might have in order to fix or deal with some problem in the system? Absolutely not, Congressman. There is no, as you know. Well, not only did, as far as I know, but it was my team that did the engineering work on this ElectionGuard, and so I'm confident there is no backdoor. The other thing I
would say again is we are making it an open-source project, so the source code is available today on GitHub for anybody to look at, and we actually encourage hackers to try to hack into it so that we can find any security flaws and fix them. And one of the problems, since really we're all very concerned about election security, no matter how good your system is, it can't do anything about a county that hires a vendor, as my colleague was just bringing up, and the vendor, at the end of our early voting on Friday before the election on Tuesday, takes the 48 flash drives from the 48 precincts home and plays with them until Election Day. Your system can't help with that kind of problem, correct? Actually, Congressman, the ElectionGuard technology, the way it works, actually provides security and trustworthiness even if you have a vendor or an election official who's been compromised or has some ill intent, because the vote gets encrypted the moment that the voter votes on it and is never decrypted after that. Yeah, so it's protected against any of those kinds of attacks on, and then phishing, if it's protected against that kind of, then a county may not want to use your system if they need a vendor to take them home and play with them. But I'm concerned that each of you think it is possible to rig an American election, and if that's the case, I just warn you that in President Obama's eyes that would make you a non-serious person, because he said no serious person out there would suggest somehow you could even rig America's elections. And I would encourage you, since traditionally dead people vote nearly a hundred percent Democrat, did you figure out a way to secure our graveyard so people don't keep turning out and voting in our elections? My time's expired. The gentleman's time has expired. The gentlelady from Washington. Thank you, Mr.
Chairman, and thank you all for being here. It's really, I think, very important, the information that you're giving to us. As I've come to learn more about this issue, I've been quite stunned that the United States is currently the only major democracy without a centralized agency governing cybersecurity, and although we have multiple federal agencies that have some role to play in protecting elections, there's no clear place that a local county that's concerned about hacking can go to. I read this recent UK report that explains that there are single centralized cybersecurity agencies coordinating national security in Australia, Canada and New Zealand, but the same report notes that in the United States, international cybersecurity efforts must go through multiple US agencies, including the NSA, DHS and the FBI. And so I'm really interested in this idea of centralized and cohesive coordination of our nation's cybersecurity to better protect from foreign and domestic threats. Mr. Burt, I want to thank you for your work and say how proud I am that Washington State is Microsoft's home state and that I have the honor of representing many, many, many Microsoft workers as my constituents, and I think you have brought up some really, you've done some really important work with the ElectionGuard technology. I'm curious, I know you just released it. Is it actually in use anywhere yet? Are we using it in Washington, I guess, is the most relevant question. No, it's not yet in use anywhere, because, as you say, we just released it for public use just in the last few days. We are working with all the major election, well, we're working with all the election vendors. They're all very enthusiastic. They're in the process now of evaluating the technology and thinking about how they could build it into new offerings, new devices, and so we need both the election vendors as well as state and local officials to understand the technology, think about how they can use it to secure their election, and we're out, you know,
actively helping explain and educate that we do expect that either later this year or certainly in 2020 there will be we're working with a number of partners on some at least pilot elections where we'll be used for a certain precinct or in a certain location so that we can actually test the technology make sure that it's working as expected in hopefully in the coming months and certainly by 2020 thank you that's what I was wondering is perhaps if we were pilot testing it and in Washington in your testimony you talked about imposing a culture of cyber security including training and I was also struck by the fact that many of the existing voting systems we're using Windows 7 in your testimony you talked about or in your written statement you talked about that how do we and maybe this is a question for you but also for you Ms. Boockvar how do we make sure that we are providing the support and incentivizing in some way States and local counties to update their technology because we can have the best stuff and we can put it out there but if people don't continue to update we're gonna have this problem but do either of you have comments on that well I think you've heard a number of comments that addressed that already today from the testimony I would say we basically endorse the the comments from both of the other witnesses which is among other things a set of consistent federal standards on security for elections would be useful useful guidance but you also need to a sustained durable long-term funding solution so that state and local agencies are not stuck because of financial considerations with outdated technology this is just too important to our democracy we need to make sure that we have the most secure systems possible in every state and local election is it just about money though or is it is it also about you know people's fear of how to use technology not perhaps having their technology officers in place either of you there's a role really for lots of 
different pieces of the puzzle here so from everything from we were sorry about that we were talking earlier about how it would have been great if the new systems for example in Pennsylvania that we just certified over the last year they should it would have been great if they were never made with Windows 7 so that there was an earlier you know sort of prevention measure in place that just involves regulation at the front end but then you know I think at the county level and at the state level and at the federal level to have easier certification so when there is the transition in the upgrade of technology we need to be able to make sure that those systems can be in use without being out of play for a while so there's a lot of different levels of it you mean made with Windows 7 as this because things have an operating system within them but what do you mean by that so that's their operating system base so for example it would have been great if all of the systems that were even being made over the last year were already Windows 10 somewhere somewhere they were updated as they were being put out correct and the counties you know so we there were negotiations in terms of the money piece there were negotiations with the vendors to make sure that they weren't going to charge for the upgrade but it would have been better if there was never a need for upgrade because they had been made with Windows 10 to begin with thank you the gentlelady yields back the generally the gentleman from Virginia thank you Mr. 
chairman and I'm grateful to you and for holding this hearing today it's it's an issue that has been in need of examination for some time and I'm hopeful that after today's hearing we'll be able to act on some of the excellent ideas that have been discussed this morning and many others that have been put forward by members on this committee while the responsibility of carrying out elections is one mainly for local and state governments the federal government does have a critical role to play as has been discussed it's a fact that other countries are trying to interfere in U.S. elections Russia most notably and we must remain vigilant to ensure that foreign adversaries cannot meddle in our electoral process new threats will never cease and our nation must stay on the cutting edge to ensure our elections remain secure our laws guarantee the American people just and fair elections and it's our duty to carry out that mandate and resist all forms of tyranny that threaten our freedom I have listened with interest it seems like we're moving in two different directions one toward less technology paper ballots one toward more use of technology decentralization blockchain I'm curious about real-time testing of blockchain in West Virginia Ms. Boockvar your neighboring state West Virginia had apparent success in in the midterms and using blockchain to allow deployed overseas service members to vote have you explored any similar initiatives in Pennsylvania and what have you done to ensure that overseas deployed service members can vote so we have not explored directly we are I think across the country we're very closely talking with Virginia with West Virginia and watching how this goes I think it did seem that the first run of it was successful but I think like we all know there's there's a lot of risks with using untested technology so I think that's going to be something to watch over time in the meantime we are sorry we are effectuating an encrypted email process that's going 
to be used for the first time I'm sorry I lost my voice but that's going to be used that's going to allow instead of having to access a website encrypted emails for delivery of the ballot to the voters and that's kind of our next act wait to protect the vote overseas of overseas voters Mr. Burt your technology seems to ElectionGuard seems to utilize both ends of the spectrum there you you're having a paper ballot back up but but exploring open source solutions do you still are you researching efforts to replace paper ballots design and create additional software efforts that could replace paper ballots or you of the mind that you should always have that paper ballot backup so our view is that whether paper ballot is the backup or primary either way the ElectionGuard technology can help provide this level of security and end-to-end verifiability we've designed it so that it will work with paper ballots in either way but our position is that today it's important to have a verified paper ballot backup at a minimum to use for risk limiting audits and have it available in the worst case so that you can do a hand count if necessary so we think and our technology supports that as well so we think it's important if I just may comment quickly on blockchain our researchers who look really carefully at election based technology do not think blockchain is a great solution for a nationwide election we're very interested in the West Virginia experiment will continue look at that but it has a very specific focus which it may be useful for for the most part there are two big problems with blockchain it's a distributed ledger and you really need to have a leader which we have leaders now with the state and local election officials who establish what the rules are for voting and for who's on the ballot is not so there's challenges with blockchain technology inherently and furthermore on a nationwide level it would not maintain the degree of security and privacy in each 
individual's vote that is critical to our national elections you've been working globally on this effort have you seen in other countries any evidence that of hackers and whether you're working in other countries on those issues has led directly to denying hackers an option to penetrate election infrastructure so the work that we've done globally so far has been with our AccountGuard service where we monitor nation state actors attempting to hack into the accounts of candidates or others involved in election process including third parties academics and NGOs and what we have seen is that there are attacks in many other countries we saw it in a number of the ones that Chairman Nadler referenced in his opening statement we saw it as well in the French presidential election following ours in 2016 so this pattern of conduct by the Russians but potentially by other nation states is absolutely continuing in multiple different countries thank you witnesses the time of the gentleman has expired the gentleman from Maryland Mr. 
chair thank you in 2016 Vladimir Putin assessed the Russian posture vis-à-vis other countries he realized he could not defeat liberal democracies militarily or economically but he convened the equivalent of a Manhattan Project for electronic subversion of the cyber elections and the social media of democratic countries and so from prior hearings I've learned it was a three-pronged attack part of it was on the social media there was an effort to inject racial propaganda and other kinds of ideological poison into Facebook and Twitter and so on two there was a direct effort to hack into the DNC the DCCC Hillary Clinton's emails we're aware of that and had testimony about that and the third part was to go right to the state boards of Elections to try to get into the those systems and I want to ask a couple questions about that I understand that they made their most progress in terms of the Illinois system actually got into the voter registration database although they were not able apparently they tried but they were not able to nullify the existence of voters on the database what might have happened had they been able to do that and how secure are we against that - in a similar attack in 2020 Ms. Boockvar so the way it's been described to me is what they did was kind of like you know if you're a thief and you go around a neighborhood and you try to figure out which houses have unlocked doors or windows which are the easiest to break into and when they're locked you move on to the next one so they scanned a bunch of states found most of the doors windows locked and moved on to the next and I think that that's why we were successful at not having a worse situation it could have been as has been discussed previously it could have been devastating remember the National Association of Secretaries of State correct how secure are the states already are we people ask me all the time how ready are we but we don't have one system we have at least 50 systems right or 51 
systems all over the country I think we are absolutely in a much better place than we were two years ago and I think the designation of elections as critical infrastructure was a big start to that I think we still have a ways to go and that's why I'm really interested congressman on making sure that we don't focus entirely on voting systems voting systems are really important but we need to be funding replacement of voter registration systems intrusion detection systems making sure that the counties have the cyber protections the passwords the you know multi-factor authentication those are just as important as the voting systems and we need to you know recognize that Ms. Plunkett would we be safer in protecting our presidential elections which are obviously the biggest magnet and target for foreign actors would we be better off if we had mmm one national popular vote in electoral system for president or are we better off using the current electoral college system where we have a state-by-state voting and we've got to protect all those different systems what's most important is that we have the right protect whatever whichever system we would choose to use what's most important is that we have the right security protections in place and with the right security protections in place either work equally effectively I believe okay and Mr. 
Burt but I was very cheered to to hear your testimony are are you telling us that we essentially have a technological fix to the problem of security of the actual voting systems themselves yes congressman we think the ElectionGuard technology once it's implemented in devices and those devices have been adopted will provide a high degree of security and more importantly will provide this end-to-end verifiability which will enable individual voters and voting officials to be able to trust the outcome with the ability to have audits as a backup to add a layer of verifiability and trust in the system and it will promote a lot more confidence in the reliability of the results yes ultimately it would provide a much greater degree of confidence in the outcome in part because individual voters for the first time will see that their vote actually was counted yeah I mean all of you have emphasized that our electoral integrity is a matter of national security and if you think about it well why does Vladimir Putin and Prime Minister Orbán in Hungary and Duterte and all the authoritarians and despots the dictators want to destabilize our elections it's because they want to destroy people's faith and confidence in democracy they would like everything to be about authoritarian despots who just make deals around the world and go and corrupt each other's elections and interfere in each other's governments I yield back thank you gentleman yields back the gentleman from Pennsylvania thank you Mr. chairman Mr. 
Burt thanks for coming in today and thanks for all you're doing to make our election safe and protecting democracy I just wanted to see if you'd like to speak about why Microsoft got into the election space and just generally speak say there's anything where you want to elaborate on ElectionGuard absolutely and this goes to a number of the questions about how we got to where we're at today we need to keep in mind that our foreign adversaries efforts to intervene in our elections is a relatively new phenomenon and the process for certifying devices and so forth is an older phenomenon so this is something that the entire election community is reacting to in a relatively short period of time from Microsoft this started in 2016 during the Democratic National Convention when our security team saw that a group that we call Strontium and we now know from the Mueller indictment is a Russian organization operated by the GRU the same group when we saw that organization registering a bunch of fake Microsoft domains domain names websites that look like they were Microsoft but really were not and because of the timing we immediately took action and ultimately actually went to court and we've been in a battle with that same organization now over several years in court where every time they register fake domains or use them to try to steal credentials we go to court get an order we take those down and direct all of that traffic to our own sinkhole at our Digital Crimes Unit so we're in a constant technological battle with that organization it started then and then as we fast forward over the next year I had a conversation with our president my boss Brad Smith and we talked about the obligation we have as a company a company based in a democracy founded in a democracy to help protect however we can those democratic institutions and our voting process as a core democratic institution and that's when we founded our Defending Democracy Program which we're going to continue to 
invest in and advance in coming years I thank you Mr. Burt I really appreciate how you're doing and with that I would yield the remainder of my time to my friend and colleague from Florida thank the gentleman for yielding Mr. chairman I initially have a unanimous consent request that H.R. 3529 the bipartisan election security legislation I referenced earlier be entered into the record without objection thank you I want to return to this issue of paper ballots versus blockchain technology and I know that we all like they have a lot to learn on that Mr. Burt do you view blockchain technology as potentially being more applicable to the voter rolls and the maintenance of the rolls and ensuring that there's no manipulation of those than to the actual vote itself or would you the technology as applicable or inapplicable to those two silos of election data separately so I think you do need to evaluate those two things separately because they really are different problem sets right so you need to look at the problem set and what you're trying to address and there's two different problem sets between voting where we don't think blockchain is a great solution for a nationwide election and the voter registration rolls where to be honest it's something I need to go back and talk to our read our our experts about whether it's a potential solution offhand I'm not sure that it is because again you don't really want in the context even of a voter registration roll you don't want distributed a distributed ledger you want a ledger with a leader why is that because you want to have someone who has the decision-making authority about what's a legitimate registration and what's not and in in a distributed in distributed environment that's being determined by everywhere every other participant in that environment now there may be a way to make blockchain applicable to the voter registration process to help with this security issue I want to go back and talk to our experts but 
offhand I think it's probably not the right technological fit and again I'm not asserting that it is it's just very interesting to me that it seems to be less susceptible to manipulation because in the event you had the circumstances you described where someone was attempting to manipulate the data instead of us relying on one supervisor of elections a Department of State or even some of these joint task forces that I think we very productively discussed today you would have potentially thousands of different nodes and and capabilities to be able to diagnose that manipulation my concern now is if you can essentially flummox a Supervisor of Elections you can manipulate the voter rolls and as I sit here today having received a briefing that I know my Florida colleagues receive I'm not certain that in my state there wasn't some manipulation of the voter rolls and no one's been able to reflect that certainty to me and so I'm just trying to kind of democratize the oversight of that system potentially and so again I don't I don't expect anyone to be an expert on this I think we've got a lot to learn about it but I reject the premise that only a piece of paper gives us a sense of a lack of manipulation I don't disagree with that congressman and if I may have time has expired the witness may answer the question thank you chairman let me go back and we come back come back to you and and answer the question more specifically about the blockchain and voter registration rolls whether that or some other approaches the best means of securing those rolls thank you I yield back the gentleman yields back the gentlelady from Florida thank you so much Mr. chairman thank you to all of our witnesses for being here I am from Florida and I represent Florida and I do agree with my colleague's earlier statement from Florida that every voter regardless of their party where they live their zip code deserves to have their vote counted so thank you very much Mr. 
chair for this very timely and important by hearing Mr. Burt I just like to ask you have you faced any obstacles at the federal level with implementing ElectionGuard and if so what happen again we have not faced any obstacles at the federal level to implement ElectionGuard now that the technology is actually out and available for inspection and deployment and we expect to have continued conversations with a number of Representatives federal government where we will explain the technology and how it works but I don't anticipate actually any federal level resistance because I think we are aligned with the federal interests especially those of CISA and others responsible for our election security and if you could state again what's the timeline of implementation so the technology is available right now for implementation and devices the timeline is complex and that is a bit of a problem it's complex for a number of reasons some that really government can't do much about because the vendors have to inspect the the technology determine whether they want to put it in devices there has to be a demand from state and local vendors for the technology which we think there will be based on our conversations so far but then once those are available there has to be the funding at the state and local level to be able to deploy the new devices that implement the technology and all of that is subject to this currently outdated certification process that takes too long it's too burdensome and it's too hard and those rules are being updated right now by the Election Assistance Commission but we need to make sure that they're updated in a way that provides much more agility and flexibility so you've got all of those pieces that need to come into alignment we're confident they will we're confident we'll have some pilot elections utilizing this technology no later than 2020 but the sooner that it can be deployed in order to secure our elections the better my understanding is that certain 
of the breaches in the 2016 election when they were going door to door looking to see which windows are unlocked and doors were not immediately detected so my question is what signs should election officials be trained to look for on Election Day to ensure that there are no undetected attacks either of the first and most important is to have a baseline of what normal looks like and every election jurisdiction needs to know what normal operations looks like so that they can then have the appropriate monitoring place should there be any abnormal activity whether it be a flow of data that looks unusual a disruption of data that looks unusual a login from an unusual someone who should not have access from an account that should not have access so knowing what normal and having that baseline and then being able to monitor for any abnormal activity is the most important thank you and I would say every level needs to be trained in this so but the but starting from technology right the intrusion detection systems should be in every single County in the country and every municipality that runs elections I think that's one of the most critical components for protecting our elections from here forward and I'd love to see resources from the federal government to make sure that that happens so we don't have voters in under-resourced counties with less security than others but then poll workers and you know my first job in elections was as a poll worker and making sure that we have the support and training for the poll workers to be able to recognize not only signs that are problematic like people not being in the voting rolls but knowing about provisional ballots we haven't mentioned provisional ballots yet once in this hearing we actually have a provision that allows when people are not in the voter rolls to still vote but sometimes poll workers don't remember to do that or don't know to do that so they need to be adequately trained every voter can get a provisional ballot 
and then it can be checked later so if that person is eligible they should never ever be turned away thank you so much yield back Mr. chair gentlelady yields back there are four minutes and 20 seconds left in a vote on the floor we have a series of number of votes on the floor the committee will stand in recess but will reconvene immediately upon a cessation of the votes on the floor so please I ask the members of the committee come back as soon as the last vote is cast the committee stands in recess the gentle lady from Texas is recognized thank you Mr. chairman and thank you for the patience of our witnesses as they waited for us while we registered our votes and that's what we're focusing on aren't we voting so thank you for being here election security is all about voter confidence and participation the more confident voters are in the integrity of election systems the more confident they will feel that their vote has been counted and that their voice has been heard and that and of course this directly impacts your future participation I listened with great interest to some of your testimony and I've looked at your written testimony and I want you to start with you Mr. 
Burt and quickly I don't need I heard you explained the the system that you have and I just want to make sure that anyone watching is clear is yours a software system or a software system in machines and an audit system too or all of the above one of the above ours is a software system that needs to be incorporated into the voting system that is used by utilized by the state or local voting officials and it supports multiple different forms of voting system so you can have electronic ballot marking device you can start with handwritten and marked ballots that are then scanned we support those who are working to support others that are not as widely used but it's basically software that needs to be incorporated by vendors into the voting system itself verification that the user can the voter can can go to online that will simply just verify that they voted or can they print something at home if through your software system so the system when they vote when they go to the polling place and they vote they get a piece of paper that has the code they can then enter the code in later and they will see they will get verification that their vote was counted they can't see their vote this is really critically important they can't see who they voted for they know who they voted for but what the system tells them is your vote was not changed and your vote was counted and it's important that they not be able to see their vote because otherwise they'd be could could be coerced into voting in a certain way you could sell your vote this is an important that's correct that's actually you know there's no paper trail there is a paper trail in the sense that our system supports the creation of a verified paper ballot so you vote that's encrypted but you also get a paper ballot that the that the voter can look at and say yes this is correct you deposit that in the ballot box that can be used for risk limiting audits even for hand counts if necessary although it shouldn't be necessary 
well I'm thinking a lot of people in my district they don't have a computer at home don't have a laptop don't have a way of doing any of that so what are we to do with quite frankly the usual targeted populations when there are some of this you know misinformation you know hacking it's usually a lot many times minority voter precincts that get attacked so what would we do then for the person who doesn't have access to a computer or Internet to be able to go through that process so our system is based on polling place voting whether it's hand marked ballots or using an electronic voting machine the ElectionGuard supports going to the polling place to vote so you don't need to have any technology in order to vote to verify and yes in specifically about verifying that you voted correct it's actually sort of happened to me once I voted and I thought I had done everything and then they came in to the car to get me and said you know I was a senator at the time they said senator you're you're it didn't go through and I said what do you mean it didn't go through so I had to go back in and essentially vote again it made no sense to me that I had to do that and I think that happens probably more often than not so I'm just concerned about the the populations who don't have access to that computer to verify that in fact our vote was counted totally understandable the good news is that you can do the verification in our system with a smartphone and in most populations smartphones have penetrated much further than laptops my sister did not have smartphones they just have the the one did you go to the flea market or a story what do they call the click headphone sure flip phones don't have the smart phone those are more costly they go in there at Cricket phones they go there and get one months at a time we're talking about people that are paycheck to paycheck they can't afford one like mine yes I understand congresswoman in the verification does require some access to a system 
whether it's your neighbor's phone your phone go to the library and access a computer to get that personal verification now keep in mind that's a new advance of the technology but to do that verification and see that your vote was counted with our system you will need access to something whether it's a smartphone a public computer some device that lets you see yes my vote in fact got counted well thank you everyone out of time and I yield back thank you Mr. chair a two yields back the gentlelady from Pennsylvania I thank you very much Ms. Boockvar I wanted to thank you for your work in removing barriers to voting in Pennsylvania for everyone who's eligible to vote in particular I wanted to thank you for your attention to modernization of Pennsylvania's voting system and things such as just two weeks ago rolling out the ability to request absentee ballots online I know my three children who do not live in the district anymore when they're at school appreciate that ability you've also paid a lot of attention to our young voters and I know particularly high school registration can you just tell us a little bit about what what you've done there Governor Wolf started a couple years ago the Governor's Civic Engagement Award and it's been a tremendous success in Pennsylvania encouraging students in schools to register eligible voters to to vote and it's been a terrific both the competition from school to school and from students to student but also their engagement in voting which as we all know probably a lot of us started our civic engagement early and it really research shows when you are engaged early you probably become lifelong voters and that's critical to our democracy okay turning more to what's at hand here there's been discussion about needing to improve lines of communication between federal state and local agencies can you explain a little bit about that absolutely so you know one of the things that we talked we've been talking about a lot in as we develop 
these conversations around election security is the importance of continuity of operations or COOP planning and it's one of those things that I think a lot of areas like emergency management and law enforcement have been doing for a long time but the election sphere it's relatively new and one of the critical components of effective COOP planning is to know who to call at the moment you need to call them because the last thing you want to do when an incident happens is figure out who the right person is to call so the more clear clarity we have about who at the federal government is is the the call to make at Incident X Y or Z the better would be for the counties to not to have to figure it out at the moment and we're doing a lot of work with the counties to develop those COOP plans but we need that to come from the federal government as well to make sure we have central centralized lines of contact if you have one piece of advice for Congress as we debate the appropriate vehicles to legislate and to fund this what would that be I think I'd have to go back to our conversation about diversifying the types of election security that's implemented across the country so there's been a lot of attention to voting systems we is a very important thing to transition to paper records but as we discussed earlier so many other components of this process or at least as critical so we need to allow funding to go to voter registration database databases intrusion detection systems making sure that we have layered defenses to all our networks phishing and security training and multi-factor authentication and COOP planning all those things are equally important and I I'm most worried about thinking that one solution is going to fix everything we need to give the states the ability to decide what their most critical component components are and as I understand it that involves both work in helping establish best practices that the federal government can help push out and then 
providing funding to achieve those best practices?

Exactly.

Okay, thank you. I yield back.

Thank you. Gentlelady yields back.

Thank you, Chairman, for hosting this important hearing today. It's one of the most pressing issues facing our nation. Thank you to the witnesses for not only appearing today and sharing your expertise, but for taking such a leading role in protecting the integrity and security of our elections at all levels of government. Much appreciated. Our nation came under attack in 2016. The special counsel described Russia's efforts to interfere in our elections as, quote, sweeping and systemic, unquote. They deceived Americans, hacked into campaign email accounts, hacked into the very systems and databases that conduct our elections at the state level. We know that the same kind of attacks continue to this very day. Federal Bureau of Investigation Director Christopher Wray stated that, quote, this is not just an election cycle threat, it's pretty much a 365-day-a-year threat, unquote. And despite that, this White House has done nothing. It joins the Senate in sitting on its hands in the fight to defend our democracy. It's a real travesty, and I hope that this hearing and legislative efforts we can begin to turn the tide. Unfortunately, my home state of Arizona, its voter registration database was one of Russia's targets. Their attack wasn't successful, but it shows the heightened importance local officials must place on election. Ms. Plunkett, you mentioned in your written testimony the importance of the integrity of voter registration databases and e-poll books. When it comes to the use of e-poll books for voter registration rosters and ballot-on-demand printers, do you agree that it is a best practice to use encrypted communications in all circumstances when data is transmitted or received?

Yes, I do.

Do you think of a circumstance, if there's ever a circumstance, where election officials should transmit or receive data on these devices in a non-encrypted manner?

I cannot
envision in the circumstances such as that.

Thank you. Ms. Plunkett, you also mentioned that the steps the federal government and state governments must take will cost more than two billion dollars. Not all states are adequately investing in election security. Some, including Arizona, are cutting election security funds. What type of outcomes and risks are states that don't take this issue seriously exposing themselves to?

Well, they're exposing themselves to the potential for their election outcomes to be corrupted, invalid, not accepted, not trusted by the populace that they represent, and ultimately the impact of the perception could be much worse than the reality, which would mean people would not come out to vote.

Thank you for that answer. And this is a question for all of the witnesses. Some elected officials use USB devices to transfer data from one device to another. Is it best practice to use those devices only a single time to minimize the possibility of malware, or to use those devices repeatedly?

I would go with yes, that it is certainly a best practice. There are some circumstances where, as long as there's effective reformatting, that might be effective, but I think using new ones is, I would say, the best practice.

Mr.
Burt?

I would caution that USB devices are a known vector for the transmission of malware, which can be installed at the time of their manufacture. So even using new USB devices or anything other than a very highly trusted source, and increasingly that would mean of American manufacture if you're using it in an election in the United States, is a challenging thing to do. You can try to scan that device, can try to make sure it doesn't have malware on it before it's ever used, but that could be a very costly and time-consuming practice. So the use of USB devices is something that we would say you should be very cautious about doing even once, because the malware may be present on that device when you first use it.

Thank you. Ms. Plunkett, have your thoughts on that subject matter?

I would go so far as to say that unless there are no other alternatives, the use of thumb drives should be prohibited.

Thank you very much. I yield back.

Gentleman yields back. The gentlelady from Pennsylvania.

Thank you, Mr.
Chairman. Thank you for holding this important hearing. I want to associate myself, so as not to be repetitious, with Representative Stanton's remarks of the gravity of the situation, as well as the chairman. And Secretary Boockvar, as you said, and you're not alone in saying this, nothing is more important than the security of our elections. Nothing in this democracy is more important than that, and so I'm glad we're talking about these issues. And Secretary Boockvar, of course I'm delighted to see you here from Pennsylvania. I thank you and Governor Wolf for your service, particularly in the area of election security. I'm thinking back to Mueller coming in and telling us and telling the world that certainly our elections were interfered with in 2016, and if I recall him correctly, he said, and it's going on 24/7, that interference continues. Can you describe some of our vulnerabilities as of 2016, and maybe lay out some of the vulnerabilities that you still see?

So I think the good news, and going back to, you know, what we talked about earlier, is the good that arose from what happened in the past is that we are, with the declaration of being critical infrastructure, it's provided us with a lot more resources. And so, you know, one of the things that I really think is critically important across the country as well as in the state are these collaborations that we've been talking about. So I think the lack of collaboration and intersection of resources could be a vulnerability if it's ignored. And so, for example, we found in Pennsylvania, as we started to have tabletop exercises and really improve our collaborations, a lot of times in the counties the election officials didn't even know the emergency management personnel, and that's crazy, right? So in 2018 the primary was almost like a real-life tabletop exercise. I don't know if you recall, but there was a tornado that crossed the state literally on primary day, and so we had trees were down, polling places
were blocked, electricity went out. The intersection of the emergency management, law enforcement and elections was critical, is critical. So I think one of the vulnerabilities is not feeding that well, and again it goes back to the COOP planning too. But then I also want to make sure that our counties have the resources they need to have really advanced intrusion detection systems, effective plan a training of phishing and security and all that, and every advanced sensor and, you know, protection layer defenses of their network. So those are the areas that I would really focus on. Supporting the local counties and municipalities would be one of the areas I want to direct most attention.

And the issue of certification, I guess, of the equipment itself: what is the delay there? How could we streamline that? Either you or any of the witnesses.

The issue there is that the standards that are, the guidelines that are promulgated by the Election Assistance Commission are more than ten years old. In fact, their most recent modification of those guidelines, there's not a single election system that's ever been certified under those most recent guidelines, and they're ten years old. So what the Election Assistance Commission is doing right now, which is revising those guidelines, is critically important, but they need to move quickly. They need to move with expeditious activity, because this threat, as you pointed out, Congressman, is 24/7. It's happening now. It's going to happen through the 2020 election cycle. So we need the EAC to adopt new guidelines for certification quickly. The current ones don't adequately address security, and they take too long and they're too burdensome. So we need to streamline that process, make it faster. And one of the really critical things for all state and local election officials is we need to make it very easy to apply security updates. That's a key defense to these adversaries from every vendor, and so we need to be able to apply security updates quickly, expeditiously,
without so much bureaucracy, so that we can respond.

Thank you very much. And this will just be by way of sort of a rhetorical statement, and I was struck by something you wrote in your testimony, Secretary Boockvar. You wrote that election security is a race without a finish line, that our adversaries are continuously advancing their technologies and we must do more all the time. So we know that we can't see a finish line for this, and we have to identify the threats. I have to wonder what conversations all of you have had to have with your own organizations based on foreign threats, but now, the news of this past week, domestic threat to our election. It couldn't be a more grievous, grave time. None of us is pleased with the news of the Ukraine conversation by the president of states and an attempt to interfere in a future election. So I pray you all for your work, help us do better at our work to protect our elections, and I yield back.

The gentlelady yields back. This concludes today's hearing. We thank all of our witnesses for participating. Without objection, all members will have five legislative days to submit additional written questions for the witnesses or additional materials for the record. And with that, without objection, the hearing is adjourned. [Music] [Music]
Info
Channel: Fox News
Views: 573,559
Rating: 3.7346296 out of 5
Keywords: Fox News Channel, FNC, Fox News, News, Latest News, Top stories, Chairman Nadler, nadler, jerry nadler, nadler live, jerry nadler live, house judiciary, house judiciary committee, house judiciary committee hearing today, house judiciary committee hearing live, congress, congress live, elections, election security, US elections, Fox news live, fox news live stream, live stream, fox live, Live updates, live video, Live news, fox live stream
Id: yM0oyvLx0RQ
Length: 183min 0sec (10980 seconds)
Published: Fri Sep 27 2019