Hearing: Election Security: Voting Technology Vulnerabilities (EventID=109687)



The hearing will come to order. Without objection, the Chair is authorized to declare recess at any time. Good afternoon, and welcome to a joint hearing of the Investigations and Oversight and Research and Technology Subcommittees. Ranking Member Norman and I had such a good experience working with Research and Tech last month during our transportation hearing that we thought we should do it again, so it's great to be here with Chairwoman Stevens and Ranking Member Baird. So thank you both, I appreciate it.

We're here today to talk about election security and the various technologies and best practices that support it, and I want to start out by acknowledging something good. The experts tell us that the United States has in fact made enormous progress since 2016 towards protecting our election infrastructure. I applaud the secretaries of state, the election officials, the poll workers and the systems administrators across the nation who have already been working to defy election interference. New Jersey, for example, is investing in a whole range of activities right now to prevent interference, including a pilot program for voter-verified paper trails. But I remain worried about the enormous risks our election systems still face heading into 2020, and I have been really concerned about how attacks on our election system affect the American psyche. We have all seen anecdotes in the press about counties and states across the United States where experts learn after the fact that an election system has been hacked. It is worth pointing out that we don't always see election systems actually being breached when they are targeted. Sometimes our systems work the way they're supposed to and keep intruders from doing harm, and we should find comfort when we learn of a crisis averted. But for the most part we don't. These stories in the news allow us to see just how high the stakes are. They allow us to see how many ways there are to manipulate the system. These stories make the American people
feel uncertain, and our peace of mind, our faith in the electoral process, is another casualty of interference. There are few things more central to the American covenant than the safety and security of our elections, where citizens from all walks of life can cast their vote and know that it will be counted. Our foreign adversaries know this. The last two election cycles saw foreign interference in our election systems that tried to shake our faith in the U.S. election system and in our fellow Americans. When I was in the Navy, I was a Russian policy officer, and I saw firsthand how the Russians work to sow division here. We know the Russian intelligence service has already attacked our election infrastructure across a number of states, and we have every reason to believe these attacks will escalate during the 2020 cycle. The methods that foreign and domestic actors use to corrupt our elections are growing more sophisticated every day. When it comes to cybersecurity, the threat is constantly changing. It is our responsibility in Congress to help states arm themselves with advanced, adaptive strategies to prevent, detect and recover from intrusions.

On a lighter note, I am delighted to welcome a special guest in the gallery today, Miss Bianca Lewis. Bianca just finished the seventh grade in Phillipsburg, New Jersey. She is a coder and an inventor who runs her own blog dedicated to her adventures in STEAM: that's science, technology, engineering, art and mathematics. Bianca was also one of the young hackers featured at an exhibit that was hosted at last year's DEF CON technology conference in Las Vegas, called r00tz Asylum. At DEF CON, Bianca and other young people were able to exploit models of secretary of state websites to delete content and change the voting results displayed. While the websites at DEF CON were models and not part of any real-life voting systems, they were designed with some of the known vulnerabilities that real-life hackers have abused in recent years. I thank Bianca for being a
leader for girls in tech and computer science, and for helping shine a light on cybersecurity and election infrastructure. It is so rewarding to see that the next generation is thinking big, and I'm glad that you and your family could be here today from New Jersey. I'm also pleased to welcome the distinguished witnesses on our panel, three of whom contributed to the very important recent report from the National Academies on securing the vote. Thank you all for being here today. So the Chair now recognizes Mr. Norman for an opening statement.

Thank you, Chairwoman Sherrill and Chairwoman Stevens, for convening this important hearing, and thank you to each of the witnesses for taking the time to give your testimony this morning. We're here today to review the security of the United States election system technologies and discuss research to ensure the security, the integrity and the accessibility of America's election systems. Today's hearing provides an opportunity to learn how the federal government can support state and local governments as they work to secure elections through research, technology, standards and voluntary guidance, without burdensome federal mandates. The 2000 presidential election highlighted problems with punch card and lever voting systems and brought to light new concerns about election integrity. To address these concerns, Congress enacted the Help America Vote Act of 2002, better known as HAVA. HAVA provided money to the states to replace antiquated voting systems, established the United States Election Assistance Commission, or EAC, and required the National Institute of Standards and Technology to provide technical support to the EAC to develop voluntary guidelines for voting systems. My home state of South Carolina recently decided to upgrade voting systems and serves as an example of how the process should work. South Carolina officials conducted a lengthy evaluation of several options and ultimately determined that
upgrading to a ballot marking device was the option that best met the needs of our state. And this is how it should be: state and local officials figuring out what is best for the community. As federal policymakers, we must remember that administration of elections is inherently a function of state and local governments. We should listen to our local election officials and provide the reasonable support necessary to bolster the security of election systems and to efficiently and effectively administer elections throughout the United States. This requires a flexible and a dynamic approach to security that can be molded by jurisdictions across the country to their specific needs. A one-size-fits-all approach is simply impractical and unworkable. I welcome the chance to hear from state and local election officials as we consider the issue of election system security, and look forward to their perspective on what role the federal government can play in ensuring that they have the information and support necessary to harden their election systems against present and any future threats. We will also hear today from representatives of academia, the private sector and the federal government, which provides us with the opportunity to learn more about technologies and innovations that will improve America's election systems today, as well as research underway that may bolster election and system security in the future.

It's hard to imagine an issue of greater importance to our democracy than the security of America's election system, and while I appreciate that this committee continues to approach critical issues of national importance in a bipartisan fashion, I would be remiss today if I didn't take the opportunity to highlight how partisan politics on the part of the House Democrat leadership has once again failed to proceed through regular order. Specifically, I'm disappointed, but, you know, quite frankly I'm not surprised, as this is just another in a long list of political stunts,
by leadership's sudden decision to move H.R. 2720, the so-called Securing America's Federal Elections Act, to the floor this week without consideration by this very Science Committee, which rightfully received a referral on the bill. House Democratic leadership instead chose to rush this bill to the floor in order to satisfy far-left progressives with yet another messaging bill that thankfully has absolutely no chance of being considered in the Senate. As today's hearing will demonstrate, the Science Committee has a crucial role to play in the consideration of any legislation that truly aims to improve the security of America's election systems. That being said, I look forward to a thoughtful and bipartisan discussion today of how we can improve the security of America's election systems now and in the future. I want to thank each of our witnesses for being here, and thank you, Madam Chair, for convening this all-important hearing. And I want to thank the Hyatts, who are here from my home town, who have played a part in two elections in South Carolina, for being with us today. Madam Chairman, I yield back the balance of my time.

Thank you. The Chair now recognizes Chairwoman Stevens of the Subcommittee on Research and Technology for an opening statement.

Thank you, Chairwoman Sherrill. It's great to be here talking about election security and voting technology vulnerabilities, and we're certainly so grateful that we have the leadership in the House of Representatives willing to take on the severity of some of the election security breaches that we experienced in 2016, some of which have been long overdue and the current administration has failed to address. So good afternoon, and welcome to this hearing. Certainly the elections of 2016 showed us how vulnerable our election infrastructure can be to foreign adversaries who interfere in the very foundation of our democratic process, and this has begun a national conversation on the security and integrity of our U.S. elections. Most election
authority rests with the states, but, as Mr. Norman recognized, Congress created a federal role in election administration and security with the Help America Vote Act of 2002, known as HAVA. And under HAVA, the National Institute of Standards and Technology, NIST, which the subcommittee that I have the privilege of chairing on Research and Tech has oversight over, NIST was tasked with providing technical assistance and research to inform the development of voluntary voting system guidelines to be recommended to the Election Assistance Commission, the EAC. HAVA provided hundreds of millions of dollars to states to buy new voting equipment, but some of those old machines are still in use today, and, states not being required to implement the voluntary voting system guidelines in the purchase of new voting machines, we're left with a gap. Only 38 states and the District of Columbia use some of the parts of the federal testing and certification program for purchasing new voting equipment. With more than ten thousand election jurisdictions in the United States, there is certainly no one-size-fits-all solution to election administration and security. In addition, most election administrators are well intentioned but lack resources, awareness and technical expertise. Cue the federal government. At the time of HAVA, voting technology was assumed to mean only the voting machine itself. Today, depending on the jurisdiction, a voter may be able to register online to vote and have their name and address confirmed through an internet-connected electronic poll book, or e-poll book, at their polling site, in addition to casting their vote on an electronic machine. Unfortunately, many Americans still cast their vote on machines with no paper record. I know we will hear from our experts today that, with all the conveniences that the internet and 21st-century technology provide, paper ballots are still the most secure. But even if we implement paper records
everywhere, we are still left with the new security challenges posed with online registration and e-poll books. As a champion and a believer of 21st-century technology, I am also still a champion for the analog skills that move us forward. In fact, every point of internet connectivity in the election system, including software development and updating, introduces a vulnerability. Security must be a priority at every step of our cherished democratic process. Free and fair elections are paramount. Last year the National Academies issued a consensus study report titled Securing the Vote: Protecting American Democracy. This report included several recommendations for improving election security, including the need for national standards for e-poll books, voter registration databases, ballot handling procedures and audits. Finally, the report included a strong statement that the federal government has a responsibility to invest in research to protect the integrity of elections, which is part of what we are here today to discuss. I certainly could not agree more, and I am glad to know that, in addition to NIST, the National Science Foundation carries out computer science and social science research that could be applicable to election systems. There needs to be more coordination (we are fans of interagency work here on this committee) and a more robust dedication of research dollars for this purpose. The 2020 elections are not far away. I look forward to our witnesses' insight on the Academies report and other important recommendations for this committee to take up. Thank you, and I yield back.

Thank you, and the Chair now recognizes Dr. Baird of the Subcommittee on Research and Technology for an opening statement.

Thank you, Chairwoman Sherrill and Chairwoman Stevens, for convening today's hearing to review the security of U.S.
election system technologies. Voting is a fundamental right of every American citizen, and ensuring the right to a safe and secure election is the responsibility of every member of Congress. Without security, integrity and accuracy in our electoral process, the foundation of our nation, in fact our democracy, is weakened. I look forward to hearing from our witnesses this afternoon about how the federal government can support state and local governments in ensuring safe and secure elections through research, technology, testing, audits and voluntary guidance. As we all know, under our Constitution's federal system, election administration is and should be the responsibility of state and local governments. Our founders believed the government is more transparent, responsive and accountable when it's closest to the people, which is why the Constitution gave the responsibility of our elections to the states. To this end, Congress's role is to empower state officials to strengthen the security of their unique election systems and effectively administer elections, not to try to dictate a one-size-fits-all. The Help America Vote Act established the federal Election Assistance Commission and requires the National Institute of Standards and Technology, NIST, to work with the Commission on technical voluntary guidelines and voting systems. These voluntary guidelines are an important tool for state and local elected officials to ensure the functionality and accuracy of the state's unique system. They allow the testing of voting systems to determine the basic functionality, accessibility and security capabilities. They also offer flexibility, which is important given the variation of election infrastructure from state to state. I look forward to hearing from Dr.
Romine about the most recent iteration of voluntary voting system guidelines, which is expected to be released soon. I believe it's also valuable that this committee has the opportunity to hear what new and evolving challenges states are facing and how states are using federal resources to overcome unique challenges, including how and if these guidelines and protections are being effectively adopted. I expect that Secretary Ziriax and Mr. Kelley will have particularly good insight into these challenges. There's no doubt that there is a need for improved security of our elections. We know that at least 21 states were targeted by foreign state actors prior to the 2016 U.S. election, and we know that Russia undertook disinformation campaigns on social media in that same election. This is troubling, but we must also acknowledge that no votes were changed in the 2016 election, and the 2018 midterm elections were secured with a record number of voter participation. We must examine what we can learn from these past elections and improve upon them. We can make progress on this issue. I want to again thank Chairwoman Sherrill and Chairwoman Stevens for holding this hearing, and I hope that it will be a bipartisan look at the challenges of election security. As my colleague Ranking Member Norman noted, this matter has not been addressed in a bipartisan manner thus far of this Congress, but I hope this hearing will illustrate how progress can be made in keeping our nation's elections secure and free from interference. Thank you, and I yield back.

Thank you, Dr. Baird. If there are members who wish to submit additional opening statements, your statements will be added to the record at this point. And at this time I would like to introduce our five witnesses. First, we have Dr. Charles Romine, the director of the Information Technology Laboratory at the National Institute of Standards and Technology, or NIST. And, Doctor,
I'm not sure if I should offer you congratulations or condolences: I hear this is your 20th time testifying before us, so welcome again. Mr. Neal Kelley is the Registrar of Voters for Orange County, California. Mr. Kelley is also a member of the National Academies of Science, Engineering and Math Committee on the Future of Voting. This committee contributed to the publication of the 2018 National Academies consensus study report titled Securing the Vote. Thank you for coming today. Dr. Latanya Sweeney is a professor of government and technology in the Department of Government at Harvard University's Institute for Quantitative Social Science. Thank you. And then Dr. Benaloh is a senior cryptographer at Microsoft Research. Dr. Benaloh also contributed to the National Academies Securing the Vote report. And to introduce our final witness, I recognize Congresswoman Horn of Oklahoma's fifth congressional district.

Thank you, Madam Chairwoman. I am honored today to be able to introduce not only our election secretary but also one of my constituents from Oklahoma City, and I'm honored to be able to join you on this subcommittee today on such an important issue. Secretary Paul Ziriax has served as the secretary of the Oklahoma State Election Board since 2009, and in that capacity as our chief election official he also serves as the Secretary of the Oklahoma Senate, by way of a 1913 Oklahoma law that requires the Secretary of the Senate to also serve as the secretary of the education, or the Election Board. Originally from Claremore, Ziriax has worked as a senior aide in the Oklahoma State Senate, chief of staff and press secretary to a member of Congress from Oklahoma, as a radio station music director and announcer. Ziriax is a member of the National Association of Election Directors and the American Society of Legislative Clerks and Secretaries, and is a past appointee to the Oklahoma Capitol Preservation Commission. He's an alumnus of Oklahoma State University in
Stillwater. And finally, especially as related to this hearing today, I am proud of Oklahoma's election system because of our paper ballots and a number of other security features that allow us to know the security and veracity of our elections, which is one of the things that we are talking about here today. So the work of Secretary Ziriax and the staff of the Oklahoma State Election Board has been very important, and I'm glad that you could join us today and look forward to your testimony.

Well, thank you. I know, I feel guilty I didn't give the rest of you the great intro. But as our witnesses should know, you will each have five minutes for your spoken testimony. Your written testimony will be included in the record for the hearing. When you all have completed your spoken testimony, we will begin with questions. Each member will have five minutes to question the panel. And let's start with you, Dr. Romine.

Chairwoman Sherrill, Ranking Member Norman, Chairwoman Stevens, Ranking Member Baird, and members of the subcommittees, I'm Charles Romine, the director of the Information Technology Laboratory at the Department of Commerce's National Institute of Standards and Technology, or NIST. Thank you for the opportunity to appear before you today to discuss our role and what NIST is doing in election security. For more than a decade, as directed by both the Help America Vote Act of 2002, or HAVA, and the Military and Overseas Voter Empowerment Act, NIST has partnered with the Election Assistance Commission, the EAC, to develop the science, tools and standards necessary to improve the accuracy, reliability, usability, accessibility and security of voting equipment used in federal elections for both domestic and overseas voters. Under HAVA, NIST provides technical support to the Technical Guidelines Development Committee, which is the Federal Advisory Committee to the EAC, in areas such as the security of computers, computer networks and computer data storage used in voting systems, methods to
detect and prevent fraud, protection of voter privacy, the role of human factors in the design and application of voting systems, and remote access voting, including voting through the internet. This technical support includes intramural research and development in areas to support the development of a set of voluntary voting system guidelines, referred to as the VVSG or the guidelines. The guidelines are used by accredited testing laboratories as part of both state and national certification processes, by state and local election officials who are evaluating voting systems for potential use in their jurisdictions, and by manufacturers who need to ensure that their products fulfill the requirements so that they can be certified. The guidelines address many aspects of voting systems, including determining system readiness, ballot preparation and election definition, voting and ballot counting operations, safeguards against system failure and protections against tampering, ensuring the integrity of voted ballots and protected data during transmission, and auditing. Almost immediately following the adoption of Voluntary Voting System Guidelines 1.1, NIST established a set of public working groups to gather input from a wide variety of stakeholders on the development of the next iteration of the guidelines, the VVSG 2.0. This approach pulled in subject matter experts across the nation, with 994 members across seven working groups. Within the working groups, the cybersecurity working group has grown to 175 members and engages in discussions regarding the security of U.S. elections. Guidelines 2.0 addresses these evolving security concerns. It includes support for advanced auditing methods as well as enhanced authentication requirements, and mandates two-factor authentication. The system integrity section in Guidelines 2.0 ensures that security protections developed by industry over the past decade are built into the voting system. Other security issues to be resolved beyond those mentioned in the
guidelines include the need for regular and timely software updates and security patches. Networked communication is another important security issue currently under discussion. Many election jurisdictions rely on public telecommunication networks for certain election functions, such as reporting results to state agencies and media outlets on the night of the election. These connections, however brief, are a significant expansion of threat surface, and their security requires further study. NIST participates in the DHS election security initiative federal partner roundtable and kicked off the election profile of the Cybersecurity Framework effort in March of 2019. NIST will hold workshops in July and in August to identify election processes and assets that need protection, threats from foreign control of technology vendors, available safeguards, techniques that can detect incidents, and methods to respond and recover. The election profile will serve as a one-stop cybersecurity playbook that matches cybersecurity requirements with operational methodologies across all election processes, from voter registration through election reporting and auditing. The profile can be used by secretaries of state and state and local election officials to identify and prioritize opportunities to improve their cybersecurity posture. NIST expects that an initial draft of the election profile of the Cybersecurity Framework will be available in the fall of 2019. NIST is continuing to address election security by strengthening the VVSG for voting systems, such as vote capture and tabulation, and by working with our government partners, including the EAC, to provide guidance to state and local election officials on how to secure their election systems, including voter registration and election reporting systems. Thank you for the opportunity to testify on NIST's work regarding election security, and I'll be pleased to answer any questions that you may have.

Well, thank you very much, and Mr.
Kelley.

Good afternoon, Chairwoman Sherrill, Chairwoman Stevens, Ranking Member Baird, Ranking Member Norman, and members of the Subcommittee on Investigations and Oversight and the Subcommittee on Research and Technology. My name is Neal Kelley, and I'm the chief election official, Registrar of Voters, for Orange County, California. Thank you for the invitation to speak today. I'd like to address four specific things: the key findings of the National Academies of Sciences, Engineering, and Medicine's consensus study report, Securing the Vote: Protecting American Democracy; the best practices used in Orange County, including use of paper trails with voting machines, electronic poll books and risk-limiting audits; barriers states and counties encounter in the pursuit of enhancing election security; and how I believe Congress can further assist states and counties with securing election system technologies. As a member of the National Academies Committee on the Future of Voting, I have submitted the report highlights for federal policymakers along with my testimony today. I would also like to share the insights I have gained as an election administrator. In the two decades following the 2000 presidential election, numerous initiatives have been undertaken to improve our election systems. Although progress has been made, old and complex problems persist and new problems emerge. Aging equipment, number one, the targeting of our election infrastructure by foreign actors, a lack of sustained funding dedicated to election security, inconsistency in the skills and capabilities of elections personnel, and growing expectations that voting should be more accessible and convenient as well as secure complicate the administration of elections in the United States. Working together, NIST and the Election Assistance Commission have made numerous contributions to the improvement of electronic voting systems by providing critical technical expertise. The Voluntary Voting System Guidelines, otherwise known as VVSG, developed
by the EAC in collaboration with NIST, are particularly important. Nevertheless, despite the critical roles that these agencies play in strengthening election infrastructure, there is currently a very limited pool of ongoing financial support. While one-time funding has been historically allocated, election cybersecurity is known to be an ongoing challenge that will require a constant effort to better understand threats and vulnerabilities. The National Academy report recommends that the EAC and NIST, the architects, developers and shepherds of the VVSG, continue the process of refining and improving the VVSG to reflect changes in how elections are administered, to respond to new challenges to election systems as they occur, such as the threat of cyber attacks, and to research how new digital technologies can be used by federal, state and local governments to secure elections. Our report further recommends that a detailed set of cybersecurity best practices for state and local election officials be developed, maintained and incorporated into election operations, and that the VVSG be periodically updated in response to new threats and challenges. Electronic voting systems that do not produce a human-readable paper ballot of record are a particular concern, as the absence of a paper record raises security and vulnerability issues. Because of this, our report recommended that all elections should be conducted with human-readable paper ballots. We also recommend the use of risk-limiting audits. An RLA is not considered to be a performance audit, as it seeks to ensure accuracy: that the reported outcome would be the same if all ballots were examined manually, and that any different outcome has a high likelihood of being detected and corrected. The National Academy report also recommends that the use of the Internet, or any network connected to the Internet, for a voter to cast a ballot or the return of a marked ballot should not be permitted. There is no known technology
that guarantees the secrecy, verifiability and security of a marked ballot transmitted over the Internet. Voter registration databases are also vulnerable to cyber attacks, whether it is a standalone or is connected to other applications. Presently, election administrators are not required to report any detected compromises or vulnerabilities in voter registration systems, and our report recommends that states make it mandatory for election administrators to report these instances when it occurs to the Department of Homeland Security, the EAC and state officials. As the fifth largest voting jurisdiction in the United States, Orange County, California is in the fortunate position of being able to allocate resources and staff to support pilot programs and determine best practices for the use of paper audit trails, voting machines and electronic poll books. On the matter of election security, in Orange County we remain closely connected to our local fusion center and to information sharing and analysis centers. In addition, I routinely invite security experts to conduct audits and testing on our systems to identify vulnerabilities and to propose solutions. Electronic poll books must meet high-level security requirements to be used in California, and my office has placed additional requirements on potential electronic poll book solutions: data must be encrypted while in transmission and while at rest. Nevertheless, not every election office has the resources that we have in Orange County. There are hundreds, if not thousands, of election offices where only a handful of dedicated staff are on hand to run their jurisdiction's elections. To share the knowledge and experience

Wrap it up quickly, please.

Going quickly, I released the 2018 election security playbook for Orange County elections, and I've attached that to my written testimony. Thank you, and thank you, I look forward to your questions.

Thank you, I appreciate it. Dr.
Sweeney.

Thank you, Chairwoman Sherrill, Ranking Member Norman, Chairwoman Stevens, Ranking Member Baird, and members of the committee. I'm not going to read. I presented a written testimony I'm not going to read from, and instead I'd like to give you just some highlights. Let me first tell you a little bit about myself. I have a PhD in computer science from MIT, I'm a professor of government at Harvard University, and I was the former chief technology officer of the Federal Trade Commission. For the last 20 years my research mission has been to scientifically investigate and reveal unforeseen consequences of technology and its impact on society. I put names to health data that was supposed to be anonymous, and that's cited in the preamble of HIPAA, and it led to a new field of study called data privacy. I documented adverse racial discrimination in online ad delivery; that's led to a new area of computer science study called algorithmic fairness. I train students to be the same type of technologists, to work in the public interest, and my students have improved practices at CMS, Facebook, Airbnb, just to name a few.

In 2016 we gathered together 50 computer scientists and social scientists and civil society organizations and said, what are the most pressing problems? They made a list of 75. We then asked them to tell us which problem did they think was the most important for us to investigate for the year. They said elections. It was January 2016, and we began doing just that. We found different kinds of problems around misinformation campaigns and things like that on the internet that were brought to our attention. Eventually, though, we began realizing how broad the election system is. The surface area of it is huge. Every one of those boxes has its own nature of a vulnerability, and the rest of my talk is only going to talk about what's in that upper left corner. It was motivated by what happened in Riverside County during the primaries in 2016, in which Republican, it
was a closed primary, Republicans showed up and instead of getting a Republican ballot they got everything but; many hundreds of them got everything but a Republican ballot. There was no break-in, there was no database breach; it just seemed like somebody changed all these records through the online system. And so this idea that you could just change the voter's address, which changes their polling place, which could disenfranchise voters, not in a primary but just in the general election. And there are other ways too: if you impersonate a voter and you could go online, you could make a big difference, whether you wanted to make a local impact on a local election, whether you want to shave points off of an election, or whether you wanted to disrupt the election altogether. So that gave us a set of research questions and we dug in. We found 35 states and the District of Columbia had a website in which a person could change their voter registration online. These were not always voter registration websites; many of them were also from the DMV, the Motor Vehicle Division, as well. As you can see, the problem here is how does the state know who you are? In the case of Delaware using this system, it was the first name, last name, date of birth and zip code. But there are many places where I could find the name, date of birth and zip code of people who live in Delaware. They had an alternative that used the driver's license and date of birth. Here is another example from Alabama. This is the summary for all of the states, all the websites that we found, and the information that they require. Most of them will require some combination of demographics like name or date of birth or maybe address. Some of them require some government-issued number like a Social Security number, or a part of it, or a driver's license number. None of them necessarily required all of them, or they were the same. The second question, though, is where would you get this data? And we found no shortage of the availability of the
data. You could buy voter lists directly, you could buy voter lists from brokers that have a lot of the information, and some voter lists were just posted freely online. We surveyed about 500 popular data brokers to get SSNs and other kinds of information, and we went on the dark web and found that you could find a disturbing amount of information, also including all of the Social Security numbers of Americans. At the time, eleven of those websites had CAPTCHAs, these ways to try to figure out who you were, but in 2016 every CAPTCHA, including the Google CAPTCHA you see at the bottom, could be automated to be defeated. So with people who had virtually no experience, with about one page of Python code, you could automate an attack, and the cost of doing that, including the virtual machines to do it and to wait its time turn: if I wanted to shave 1% of the voter information off of the voters from those locations, it would be twenty-four thousand dollars across all of them if I use name sources; it drops to ten thousand if I was willing to also use darknet information as well. We're not saying that it did happen, we're just saying that this is possible to happen and it's a real vulnerability. Homeland Security had recommended this kind of vulnerability assessment. We're happy that we were able to participate, and we are updating now as to what has been the response. I better stop there. Thank you.

Thank you. Mr. Ziriax.

Thank you. Thank you very much, and I do want to thank my representative, Ms. Horn, for the kind introduction. I am her constituent, so I think that's a prerequisite when here, but thank you very much for that. I also want to thank the full committee ranking member, Mr.
Lucas, who is also from Oklahoma, who ensured my invitation here today. So, Chairwomen Sherrill and Stevens and Ranking Members Norman and Baird, also Chairwoman Johnson of the full committee, and distinguished members of the subcommittees, I want to thank you for the opportunity to testify today. My name is Paul Ziriax. I'm the secretary of the Oklahoma State Election Board and the chief state election official. Different from many states, Oklahoma has a voting system that is uniform and statewide, owned and controlled by the State Election Board. Our system uses paper ballots that are hand marked by voters and counted by accurate, reliable, precinct-based optical scanners, and no matter where you are in our state, voting is the same. We have the same style of ballots, the same voting hours, the same standards and regulations, and the same accurate optical scanners. In my written testimony you can read much more about Oklahoma's election system and procedures, including our relatively low costs, the bipartisanship of the system, and the speed with which we are able to count ballots and certify results. In my opinion, Oklahoma's uniform system helps make it more secure, easier to maintain, more efficient, more cost effective and more equitable to voters across our state. In my written testimony you can read about our security features of the system, but we are very proud that our system is auditable and verifiable. At my request, my state legislature passed a new law this year that authorizes post-election audits beginning in 2020. But as an election official I do want to say, although I want to make voting and voter registration as convenient and as accessible as possible, we as election administrators and policy makers must be cautious about sacrificing too much security in the name of convenience. I will say, in 2017, when I learned from Homeland Security that Oklahoma was unsuccessfully targeted, was one of the 21 states unsuccessfully, or at least we were unsuccessfully targeted, we
have taken a number of steps to improve election security. For example, our systems are actively monitored and protected by our state Cyber Command. We joined several federal and state agencies to create an election security working group to enhance communication and information sharing. We are members of the EI-ISAC, which is the election infrastructure information sharing network. We work closely with state Cyber Command, NASED and social media sites to help protect against misinformation campaigns, and our County election boards are now required to notify the state if physical intrusions or cyber incidents occur in their counties. Now, speaking only for myself, I do want to offer some recommendations. The VVSG, which was mentioned earlier, should remain voluntary and should contain broad-based goals that states can determine how best to implement. These standards, though, must be flexible so that they can adapt to changing threats and technology. Academia should work closely with current election administrators so that its recommendations are viable in the real world of election administration. All of us in this room should take great care so as not to unnecessarily alarm the public or cause distrust in elections, especially when discussing theoretical threats without noting actual protections that exist against those threats. Under our federalist system, the states should continue to administer elections in our country. I do not believe that election administration should be federalized, and I believe that mandatory standards and certification procedures should not be forced on the states. The federal government should make technical assistance, best practices, voluntary standards and intelligence available to the states. Sustained federal funding for election security or for upgrading voting systems can be very helpful, but excessive mandates could cause states to refuse those federal grants. And when possible, I think intelligence regarding election security threats should be
declassified quickly and shared with state and local election officials. And I do believe that every state should use voting systems that are auditable and verifiable, but that states should determine the best methods for auditing their elections. In closing, my biggest concern as an election official is protecting the public's faith and confidence in the integrity of our elections. If citizens lose faith in our elections, then we risk losing our very representative Republic. Physical security and cyber security are a great concern, but the easiest way to disrupt our elections, and what we've already observed, is for our adversaries to sow discord and spread misinformation. I encourage federal policymakers to keep in mind that each state is different, and that imposing one-size-fits-all mandates on the states for election policies or security procedures could be disruptive and expensive and could unnecessarily create an adversarial relationship at a time when a cooperative partnership is needed. And with that, I thank you for the time.

Thank you. Dr.
Benaloh.

Thank you, and good afternoon, chairs, ranking members, other members of the subcommittees. I very much appreciate the opportunity to speak before you this afternoon. My name is Josh Benaloh. I'm senior cryptographer at Microsoft Research. My 1987 doctoral dissertation at Yale University was entitled Verifiable Secret-Ballot Elections, so I've been working on election technologies for an embarrassingly long time. I also had the privilege and pleasure of serving alongside Neal Kelley on the National Academies' recent report on securing the vote, and appreciate that experience as well. There are thousands of election jurisdictions in the US, over 8,000 by most counts, and most are very small with very limited resources. Threats come from nation-state sponsored adversaries. In many cases this is an asymmetric battle, and while we have certainly a responsibility to harden our election infrastructure to the extent that we can, we should recognize that we cannot realistically make our election infrastructure impervious to attack. While we cannot guarantee that attacks can be prevented, we can guarantee that they're detectable, and the National Academies report recommends pursuing two technologies that enable auditing that enables us to detect any attacks on our infrastructure. One is called risk-limiting auditing; the other is end-to-end verifiability. Risk-limiting audits are an enhanced form of traditional audits, managed by and overseen by election officials, ideally together with and in cooperation with members of the public. They use advanced statistical methods to make the auditing process more effective and more efficient, and they have been piloted in many jurisdictions, probably about a dozen jurisdictions around the U.S.
in recent years. End-to-end verifiability is something entirely different. It's a public means of auditing. It's a method that allows anyone, after an election closes, at any time, to conduct an audit. There's no need to wait for election officials or for judges to issue court orders. Candidates, members of the news media, interest groups and even individual voters can check for themselves that the votes have been counted correctly. Any and all tampering can be detected, not just external tampering but even insider tampering due to faulty equipment or improper actions by election personnel. End-to-end verifiability effectively answers the question: how can I trust the results of an election when I don't trust the people or equipment on which the election has been run? This is not a new technology. It has actually been around for decades; its seeds go back to the 1980s. But it has evolved during that time and improved and become more efficient and more practical and more friendly, and is ready for wide-scale deployment at the time when I believe we most need it. Just over a year ago Microsoft announced its Defending Democracy Program, and as part of that, just last month Microsoft announced its ElectionGuard system. Microsoft is working with partners including Columbia University and a Portland company called Galois to build a free open-source software toolkit that enables both end-to-end verifiability and risk-limiting audits. This is not intended to replace existing systems for counting votes. It goes alongside; it makes it possible to have an auxiliary verifiable count that is verifiable by anybody at all. We are working with many vendors to promote the adoption of this technology and seeking jurisdictions for initial pilots. The technical details will be released shortly, and the toolkit that enables this will be available later this summer. There are, however, regulatory challenges to making this happen, and the NIST and EAC guidelines that are in existence today are somewhat old and dated;
they do recognize new technologies; they're not very flexible. So we very strongly support and encourage the adoption of the new VVSG 2.0 guidelines that are in draft form and hope they will be adopted very soon. There are numerous other challenges facing our election infrastructure, technical, financial, educational and others, and Congress in collaboration with states can help to provide consistent funding sources and address many of the challenges we face. Thank you very much. I look forward to your questions.

Well, thank you. Before we proceed, I would like to bring the committee's attention to statements we have received from the Brennan Center for Justice, the Center for American Progress and Verified Voting. We've also received letters to the committee from the National Election Defense Coalition and Common Cause. These documents highlight priorities that members of this committee should consider as we look to assist states in their election security efforts. Without objection, I will enter these documents into the record. At this point we will begin our first round of questions, and I'll recognize myself for five minutes. So first I'd like to start, if I could, with Mr.
Kelley. In 2018 my home state of New Jersey received a HAVA election security grant of nearly nine point eight million dollars. So with this money, I'm happy to report, we plan to purchase a number of voting systems that use a voter-verified paper trail audit (I'm sorry to report that New Jersey does not have that at this time) and to conduct a number of pilot programs with new systems. So what advice would you have for a state that decides to scale up their post-election audit pilots to a statewide application?

Well, thank you, Madam Chair, for the question. I would have to go back to the discussion on risk-limiting audits and using that as really the benchmark for auditability post-election. In California we use two auditing functions right now. One is the 1% audit, which audits 1% of the precincts, the ballots that are cast within California, and then the second is the option of conducting a risk-limiting audit. Opening that up in a statewide function like we are in California I think is the proper way to go, because it does give you that extra look and comfort at auditing functions post-election. Even if you're manually counting the ballots, this gives you that extra added security and assurance that the ballots are counted correctly. So when you're looking at ramping up an auditing function, I think risk-limiting audits is certainly the way to go, and there are so many states and counties and jurisdictions right now that don't utilize any auditing function, let alone a risk-limiting audit.

Thank you very much. And Dr.
Sweeney, with the money we received we're also making plans to allocate funds to implement any necessary changes to the statewide voter registration systems. I know NIST and the National Academies have a lot of recommendations for how to do this, and given your experience examining vulnerabilities in a broad swath of voter registration systems, what do you think are some of the most important first steps that New Jersey can pursue with these funds?

Well, a lot of my colleagues on the panel have really focused a lot on traditional computing cybersecurity kinds of threats: break-ins, ways that the data can be tampered with, changing the flow of the data. The example that I gave is not a break-in, it's the opposite. It's the fundamental problem we have in the United States about identifying citizens or identifying Americans, and it's on how do we go about doing that when so much of the data on Americans is so publicly available. The study also gives us a hint at what was the best answer. Texas was the most difficult of the states, and it's because it used driver's license number but it also used the number that was printed on the surface of the driver's license itself. It wasn't enough for us to stop the attack, but it raised the cost, because the only place you could get scans of actual driver's licenses to get those numbers was on the dark web. Those extra numbers weren't available elsewhere. So that gives us a sense of a way forward. Intrusion detection would also help. I would just say one more thing to New Jersey, and that is the idea of independent assessments is really important. We went through this with health care. If you build a system and you say, this is what my security people say is good, and you test it, you're testing what you built it for. The reason you do independent assessment is the things you never thought of; it's the surface area you can't possibly think of. And the second
part of that is whether or not New Jersey, then, if a vulnerability is found, how robust is the response by New Jersey. We learned in the healthcare industry that if the hospitals just try to pretend it didn't happen, to reassure everyone, that that's not nearly as good as a hospital who says, oh, I had this vulnerability, we fixed it up, now we're ready to go. That kind of robust response is much more trustworthy, so I would recommend that approach.

Thank you very much. And then, Dr. Romine, I have some straightforward questions for the record for you. Does NIST currently have the legal authority to develop technical guidelines for electronic poll books?

Thank you for the question. Under the Help America Vote Act, the work that we do with EAC is constrained to voting systems, which are defined more narrowly. However, we do have a broad mandate for cybersecurity for a broader number of systems, and in the COMPETES Act we have more authorities there for cybersecurity in those systems.

Thank you. And what about for voter registration databases and local election websites?

That would be the same answer: not under HAVA, but under other authorities that we have, we could do work there.

And same answer for election night reporting systems and ballot reconciliation method of growth? All right, well, thank you very much. Thank you all. Now I'd like to, sorry, turn it over to Ranking Member Norman for five minutes.

Thank you, Chairwoman Sherrill. Secretary Ziriax, the substitute amendment to H.R. 2722 appears to contain several provisions that pertain to the administration of elections as opposed to election security. To me it appears that these election administration provisions are a federal overreach that really encroach upon the function of state and local election administrators and their job. What are your thoughts about the bill? And as an example, it looks like the bill requires paper ballots to be printed on recycled paper produced in the United States,
and is that your read of the bill, and what would a mandate like that mean for Oklahoma?

Well, in general, let me say that when I was working with one of my home state senators, and I apologize for mentioning a member from the other body, but Mr. Lankford, when he was working on some election security, I told him many of the same things I'm about to tell you: that I do believe that it's important to remember the differences between different states. The recycled paper, for example: it is in the bill, I did read it there. I'm not exactly sure what the security purpose of that is. I know that with our current voting system it cannot use recycled paper because of the sensitivity of the scanners, and if we were required to use recycled paper it would actually run the risk of causing false readings.

In your opinion, do you think the election administration provisions of the bill reach too far into the administration of elections, which really is inherently a function of each state?

In general, I think broad guidelines are better, and leaving specific decisions in the hands of the state is better.

OK. Mr.
Kelley, you briefly discussed VVSG 2.0 and how it is structurally distinct from previous iterations of the VVSGs. Specifically, you indicated that the new structure is aimed at providing high-level principles and guidelines on functions that are incorporated into devices that make up a voting system. From the perspective of state and local election officials, do you think the high-level approach taken by the VVSG 2.0 provides a more workable and implementable set of guidelines when compared to the previous iterations?

Yes, sir, thank you for the question. Actually, from the standpoint of security, reliability, usability and accessibility, I definitely believe that the principles and guidelines are high level. They are certainly a good road map for heading down that path, but they're not in the weeds; they're not the test assertions, they're not the requirements. So as it stands, those principles and guidelines in VVSG 2.0 I think are light years ahead, sir, of where we were.

OK. And Secretary Ziriax, based on your experience, do you believe that a high-level approach is more workable and implementable, and is this the right approach?

In my opinion, yes. I'm very supportive of the VVSG 2.0 guidelines that are out there. Although I'm not speaking for the National Association of State Election Directors, NASED, I am a member, and I know that they have expressed concerns about a second part of that, where I know the EAC is seeking to vote on the actual testing standards. And my concern there is that, with what we've seen in the past with a lack of a quorum at the EAC, you run the risk then of getting stuck, as we currently are, without updated standards.

Thank you. And Dr.
Romine, in layman's terms, can you describe what the election profile to the cybersecurity framework is, how it functions, and how it stands to help state and local election officials fortify their election systems?

Yes, sir. The cybersecurity framework that was spearheaded by NIST and is now being adopted around the world is a high-level document that is applicable and scalable to a wide variety of different sectors of the economy. For example, in order to be maximally useful to a specific sector, in particular the critical infrastructure sectors that include now the election infrastructure, certain tailoring needs to be done to the cybersecurity framework to make it maximally effective, and that's what we're actually working on right now. So it's essentially making sure that we make decisions that are predicated on the needs of a particular sector.

Great, thank you so much. Y'all have been very responsive, and thank you for your questions. I yield back.

Thank you, Mr. Norman. The chair will now recognize herself for five minutes of questions. And certainly we were capturing the nuance here, and how important the R&D is, and the trustworthiness and the honesty and the integrity of our election systems. I represent a suburban district in southeastern Michigan, and after the 2016 election Michigan replaced its aging voting machines in basically every county in the state, spending 40 million dollars in state and federal money to do so. And it's one of at least four states, along with Florida, Illinois and Wisconsin, that used those cellular modems to transmit unofficial election results, and Michigan officials have said that the state's election machines are not connected to the Internet, eliminating a major hacking risk. Our Secretary of State, Jocelyn Benson, has implemented a Security of Elections Commission, a first-of-its-kind commission that's coming into formation this year. She's a newly won secretary of state who's come in and put in that commission. So Michigan
voters are using paper ballots that run through an optical scan voting system, and as we've noted, this week the House is considering H.R. 2722, the Securing America's Federal Elections Act, which would require paper ballots and manual counting by hand or optical scanning systems, which is sort of a nice springboard to what we're doing here today, which is digging into the technology, talking about the R&D, relying on your expertise. This is a really robust panel. And there's obviously some ongoing debate about the use of modems and Internet connectivity in elements of the election system. NIST has named this as one of its open areas, so-called open areas, still being considered in its ongoing efforts to update its Voluntary Voting System Guidelines. And so, Dr. Romine, can you just tell us where NIST is headed with this? Will this give us an affirmative finding about whether voting systems should avoid wireless and cellular modems and minimize Internet connectivity?

Thank you, Madam Chairwoman. First I'd like to mention that the VVSG, the guidelines that I've described, are not solely NIST guidelines, but we're in partnership with the EAC and with the TGDC, which is the advisory committee, so there's a number of people involved in the guideline development. But certainly in the principles document in VVSG 2.0 we talked about some of the concerns regarding Internet connectivity, for example, or actually in VVSG 1.1 we talked about those concerns. We've had guidelines in the past about, you talked about the paper ballots, about auditability. In the guidelines that we put out, we're not specific on the way that you can obtain auditability; we just try to ensure that auditability is available. With regard to cellular modems or any specific technology, we don't get into that level of detail, but we do talk a lot about the importance of Internet connectivity for voting systems as being a challenge to be managed.

Dr. Benaloh, would you say that
the general opinion of the computer science community as to whether the risks of Internet connectivity and wireless access can be adequately mitigated?

I think the consensus is that not at this time. There has been a good deal of exploration of use of Internet technologies associated with voting equipment, and there have been some studies looking at possibilities of how this might be done, and I believe the consensus is it would be premature to apply any of those technologies today.

And Dr. Romine, each fiscal year NIST receives about the one to two million dollars in appropriations transferred from the EAC budget to conduct its voting research, if I have that right, and testing work required under HAVA, and these annual funds have declined even as needs have grown. How many NIST staff work on the NIST voting system project?

We have five federal employees in my laboratory. Four of those are part-time, one is full-time, and then we have approximately four contractors working with them. That's the extent of our capacity currently to address these issues.

And under those circumstances, how do you prioritize your voting technology efforts given limited resources and constrained staffing?

Well, I'd like to point out that the activities that we have in cybersecurity are considerably larger than this one effort, and many of the research activities that we engage in are applicable in some ways to voting systems, and in particular to the more traditional systems like the voter registration systems, which are much more similar to the mainstream IT systems. So we do leverage a lot, and I'd just like to say we're very proud of what we do with the resources that we have.

We're proud of you too, and we're also proud of your fabulous description of NIST in your opening testimony. We must have faith in our government, we must have courage, we must stick to our principles, for the people, by the people. I don't even say bipartisan; I talk about the things
that bring us together as a body. And with that I'm going to yield back, and I'm going to call on my fabulous colleague Dr. Jim Baird for his five minutes of questioning.

Thank you, Madam Chairwoman. Was that part of my time you were using or not? Anyway, Dr. Romine, when you look at your knowledge and your experience and the number of times you've been here, maybe I should just allow you to decide what question you would like to answer, but I'm not going to do that. Here's a question. In past testimony you mentioned the importance of collaboration with stakeholders in the realm of elections, and to be successful in creating voluntary standards. How often does NIST meet with election officials, with the industry, outside technical experts and advocacy groups, and what's been produced as a result of these meetings, in your opinion?

Thank you for a question that allows me to brag about NIST a little more. I appreciate that very much. The subcommittee meetings I talked about and the various task groups have virtual meetings bi-weekly, in some cases weekly. The level of engagement is high, the amount of participation is high. The work that we're doing on the development of the guidelines and in the cybersecurity framework profile that I talked about is a testament to the productivity of those activities. We work collaboratively with the Department of Homeland Security, and obviously with the EAC, in tackling some of these challenging issues with regard to security of many kinds, but security of our election systems in particular. On the industry front we have strong collaborations. One of the secrets of NIST is, because we're non-regulatory, I like to say aggressively non-regulatory, we have a very strong working relationship with industry in many, many different sectors of the economy, and certainly we have strong relationships with the election vendors as well.

Thank you. Dr.
Ziriax, in your written testimony you described how efficient Oklahoma's election system is, and you state that the efficiency of Oklahoma's voting system is by design. How can we at the federal level of government ensure that you get what you need to bolster the security of Oklahoma's election system without reducing the efficiency that your system was designed to achieve?

I'm very proud of our system. As I mentioned earlier, it's paper-based, it is auditable, it is verifiable. We use optical scanners; we have since the early 1990s. That's when we first developed our statewide uniform system. In my opinion, the best thing that Congress can do is to help ensure that we have the resources from various federal agencies for help. One of the things I'm very proud of is the working relationship that we have with local, federal and state officials. Department of Homeland Security, both state and federal, FBI, our state Cyber Command, they and others are all part of an election working group that we have, and I think making sure that those various entities and agencies have the resources to work with their local and state election officials is very important.

Thank you, and I have one more question for you. In your closing remarks you said that the federal policymakers should keep in mind that each state is different, and that imposing one-size-fits-all would be disruptive, expensive, and could create an adversarial relationship between state and local officials at a time when cooperation and partnership is very much needed. So how can we best help states improve the security of their election systems without encroaching on their constitutional prerogatives, and at the same time ask any other things that you might consider important?

Well, I thank you for the question. Oklahoma is different from other states. My state has a little over two million registered voters. I believe Mr.
Kelley's county has about two million registered voters I have counties in my state with fewer than fifteen hundred registered registered voters that are that are staffed by one County election board secretary and one staff person and and I think you know you have to keep in mind that as you're looking at election legislation the broader that you that you make any requirements the more that you leave to local and state election officials to decide how to implement those the better we and we can make it work for our states I know that I believe in Oklahoma we know more how to run elections in our state than you know someone from Washington DC or maybe a college professor from another state for example thank you and I'm out of time so I'm sorry I'd only have questions for the other three of you but thank you for being here thank you and the chair now recognizes Mr. Tonko for five minutes of questioning thank you madam chairwoman and thank you for holding this hearing and thank you to our witnesses for joining us election security goes to the very heart of America's ideal of government of the people by the people and for the people we need to look no further for evidence of this fact than the widespread well-documented and ongoing attacks of America's adversaries on our election systems our enemies recognize the power of our elections and we must do the same today is primary day in the state of New York and I am reassured that New York State has been taking election security seriously I'm deeply concerned about the U.S.
intelligence reports that 21 state election systems were targeted by Russian hackers during the 2016 election cycle I agree with Special Counsel Mueller that all Americans should be concerned about the multiple systemic efforts to interfere in our election this must be a wake-up call for all of us assuring the principle of one-person one-vote requires balancing security and accessibility and developing election technology it is crucial that the technology be both secure and accessible for blind Americans or people with other disabilities that can make it harder to vote in election infrastructure there may be places where security and accessibility seem to compete with one another so Mr. Kelley is this the case are there places where the needs of blind voters or voters with disabilities are at odds with some of the efforts that have been undertaken to modernize election infrastructure thank you sir for the question and I think at times in the past that was the case I think with technology and where we are today we do have the capability to produce paper ballots that can be used by voters with disabilities and can be verified by the voters with disabilities and I would say the one area where they probably still intersect which is a little bit difficult is the remote transmission of ballots to individuals who are voters with disabilities that's an area of concern that I think we need to keep an eye on and security is very important in that regard but I agree with you sir we can't lose sight of making sure that it's accessible at the same time so that technology gap that you just identified is that resolvable or I believe it is I think we're at a point now where we can transmit the ballot directly to that voter it can be verified and marked and printed out and then mailed back so there's no transmission of that ballot over the internet or over any network so I do think it's solvable yes sir thank you and doctor bunola did I say that correctly it's Benaloh Benaloh
thank you based on Microsoft's work with election officials what do you believe is the current cyber security posture and readiness of the average state election office and is there even an average or any are things all over the place I think it would be hard to define an average of any kind states are and local jurisdictions are certainly working to try to improve things but there is certainly a lot more that can be done and you're hoping that with consistent funding new technologies new a new regulatory environment will be able to enact better systems with better technologies that can better protect the American voter and Mr. Ziriax what are the election security concerns they keep you up at night going into 2020 it wouldn't when I'm looking at there they're really three potential threats that we face one is misinformation that has happened it I think it continues to happen obviously cyber intrusions and I haven't heard anyone yet today mentioned physical security you know you could have physical security threats at polling places or at election offices but but all three of those things are things that we should be concerned about and and in my opinion should work together state and federal officials finding common ground about how to move forward thank you Mr. Kelley what about you I would just add to that I definitely agree with what he's saying cyber physical but I would also add social one of the things that keeps me up at night is how well-trained are my election staff to make sure they're not clicking on links they shouldn't be clicking on okay that's really in the weeds I know thank you and Mr.
Kelley help us understand how the paper trail works and why it is important when you talk about establishing a paper trail and all voting jurisdictions what does that paper trail look like and why does it need to be readable by humans yes sir so I'll just give you a quick example in California we're required to have a paper trail in our electronic voting booths and that paper trail prints out the voter can look at that and see what their selections were before casting their ballot they don't take that with them but it's included as part of the official record the reason that's very important is because that is the official record when you go back in a recount or an audit you're looking at that paper record you're not looking at the cast vote record or the electronic portion of that ballot cast so it has to be human readable so anybody looking at that can determine what are the true results here thank you thank you very much with that I yield back madam chair thank you and now the chair would like to recognize Mr. Balderson for five minutes of questioning thank you madam chair good afternoon everyone and thank you all for being here Dr. Romine my home state of Ohio is requiring all 88 counties to request a risk assessment from the Department of Homeland Security by next month can you speak to how the suggestions NIST lays out in the voluntary voting system guidelines can mitigate common mistakes found in DHS's assessments I'm not sure that I would that I can do exactly that what I can say is the guidelines that we promote through the EAC are intended to guide election officials to understand what the priorities are the DHS program of assessment is is an independent activity that I think is valuable to many localities in trying to determine whether they have adequately protected those and and thought of all of those particular issues okay thank you next question is for Dr. Dr.
Benaloh does an end-to-end verifiable system like has been suggested by some replace current technologies or can it be used alongside them to ensure integrity in our election system it can absolutely be used alongside end-to-end verifiability offers an independent pathway by which voters can check for themselves that the election results are correct it doesn't need to replace current systems at all it can be an entirely separate and parallel thank you very much for your answer madam chair I thank you to the gentleman from Ohio and at this time the the chair would like to recognize Mr. Beyer for five minutes of questioning thank you madam chair very much and thank you very much for holding this long overdue hearing last Congress I repeatedly asked our former chair to hold hearings on election security after all of the reports about Russian interference and now certainly our fears have since been confirmed they've been verified and and I'm really so concerned that the Trump administration and the Senate Majority Leader refused to take action in May 2017 President Trump announced the bipartisan presidential Advisory Commission on election integrity and appointed Kris Kobach as his chair despite what we now know about his concerns about his investigators connection to white supremacy and the foremost artists of the Commission was to investigate voter fraud this is the step that Mr. Trump took after making the unsubstantiated claim that three to five million people voted fraudulently in the 2016 election and it appears the primary purpose of this commission was just to try to support that contention that he has somehow won the popular vote in one of his only accidents the Commission asked States to send in all their voter registration lists including personal information like Social Security numbers in return the Commission mostly received us lawsuits and then Trump decided to disband it Mr.
Kelley as an election administrator and a general expert with a lot of experience how frequently do we see actual voting fraud where individuals actually cast fraudulent votes well thank you sir I can I can speak to my jurisdiction only and in Orange County there have been very few prosecutions for voter fraud in general I will tell you the majority of those have been under voter registration so individuals who are out registering individuals to vote they may change information on the voter registration cards we have not seen any instance of in-person voter fraud where someone would show up in a polling place and present themselves as somebody other than who they say they are it's mainly been in the voter registration side in the last 15 years I would say there's about five to six instances that have been prosecuted yeah and in 40 years to do in politics in Virginia I could remember exactly one instance that at least made it to the newspaper and that was a former state senator who moved between his last elects and voted one place and then forgotten voted the other place he pled guilty and was left can any of our panelists explain to us concisely the difference between voter fraud and election fraud is there let's move on well I have a Dr. Benaloh given what we learn today about the information about the security and vulnerabilities and data how much risk would there have been if the states that complied with the commissioners request and sent in all that data including Social Security numbers it's very hard to say much of the data I believe that was requested was public but certainly there were were non-public data that were requested the more hands that that touch sensitive data the the more exposure there is and transporting it is always a somewhat risky endeavor but it can be done well it should be done well Mr. Kelley Mr.
Ziriax you're both on the front lines do you feel you've received enough resources to be fully prepared for the 2020 election no sir I think we've made tremendous strides in the right direction but I think that funding is always an issue I will say that I am grateful for the funding that we have received because we've been able to start securing new systems in California and that will be a leap forward for 2020 but I would never sit here and tell you sir that we're a hundred percent Mr. Ziriax thank you thank you for the question you know in the election business we never have enough resources no matter no matter which particular issue you're talking about I think but in general I'm very grateful for the for the federal funds we've seen received we just as we were with our initial HAVA funds have been actually a little slow to spend the security funds that were granted last year we have we've actually begun by spending our state match first and and and while we do have a list of items we were provided the Election Assistance Commission we're actually reviewing those with with our state Cyber Command because there may be some additional changes that would be more cost effective given the limited dollars but I I would repeat what I said in my opening statement sustained funding is better and the fewer the mandates the more likely you are to get state purpose participation in the grant process well thank you very much thanks for being here this afternoon madam chair I yield back thank you to the gentleman from Virginia at this time the chair would like to recognize Mr. Gonzalez for five minutes of questioning thank you madam chair and thank you everybody for being here today on this incredibly important topic to Mr. Ziriax and Mr.
Kelley you both have unbelievably important and critical jobs in securing our democracy and I thank you for your service to your states and by default to our country we in Ohio have an outstanding Secretary of State in in Frank LaRose and I share Mr. Ziriax's opinion that I have no interest in dictating to him how to do his job I trust him I voted for him as did many Ohioans and and I think it's our responsibility at the federal level to empower you to do your job as effectively as possible and specifically one area where I think we can do a better job at the federal level is helping on a cybersecurity standpoint Dr. Benaloh I want to start with a question for you one thing we hear and on the Financial Services Committee on that committee and across industry is if you don't believe you've had a cyber attack it's because you you're just not aware of it would you would you share that opinion I I think that's a reasonable adage I'm sure there are exceptions to that but but not knowing not not having seen an attack does not mean that in fact did not happen that's certainly true absolutely and then I guess my follow-up then for Mr. Ziriax is and with that in mind how can we better equip you how can we better prepare you for the coming election and going forward from a cyber security standpoint thank you for the question in in my opinion continuing the federal partnership that we have locally is something that that is going to be very helpful I know that our local FBI field office local Department of Homeland Security officials have been very helpful whether it's sharing intelligence whether it's providing physical security assessments and I making sure that those functions are funded and perhaps staffing is expanded there are only two U.S.
Department of Homeland Security officials I believe in the entire state of Oklahoma and one of them has attached to our state fusion center but you know for me personally I think making sure that funds are available and not just funding but the expertise and resources are available to to election officials to help us secure our own systems thank you Mr. Kelley same same question yes there's similar answer but I would I would tell you that in California at 58 counties most of those counties have not taken full advantage of all the services the DHS has to offer I've done that in Orange County but I think additional resources for training and pushing that those resources out is very important and the backlog because it's taken a little bit of time got it and then switching to VVSG generally and then 2.0 Dr. Romine it strikes me that one of the hardest parts of this is we are playing an asymmetric dynamic game essentially right you're only as good as kind of the last test that you've or the last set of guidelines that you've articulated and the hackers are always kind of one step ahead and so with that in mind I guess how how should we think about updating your mandates from a VVSG standpoint to make sure that we are ahead of the game or at least not you know in this world where we're doing at every couple years it seems like we'd want to be continuously updating this information thank you for the question I I think you've just articulated one of the reasons why the high level principles approach to VVSG 2.0 was the the way that we felt most comfortable because at the high level principles you're you're not necessarily the the principles are carry through changes in technology more than very much more specific guidelines would do and it gives you the opportunity to frame how you can secure the systems at a higher level great Dr.
Benaloh same same question yes I think the the high level principle and guidelines are very valuable and they afford the opportunity if it is taken to formally adopt just high level principles which are far more enduring and allow administrative revision of the detailed requirements of VVSG to be made adjusted as necessary over time to accommodate changing circumstances fantastic thank you and I yield back thank you Ms. Wexton for five minutes thank you madam chair and thank you to all the witnesses for coming to testify today I also want to thank the chairwoman for holding this hearing this is a topic that's critical to both our national security and the integrity of our democracy so I'm very delighted that we're having this hearing now my home state of Virginia was one of the states that was targeted by Russian hackers in the 2016 election and at the time we were using direct recording devices or paper free voting machines although paper ballots were available in many polling places and my my state has now transitioned back to using paper ballots and they expedited that transition as a result of the hacking attempts but it seems like NIST has been sounding the alarm about insecure voting machines for a long time in the 2007 discussion draft paper of the to the EAC a subcommittee of the technical guidelines Development Committee wrote NIST does not know how to write testable requirements to make direct recording devices secure and NIST's recommendation is that the DRE in practical terms cannot be made secure is that familiar to you Dr. Romine it is okay and in 2011 the NIST working group on auditability concluded that voting systems that do not provide a voter verified paper ballot will be vulnerable to undetectable hacking and cannot be audited effectively for errors in the vote count is that also familiar to you it is okay so but it doesn't seem clear it seem to be clear that election officials at the state and local levels are getting that
warning this warning and the alarm bells that you guys are sounding about the inherent insecurity of paperless DREs even the former chair of the EAC Tom Hicks testified to the House Homeland Security Committee earlier this year that a compromised DRE could be effectively audited to discover a manipulation were you aware of that testimony I believe I was on that same panel okay can you explain that discrepancy or did you agree with that statement by the by Mr. Hicks so I I don't remember the context in which he made that statement I think possibly what he was alluding to was a collection of recommendations for auditability that might include risk-limiting audits so there are certainly opportunities for advanced statistical analysis to be able to reveal the potential presence of anomalies in the in voting but I don't remember exactly whether he was endorsing fully paperless ballots or nothing so going forward how can we ensure that NIST research and conclusions regarding the security and auditability of DREs are given due attention and shared effectively with election administrators to inform policy we have strong relationships with the National Association of State Election Directors NASED and other venues for state officials and we talk regularly with them many of the stakeholders participate in the working groups the cybersecurity working groups working group that I alluded to earlier with 175 members so we're getting the word out there's some awareness building the principle guideline from our perspective is the necessity of an audit mechanism it it it doesn't our our guidelines don't specify how that audit mechanism is is to be done but but the importance of auditability is essential and our guidelines reflect that thank you I will yield back with that thank you Dr. Marshall he's gone okay and so we are now down to Mr.
Waltz for five minutes thank you madam chairwoman and and I want to thank you everyone for holding this important hearing I do share some or have some concern on the timing of it I think this hearing is absolutely necessary and would have would have hoped we could work towards some bipartisan solutions before the majority put the bill H.R. 2722 forward this week that is looking to put 1.3 billion dollars at this issue here nor there I am working with representative Stephanie Murphy and putting together an alerts framework we all know I represent Florida and we all know that two of Florida's counties were were breached as a result of a Russian spear-phishing campaign targeted at at County election officials none of the congressional delegation nor the state officials were notified by the FBI or DHS as a result of that intrusion in 2016 the bill that we are working would seek to correct that problem not only should officials be notified but Floridians and the voters should be notified and in the guise of maintaining confidence in our electoral system so part of the issue was that the Russians targeted employees of a Florida based manufacturer of voter registration software VR Systems VR Systems has confirmed to the media that they were the company that was penetrated they have responded to a letter from Senator Wyden that they did not click on an attachment the email however we do know that VR Systems use remote access software on election management systems it's sold to the counties leading up to that 2016 election we don't know if their systems were hacked as a result of the remote access software and DHS is conducting forensics analysis so I promise you I'm getting my questions look at the end of the day the company responded that they had been following NIST cybersecurity framework that we've talked about prior to 2016 and they continue to do so today so this gets to my question Dr.
Romine under HAVA NIST is directed to develop voluntary the VVSG right we know that the law defines voting systems for the purposes of mandating NIST to create standards for testing and certifying voting systems not included in the definition of voting systems which I know we've gotten to somewhat today but I want to really spend time on this point not included in the definition of voting systems are voter registration portals and voter registration databases and because of this there have been questions whether this vendor in particular but I think it's a broader question whether this vendor VR Systems implemented NIST framework because again there's issues now with the definition so although NIST guidelines are voluntary and you're not a regulatory agency which i think is correct regardless of whether the standards meet the definition of voting systems under the law so question one how would how would authorizing voter registration portals and databases under the Help America Vote Act under HAVA improve NIST's ability to provide innovative standards with respect to registration technologies thank you Mr.
congressman the the guidelines that we currently provide under HAVA the scope of those guidelines is controlled largely by the EAC who makes the determination of what is what is in scope or it's there it's their interpretation of HAVA the the role that we play in cybersecurity broadly allows us the opportunity to provide things like the cybersecurity framework and other guidance on more traditional IT type systems such as those that generally are used for voter registration databases and and other e-pollbooks and so on so we already have guidelines in place that might be applicable it would be the change there would be that those guidelines would be incorporated into the EAC database for example for for VVSG guidelines and and that would be more directly perceived as more directly relevant to election officials I am out of time but just for could you submit for the record that how doing so and how changing those guidelines when incentivize companies and vendors for example VR Systems and other registration software companies to follow to following us guidelines and implement the framework I'll be happy to respond to them thank you I yield my time thank you and next the chair recognizes Ms. Horn for five minutes thank you madam chair and thank you for allowing me to join this subcommittee on such an important issue today i we have covered a lot of ground today and in this is such a critical topic I want to tackle a couple of questions for I think most of the panel just in a slightly different direction it seems to me I've heard both Dr. Romine and Mr. Ziriax say very clearly and explicitly that we have to work to balance being the accessibility and convenience and making sure that people can show up and cast a ballot and not making it so hard to cast a ballot that we disincentivize participation in the system with a reliable and secure system I absolutely agree and this is a challenge to balance and Dr.
Sweeney in your presentation in your testimony we're looking at two sides of this coin we're looking at the the voting system and the very the ability to verify votes and the security but also the database and and so we've got two different pieces to this as I see it so I want to start with the Vera the piece of the verification and and how we can put parameters around that to continue to ensure the confidence and the auditability of our voting systems I noted Mr. Ziriax in your testimony in your presentation that that Oklahoma and I think chairwoman Stevens mentioned this as well has has three as I see them fundamental baseline principles that help the bear the ability to verify and an audit votes paper ballots a statewide system that is uniform and owned by the state which helps lay differences between the different counties and and the fact that the systems in Oklahoma aren't connected to an Internet source which is another another challenge so my my question and we've talked about how we set these standards the VVSG 2.0 VVSG that it seems that we have states that aren't even getting up to the the baseline so i Mr. Kelley and Mr.
Ziriax I'd like to hear your opinions about the the need to set baseline standards that all states have to comply with of course assuming we're going to help provide the funding at the federal level to help with that thank you Ms. Horn and and I think there's a you know there's a fine line but between say providing the the guidelines and allowing the states to determine how best to do that and and some things I mean just just to give an example and again these these are similar things that I've discussed with about other election bills but the the the bill that's been discussed earlier today the the SAFE Act includes a mandate that new voting systems have to accommodate ranked-choice voting for example and that's in an election security bill me personally you know I view that as a decision that our that our state should make whether we want to move toward that but if if if Congress is going to provide money and wants to say if you want our grants then then you need to at least demonstrate that you're going to attempt to follow the voluntary guidelines that certainly Congress's prerogative and I would concur with that I would just also add that for the end for an example in California there is a an enhanced requirement in California for certification so it just does not rely on the federal standards it goes above and beyond that and I think I would agree also that the states should in many cases make those decisions personal opinion thank you now turning to the to the next piece of this is that that we were gonna have to face Dr. Sweeney you you referenced all of the ways that individuals could perhaps get into different systems that without necessarily verifying their identity so knowing that there are a range of challenges that we may not even know and Dr.
Romine you've spoken to some of these as well do you see any other pathways or potential solutions for example biometrics or anything like that that would help moving forward to protect these systems I think the most immediate answer is it's probably just to follow the best practices of things like using driver's license but it is a it with with additional information off the driver's license and using a modern CAPTCHA device but it is a bit of a moving target because that's not wholly satisfactory that it requires a bigger question about how we authenticate the problem though is it's the the questions that you pose generally around what NIST has proposed and so forth and it was brought up that a lot of what they talked about happened years before they started saying it I'm like that but now years before and you know so there's a so we have a cycle mismatch as well so I think if we're gonna do the cycle if we can move faster like implement something like okay what's the best practice right now to nail that down like the driver's license then we have a better shot at not being victimized by it and having to come back in a few years and say well how many states have improved what they asked thank you very much so we both have to address the challenges now and look and thank you all for your testimony I yield back madam chair thank you and now I would like to recognize Mr. Sherman for five minutes I want to agree with Mr.
Ziriax that the federal government has no business pushing ranked-choice voting or rank order voting those who propose it most are those who most want to undermine the two-party system there are arguments for and against having two major parties in this country but that's not something that the federal government should be pushing on the states my first question is for whichever panelist answers it first what number of states currently require the use of paper ballots and an auditable paper ballot trail do we know how many states do that I thought there'd be a jump in to be the first to answer Oklahoma does and I guess the other states don't matter do we have if we don't have that then I'll ask whichever witness raises their hand first to agree to answer that for the record hey we have any hard-working witnesses I do not I know New Jersey does not gotcha hopefully it's only five that do not for states which conduct testing and certification of voting machines how do the state standards compare with the standards promulgated by the U.S.
Election Assistance Commission yes I can as Oklahoma's chief election official I can only talk about our state's I know with our current system which was implemented in 2012 although our state law does not require that we that we follow those guidelines the the guidelines that I said at the time when we were reviewing that system and and requiring testing for it we did require testing to ensure compliance with many of the VVSG 1.0 requirements anyone else have a comment yes sir just very quickly in California it's very similar to VVSG 1.1 but I will say one of the key differences is that California requires volume testing of all the systems where those are not in the current standards should they be added to the national standards sir if I could defer that question okay increasingly a number of states including my own has moved to vote-by-mail my state has authorized ballot harvesting I'm told that the proponents of it would prefer that I call it by a different name what technologies do we need to prevent either false registrations followed by false vote-by-mail voting we're you knowing that a people who people are not looking to cheat by adding one vote I know every vote matters and we but those who want to steal votes want to do it by the at least by the hundreds what do we do first to prevent false registrations followed by false voting all done by mail is there any system that is designed to combat that I wouldn't say design I'm not answering me exactly on point to you it's not so much as designed to combat it it's just as totally a different vector than then it's been really talked about in the computer security because I'd use the change of address but what we also talked about it could be absentee ballots I disenfranchised a person who then would go to the voting place who would get a provisional ballot and that ballot won't count or in the case of a state where it's if I can squeeze in one question in my state they compared the signature on the outside
of the envelope to the signature on the voter registration card.

Right, but the clarification here is not

I've got to squeeze in one more question, I'm sorry. Mr., Mr. Kelley, or, or anyone else: is that process useful at all? Do the people who do that have any expertise in comparing signatures? And do signatures change over time? My voter registration form was filled out long, long ago.

Yes, I'm glad you asked the question, because absolutely they do, and you see that especially with historical signatures that we have on file, twenty years, thirty years. You see a big difference. I will add that

Oh, what percentage of the ballots in our state is, are put aside or provisional because there's some question as to whether the signature is legitimate?

One plus million ballots cast in Orange County by mail; we had about 5,000 that were set aside specifically for signature issues. Now I will, many of those were ultimately counted.

How many of those were not ultimately?

The majority were ultimately counted. California changed its law last year to allow us to reach out to the voter to attempt to cure that.

And so you had to reach out in 5000 circumstances and say, hey, is this really your signature?

Yes, sir, we did.

Well, I believe my time is expired.

Well, thank you. And now the chair recognizes Mr.
Casten for five minutes.

Thank you, Chairwoman Sherrill. Thank you to the panel. The, one of my favorite things about this committee is we consistently get such fascinating nerds before us, and you guys are all awesome. This, learned so much today on a really important topic. And fortunately the nerds are not just limited to the panel; they want to think there's a few of us up here that, I want to thank our young visitor, Bianca Lewis, for being here. Really, really appreciate what you've done. And I want to talk a little bit about, if I understand what you did at DEF CON. My, my understanding, if I've got it right, as the method that the participants and your exhibit used to hack into the Secretary of State website was called a SQL injection. And I got it right? The, this is the single, the single strategy that these kids at DEF CON demonstrated is also what is described in Robert Mueller's report that the Russians did, page 50, volume 1 of the reports, as the following: GRU officers (Bianca, GRU as the Russian agents) targeted state and local databases of registered voters using a technique known as SQL injection, by which malicious code was sent to the state or local website in order to run commands such as exfiltrating the database contents. In one instance the GRU compromised the computer network of the Illinois State Board of Elections, my state, by exploiting a vulnerability in the State Board of Elections website. The GRU then gained access to a database containing information on millions of registered Illinois voters and extracted data relating to thousands of US voters before the malicious activity was identified. This is real-time stuff. But what seems to be saying is that the Russians used a real SQL injection to crack open the real state website, same strategy that Bianca demonstrated on the models at DEF CON, and then the Russian worm kept going all the way through to the voter registration database. Now, Illinois has done great work and in responding to this. I, I hope we have done enough,
we seem to be okay in the last election, but this is really scary stuff. And so what I'm, at first I'd like to ask unanimous consent to add pages 50 and 51 and volume 1 of the Mueller report, which describes this episode, to the hearing record.

Objection.

And then, notwithstanding how I started this, I want to start with Dr. Benaloh. Could you, could you explain to us, so that a smaller brain to people up here can understand, how does a SQL injection work exactly?

You're getting a little bit away from my expertise, but the, the basic idea is that the, in a web query of some, of any sort, additional information can be added to what's, what would otherwise be interpreted as innocuous web request, that is not of the form that's expected by the web server that is handling this request. And if there aren't adequate measures in place, that web server may interpret that additional information as code to be executed, and to potentially do harm or provide services that are not intended by the

Modifying an existing SQL, SQL database?

Yes.

Dr. Sweeney, I see you nodding your heads. Anything you want to add to that, either? About right?

No, I mean, I just simply can add commands within a command so that you'll fact do multiple things that never, you never intended me to do. You provided access, say, that lists some voters or to check one voter, and I just end up deleting a thousand, or review, or downloading a million, or something like that.

So for all of you, is this, and is this an, and this is a technique we should expect to be seeing again and be watching for? I see a lot of head nodding.

Will be entered into the record.

Dr.
Romine, does, does NIST's work in VVSG address the need to firewall state websites, particularly at the voter registration databases, that we can protect against this in some fashion?

I actually don't know the answer to that, but I'm happy to respond to that. I, I suspect that it does, but I can't confirm that out there. I'll have to go back and, and check.

That would be very helpful to find out.

Happy to do that.

Thank you all, and I yield back the balance of my time.

Thank you. And now the chair recognizes Mr. McAdams for five minutes.

Thank you, Madam Chair. I think this, this timely hearing is important for our Congress to review the current efforts and the plan, and to plan our future work to develop our, to protect our elections from malign actors. So this work will require, I think, strong collaboration from local, state and federal partners to ensure the integrity of our elections and that all Americans can participate in our democracy. In my previous role I was, I was one of those local officials, and while I wasn't a county clerk per se, was familiar with the incredible work that they do to protect the integrity and security of our elections, and, and sometimes under very difficult circumstances. But I applaud, and I'm grateful for, those elected officials across the country who work with the greatest effort to protect our elections. And I'm also proud that my home state of Utah has been leading the way in upgrading our election infrastructure and policies and also cybersecurity practices. Our county clerks in 2018 led the substantial upgrade, a substantial effort to upgrade voting machines and also to take other security measures in advance of the 2018 midterms, while also promoting more options for Utahns to vote, including adopting things like widespread vote-by-mail and same-day registration. Utah's one of 17 states that offer same-day registration, and I believe policymakers should support any strategy that makes it easier for Americans to add their voice to our democracy, so long as our
election practices maintain the high standards of security and integrity. So I'd like to discuss the implications for same-day, automatic, or any mode of registration on our election and our election system security. So to anyone on the panel who'd like to respond: how can same-day registration help to mitigate the effects, effects of a cyberattack on voter registration data at, close to the election? There, are there any concerns we should be worried about with that?

I would say the same-day registration could definitely be a way of resolving the threat that I described, and the reason being that if somebody, if a malicious actor had come in and intended to disenfranchise a large percentage of those voters, but those voters still show up at their polling place and could register right there, the attack would be thwarted.

Yeah, and if I may add, in Oklahoma, my state, we do not have same-day voter registration. We have a 24 day deadline. I don't anticipate anywhere in the near future that that is going to happen. But we extensively use the provisional ballot process in Oklahoma, so then in the event you did have a situation where perhaps large numbers of voters were not appearing on, on registries, we would have a backup means and then be able to go back and confirm later that those people actually were eligible to vote.

Similar comments and income from California. And I would say that the same-day registration growth in California is growing, but it is small; it's a, still a small number compared to the overall database. So I think we need to be careful and not to say that's the solution. We should be looking at the database as a whole in finding ways to detect anomalies in that database itself.

So I guess my second question relates to automatic voter registration, and how can that operate in a secure election system? And ultimately, is, is our election security and automatic voter registration, are they in competition, or they, are they in some byte symbiosis?

I don't think they're in competition. It's
certainly different dynamic when you go into DMV, for instance, in California, and it's automated registration that you could opt out of, where same-day registration, as you're affirmatively going to a polling place or vote center to register to vote. So I, I don't think they're in competition with each other.

From a security standpoint it definitely would change. If I wanted to disenfranchise voters, because in those states where provisional ballots don't fully count, then I would just want to attack the database. So we removed, automated registration might remove on one layer, but remember, the attack that I talked about was changing an existing registration, so it would still allow that.

And if I may, I want to briefly add that, you know, some of the concerns Dr. Sweeney and others have expressed about the vulnerabilities for online voter registration, if you're talking about whether you have the ability to confirm a person's identity, or whether someone could use a stolen identity to register to vote falsely, that could happen with paper ballots now.

Let me just make one quick correction, since I was called. I'd, these are not voter registration systems I'm not talking about. Whatever, it just happens is, sometimes changing the voter record is on the system as the voter registration website, but sometimes it's on the DMV site. I'm only talking about registrations that already exist.

And these are policies that would protect our elections. So I see our time has expired, and Madam Chair, I yield back.

Well, thank you very much, and thank you so much to all the panelists today. I think all of us think this is such a critical issue moving forward. Thank you to Bianca; you are not only a steam wizard, you are a trooper to sit through our hearing today. So I appreciate everyone here today. Thank you very much, and hopefully we will be attacking again. Maybe we can get you in, Dr. Romine, for your 21st appearance. So thank you all very much. Thank you.
