Information technology and Intergovernment Affairs will come to order. Without objection, the chair is authorized to declare a recess at any time. I recognize myself for five minutes for my opening statement. Good afternoon. Thanks for being here, and its been over 240 years since our forefathers declared independence and a democratic experiment began. Throughout the entirety of our existence, our adversaries, both internal and external, have sought to suppress our democratic process. Our existence as a democracy depends on free, fair and accurate elections. Today, were here to talk about the best way to protect our integrity of our Voting Systems. There are over 10,000 election jurisdictions nationwide that administer elections, and even within states, counties use different systems to conduct elections. A year ago, last september, Ranking Member kelly and i held a hearing ensuring the integrity of the ballot box to discuss potential issues with the upcoming election. It was an issue then and remains an issue now. The former dhs secretary has made clear to the best of his knowledge the russian government did not alter ballots. However, our adversaries have always sought to use our nations unique qualities to undermine our democracy. Just because they didnt tamper with results during the last election, it doesnt mean they and other adversaries wont try to do so in the next election. Electronic voting is vulnerable to hacking. Our Voting Systems are no exception. This past january, dhs designated the nations election systems as Critical Infrastructure, something that was being discussed back in a hearing in 2016. Its essential that states take appropriate steps to secure their voting infrastructure. Also essential states have the ability to audit their voting structure. Im curious to hear about how virginias transition went. Additionally, what are the chances a foreign entity could tamper with the ballot box . These are all questions and answers id like to hear today. I thank our witnesses for being here today and for their efforts to ensure our country remains free and fair. I recognize the Ranking Member, my friend, ms. Kelly, for her opening remarks. Rep. Kelly hope you had a good thanksgiving. Thank you for holding this important hearing today. There is no doubt that russia at the direction of president Vladimir Putin attempted to manipulate our elections and has worked to manipulate those of our western allies. It was a broad and coordinated campaign to undermine faith and democratic election. Today, we are taking a look at another part of their effort to undermine our democracy by hacking our Voting Machines and election infrastructure. More than one year ago, we held a hearing entitled cybersecurity to ensure the integrity of the ballot box. We took a look at state and local integrity of our ballot machines. Noted 21 states that hackers attempted to breach their infrastructure. In my own state of illinois, the hackers attempted to breach data. Fortunately, they were unsuccessful. While we continue to learn the full scope of russias election interference, one thing is clear, there will be another attempt to manipulate our elections. Whether it be russia, another nation state or nonstate actor, or even a terrorist organization, the threats to our election infrastructure are growing. So what are we going to do about it . Earlier this year, the researchers at def con were successfully able to hack machines in a day. The first vulnerabilities were discovered in 90 minutes. Usb ports can be used to up load malware. Despite these flaws, dres are still commonly used. In 2016, 42 states used them. They were more than a decade old with some running Outdated Software no longer supported by the manufacturer. Updating our machines to paperbased machines such as optical scanners is a step we need to take right now. Our election infrastructure is broad and contain numerous vulnerabilities. If we are going to withstand a coordinated attack, we need a coordinated defense. In january of this year, dhs designated election infrastructure as Critical Infrastructure. In this announcement, then dhs secretary jeb johnson was clear that this designation was not going to be a federal take over of state and local infrastructure. Rather it was a designation intended to ensure the current state and local officials had the resources necessary to secure their elections. Since then the former dhs secretary and now white house chief of staff john kelly has supported this designation. This designation can help ensure the cornerstone of our democracy, our elections remain fair and secure. If designation is be successful, we will all have to Work Together, dhs and our state Election Officials must do a better job of working together to detect and solve problems. Again, i want to thank you, mr. Chairman, for holding this crucial hearing. Thank you to our witnesses for being here. I look forward to hearing from all of you about how we can continue protecting our democracy. I yield back. Rep. Hurd always a pleasure to be with you, representative kelly. Id like to thank our friend, chairman palmer, for cooperation and work on this important issue. Now its a pleasure to recognize the Ranking Member of the Intergovernmental Affairs subcommittee for five minutes in her opening remarks. Rep. Valdemings thank you so much, chairman hurd, and chairman palmer for convening this hearing today. Id also like to thank Ranking Member kelly for her leadership and all of our witnesses for joining us for this very important hearing. Im pleased were holding this hearing so essential to democracy. While there are so many issues that divide us, integrity of the voting process should not be in question. Regardless of race, gender, sexual identity, zip code, income, every vote should count. Every vote should count the same. I believe that voting is the last true equalizer. However, russias interference in the 2016 election and intrusions in at least 21 states Voter Registration databases indisputable and confirmed by intelligence has forced just to acknowledge has not kept pace with the current and emerging threats from nations, organizations or even a single individual determined to undermine our democracy. Recently, i joined the Congressional Task force on Election Security. Just as we keep our homeland safe from physical harm, so too must we harden against cyber attacks. The task force has heard from officials. Their message is clear. We must act now to protect our Voting Systems. In over 40 states, elections are carried out using Voting Machines and Voter Registration databases created more than a decade ago. These technologies are more likely to suffer from known vulnerabilities that cannot be patched easily, if at all. As we saw from the voting bill set up at this years hacking conference, even hackers with limited prior knowledge, tools, and resources are able to breach Voting Machines in a matter of minutes. We should not assume that state Voting Machines are secure enough to withstand a statesponsored cyberattack. And there is no reason to believe that these attacks will subside. Congress must do its part. Yes, we must. And help states fund and maintain secure election systems. This means funding to purchase newer, more secure election systems and voter machines, help and establish certified baseline cyberSecurity Standards for those states that service them. Our democratic process relies on voters faith that their vote does count. Election security is national security, and our election infrastructure is Critical Infrastructure. With just under a year until the 2018 midterm elections, it is criticate that we understand the vulnerabilities of the past and secure our networks for the future. I thank our witnesses again for sharing their testimony today and i look forward to this very important discussion. Thank you so much. With that, i yield back. Rep. Hurd thank you, Ranking Member. Now im pleased to introduce our witnesses. First and foremost, the honorable Christopher Krebs at the u. S. Department of Homeland Security. We have the honorable tom shedler, secretary of state for louisiana. Thank you for coming up here today. Commissioner cortez, the commissioner of the Virginia Department of elections. So thank you for being here. Dr. Matthew blaze, associate professor of commuter science at the university of pennsylvania. And ms. Susan cline at the brookings institute. Welcome to you all. All witnesses will be sworn in before you testify, so please rise and raise your right hand. Do you solemnly swear or affirm the testimony youre about to give is the truth, the whole truth and nothing but the truth . Thank you. Let the record reflect that all witnesses answered in the affirmative. In order to allow time for discussion, please limit your testimony to four minutes. Your entire written statement will be made part of the record. And i appreciate yalls written statements, especially all of yall had outlined a number of Interesting Solutions to these problems as well as articulating the concerns that we have. So folks that are interested in this topic, many all of these written statements is valuable in understanding the state of where we are. As a reminder also, the clock in front of you shows your remaining time. The light will turn yellow when you have 30 seconds left. And when it starts flashing red, that means your time is up. So please also remember to push the button to turn your microphone on before speaking, and wed like to start with mr. Krebs. You are now recognized for five minutes four minutes, excuse me. Chairman hurd, chairman palmer, Ranking Member kelly, Ranking Member demmings, members of the subcommittee, thank you for this opportunity to discuss Homeland Securitys ongoing efforts to enhance secure election. In 2016, the u. S. Saw operations clearly the threats to our election systems remain an ongoing concern. The organizations i lead, the National Protection programs director at the department of security is leading an effort to provide voluntary assistance to state and local officials. This brings together the fbi, the Intelligence Community, nist, and other dhs sectors. State and local officials have already been working individually and collectively to reduce risks and ensure the integrity of their elections. As threat actors become increasingly sophisticated, dhs stands up in partnership to support the efforts of Election Officials. Dhs offers three types of assistance. Dhs typically offers two kinds of assessments to state ask local officials. The first provides a recurring report identifying vulnerabilities in internet connected systems and mitigation recommendations. Celtic second, our Cyber Security experts can go on site. These assessments are more thorough allowing the testing. As we continue to understand the requirements from our stakeholders, well refine and diversify these voluntary offerings. Dhs continues to share actionable information on Cyber Threats and incidents through multiple means. We share cyber threat indicators and other analysis our Network Defenders can use to secure one to secure their systems. The Integration Center works with a multistate and Information Sharing Analysis Center to provide threat and vulnerability information to state and local officials. Election officials may also receive information directly from the inkick. Notably, were offering security clearances initially to senior Election Officials and also providing clearance to in our third category, the dhs helps to identify possible incidents. In the case of a compromise affecting infrastructure we share anonymized information with other states to assist their ability to defend their own systems in a collective defense approach. It is important to note these relationships are built and sustained on trust. Breaking that trust will have far ranging consequences in our ability to collaboratively counter this growing threat. To formalize and coordinate efforts with federal partners and officials we have , established a government coordinating council. We are similarly working to formalize partnerships with a through aivate sector coordinating counsel. Within this environment of sharing critical information, Risk Management and other vital information, dhs is leading efforts to support enhanced security across the nation. Securing the nations systems is complex challenge and shared responsibility. There is no one size fits all solution. In conversations with elected officials over the last year, in working with the eoc, nist, the department has learned a great deal. Election officials already do great work. But resources remain a challenge. Workforce training and skills. As we work correctively to address these and other challenges we will work to support our state and local partners. Thank you for this opportunity to testify, and i look forward to any questions. Rep. Hurd thank you, mr. Krebs. And secretary, i want to thank you again for being flexible. I know this has been rescheduled a few times, but your perspective and experience on this topic is important. And thank you for being here. And sir, youre now recognized for four minutes. Thank you, mr. Chairman and for the invitation to participate today. Its important to hear the perspective of those who oversee elections across the country. Mine comes from serving as the louisiana secretary of state. The 18 andections in beyond is critical and important to all of us in our nations secretary of state. We are not naive to the likelihood of future cyberattacks. But we also know the use of paper ballots can just as easily open up vulnerabilities. That is why all 50 states continue to prepare accordingly. First, id like to share with you the important developments taking place through nast Election Cybersecurity Task force which was established in february of this year. In addition to helping states share information and combat Cyber Threats a task force assisted with creating partnerships including with the u. S. Department of Homeland Security and u. S. Election commission as well. Its been a key component of the council. Its designated or designed to facilitate, improve communications that as you know did not go well in 2016. Our members were concerned about the possibility of federal overreach and because the designation came without meaningful consultation without any elected officials. My colleagues and i understood we could continue to get the same support and services from dhs without critical designation so it seemed unnecessary. However, the designation is still with us today. We have made good faith efforts to Work Together with dhs. Part of that work includes chief Election Officials obtaining security clearances. We have often been told by dhs they cant share information because it is classified. Hopefully these new clearances will address this problem. Ensuring the integrity of the voting process is central to the role of every chief elections officer, including myself, and does some examples, in rhode island, the secretary and leaned over 100 election and i. T. Officials for a Cyber Security summit. In west virginia, secretary mack warner has added an Air National Guard cybersecurity specialist to his staff. Jim condo solicited the Third Party Risk data systems in 2015 that led to his office to build a new firewall and begin regular penetration testing. Colorado secretary wains Williams Office provides in point Production Software for colleagues to install on their computers to detect viruses and malware functions. In louisiana our hurricane season, we have one of those states for sure that are very expert in that field. In terms of Voting Machines security, remember with the passage of the help america vote act in 2002 states were required to purchase at least one piece of accessible polling equipment for each polling place. They began updating the existing Voting System with guidelines to address the new system such as dres. Last month, the eac released their latest update. The guidelines are set for manufacturing specifics at are certain standards of functionality, autoability and security capabilities. And final approval is expected in the spring of 2018. In louisiana, we take pride and go way beyond any current standards with our Voting Machines. We are a topdown state. The state purchases warehouses of every voting machine in the state. We have the most Current Software available on all of our Voting Machines. We test each and every before and after elections. Once the machines are tested, a tamperproof seal is placed on them to protect against any intrusion. In louisiana because no one touches our Voting Machines except our staff, because theyre never sent out to manufacture for repair, they are not handled by individuals or companies who program Voting Machines because theyre tightly controlled by our office, we have the utmost confidence in the system. We do need to prepare, yes. We do need to continue to update our procedures and processes, yes. We need to be vigilant, yes. The secretary of states, at mass we are currently looking for a , better practices that we can fromt is we can solicit various entities and groups. And most of all were looking for the remaining 396 million that have never been appropriated to help us replace aging equipment purchased over 10 years ago. Ill certainly be available for any questions. Rep. Hurd thank you, sir. Commissioner cortez, i would like the record reflect youre prepared to come testify. I appreciate your willingness to address this body. Sir, youre now recognized for four minutes. Im the commissioner of elections in virginia, and this role i serve as the chief election official for the commonwealth and lead the Virginia Department of election. Virginia has 133 local election jurisdictions and over five million active registered voters. You have my written remarks, and today im going to focus on the recommendations that are prod that are provided in there. And reduce the administrate chb workload for elected officials while increasing accountability in our processes. Part of the focus on Cyber Security, one aspect of these wide ranging efforts has been to strengthen the security of virginias voting equipment, including the votish machines and electronic poll booths when i became commissioner in 2014, approximately 113 of virginias 133 localities used paperless dres. They were over a decade old, already passed their expected endoflife. Im happy to say that all virginians voted using a paper based system. Virginia has twice been put in the unfortunate position of having to decertify voting equipment and transition to new equipment in a condensed time frame based on previously used dres. These steps were not taken lightly. They place a financial and administrative stress on the electoral system. They were, however, essential to maintain the publics trust. The november 2017 election was effectively administered without any voting issues things to the Ongoing Partnership with the state. The transition to paper based Voting Systems was incredibly successful and significantly increased the security of the election. Although its clearly possible to transition quickly, doing so is less than ideal. I request you consider the following recommendations, which i believe will make these issues much easier to manage in the future. Number one, Congress Needs to ensure sufficient federal funding is available for states to procure and to maintain equipment and secure Voting Systems. This is critical need and must be addressed immediately if funding is going to be provided any assistance in time for the 2018 elections. Number two, the u. S. Election Assistance Commission has been critical to ensuring that a set of standards for Voting Systems and certified test labs are available to states. Congress must ensure the eac is toly funded so they continue be a resource for state and local officials. Number three, congress should ensure the use to ensure the use of secure voting equipment in the future, congress should require federal voting certification. This is currently a voluntary process. Federal certifications should also be required for electronic poll books, which currently are not subject to any federal guidelines. Requiring certifications will ensure theres a baseline across the country for securing our elections. Congress should establish some sort of accreditation system for training to ensure that the individuals possible for this fundamental american right are equipped with the appropriate skill and knowledge set. Elections are an integral function of government, and we still have much more to do in virginia and across the country. Especially with the midterm elections quickly approaching. Were extremely appreciative of the work and assistance to date, the federal government can and should do more to safeguard this most fundamental american right. Thank you again for allowing me to join you today. We look forward to continuing to work with congress to ensure sufficient federal resources are available to state and local Election Officials to continue this important work. Rep. Hurd thank you, sir. And dr. Blaze, great to have you here. And having participated and walked through the voting village at def con, i saw up close and personal what the White House White hat Hacker Community and Research Community does and the impact they have on public policy. And so thank you for your efforts there, and youre now recognized for four minutes. Thank you very much, mr. Chairman, the Ranking Members and all of the members who are here today. As a Computer Scientist who specializes in the security of largescale critical systems, ive had an interest in Electronic Voting Technology since it was first introduced at large scale in the United States after the passage of the help america vote act in 2002. In particular, i led several of the teams commissioned in 2007 by the secretaries of state of california and ohio to evaluate the Voting System products used in those states as well as elsewhere in the nation. I also helped organize the def con voting machine hacking village that was held this summer at which these systems were made available really to a Larger Community for the first time for the first time ever. Virtually every aspect of our election process from Voter Registration to ballot creation to casting ballots and then to counting and reporting Election Results is today controlled in some way by software. And unfortunately, software is notoriously difficult to secure, especially in largescale systems such as those used in voting. And the software used in elections is really no exception to this. Its difficult to overstate how vulnerable our voting infrastructure thats in use in many states today is. Particularly the compromise by a determined and well funded adversary. For example, in 2007, our teams discovered exploitable vulnerabilities in virtually every Voting System component that we examined, including back end Election Management Software as well as in particularly dre voting terminals themselves. At this years def con event, we saw that many of the weaknesses are not only still present in these systems but can be exploited quickly and easily by nonspecialists who lack access to proprietary information such as source code. These vulnerabilities are serious but ultimately unsurprising. The design of dre systems makes them particularly dependent on the really Herculean Task dependent on the systems this is alarming and unsurprising. Worse as we saw in 2016 we largely underestimated the nature of the threat to the extent these systems are intended to even be secure. That is theyre designed against a traditional adversary who wants to cheat in an election and alter the results. Theres actually a more serious adversary. A nationstate or state actor who might seek to disrupt an election, cast doubt on the legitimacy of the outcome and cause a threat to our confidence in the legitimacy of our elected officials. I discuss all of these issues in detail in my written testimony. And i offer really three particular recommendations. The first is that paperless dre Voting Machines should be immediately phased out from u. S. Elections in favor of systems such as precinct, scan ballots that leave a direct artifact of voters choices. Secondly, statistic risk limiting audits should be used after every election in order to detect Software Failures in the back end systems and recover true Election Results if a problem is found. And then finally, additional resources, infrastructure, and training should be made available to state and local voting officials to help them more effectively defend their systems against increasingly sophisticated adversaries. So thank you very much. Rep. Hurd thank you, sir. Ms. Hennessy, youre now recognized for four minutes. Thank you to chairman hurd, Ranking Member kelly, to chairman palmer and Ranking Member demmings for the opportunity to speak to you today. Im a fellow at the Brookings Institution focusing on cyber surveillance. Id like to begin by noting how extraordinary it is that a full year after the last president ial election theres still enduring attention to the issue of Election Security. This moment really represents a remarkable opportunity to take long overdue steps in securing federal and state elections. In order to do so, however, we have to carefully defined the issues and disentangle Election Security from covert influence campaigns. Information operations certainly impact the broader context in which elections occur, but they are distinct problems with distinct solutions. The matter currently before these committees is narrower but no less pernicious. The threat to election infrastructure in Voting Systems in relation to the management of elections. The Elections Security threat is not limited exclusive ely to changing vote counts. As other experts have testified here today, altering vote tallies is technically possible, however it remains difficult to do so on the scale necessarily to predictably change the outcome on a state wide and national election. The probable actors with the incentives and technical capacity to carry out attacks are foreign governments, which would need to avoid both foreign detection and u. S. Alley communities. Unfortunately, u. S. Adversaries have a more achievable aim, to undermine the confidence of the American People in our government and our processes of institution and in the selection of leaders. To do so, a malicious actor needs only to penetrate systems in a manner that introduces uncertainty. This landscape increases the importance of being cautious in how we discuss Election Security issues to avoid inadvertently undermining confidence ourselves. Congressionally driven solutions to account for international and domestic realities. Internationally, while most attention has been on russia any number of adversaries possess the capabilities of interest to be of genuine concern. Domesticically a strong tradition of federalism, an Election Administration ensures that despite clear Constitutional Authority any proceeds of federal overreach will meet strong resistance of from states on political and policy grounds. Keeping those features and the nature of the threat in mind i , believe congress should adopt the following broad solutions, which are detailed more expensively in my statement for the record. First, to direct the development for National Strategy for securing elections aimed at protecting systems, deterring bad actors and bolstering public confidence. Second, provide resources to states in the form of federal funding, support and best practices. Third, regulate Election Technology of vendors. Fourth, lead the development of International Norms against election interference. Finally, congress as our primary elective body must renew and sustain political commitment to the issue of Election Security and reestablish norms that have been broken in the way we discuss Election Integrity and outcomes. Thank you again for the opportunity to address you today. I look forward to taking questions on this Important National security issue. Rep. Hurd thank you. And to start off our first round of questions, chairman palmer, youre recognized for five minutes. Thank you, mr. Chairman. Dr. Blaze, what do you think is the biggest takeaway from the def con report . Dr. Blaze i think the biggest takeaway is both alarming and yet unsurprising. And that is that the vulnerabilities that we knew in principle were present are in fact exploitable in practice by nonspecialists. Heres a question that im going to direct to you, and some others may want to respond to it. Im very concerned about foreign influence on our elections, but we particularly in the last year and last few years weve had hundreds if not thousands of reports of domestic voter fraud. Whether it is Voter Registration, manipulation of ballots at the polling place. Is that not also a threat to our elections . Dr. Blaze well, certainly, you know, the potential threats to our election are very broad and include everything from the border registration process the Voter Registration process through the reporting of Election Results. My concern as a Computer Scientist and my expertise is focused particularly on the technical vulnerabilities present in the systems as theyre designed and built. And really every expert whos looked at these systems has found that the surface attack of these machines leaves us particularly vulnerable not just to foreign interference but domestic as well, wouldnt you agree . So someone with a political agenda could, if they had the technical expertise, would be as much a threat as a foreign entity. Would that be a reasonable conclusion . Dr. Blaze particularly someone interested in disrupting the election or casting doubt on legitimacy. The way be systems, particularly the dre systems are designed, its very difficult to disprove that tampering has occurred. And ultimately thats a critical aspect of being able to have confidence in the result. One of the things that particularly concerns me is that you can be disconnected from the internet, from wifi, and still hack a machine because the potential of parts within the machine, foreign manufactured parts. Can you talk briefly about that . Dr. Blaze thats right. The design of dre systems makes their security dependent not just on the software in the systems but the hardwares ability to run that software correctly and to protect against Malicious Software being loaded. So an unfortunate property of the design of dre systems is weve basically given them the hardest possible security task. Any flaw in a dre Machines Software or hardware can become an avenue of attack that potentially can be exploited. And this is a very difficult thing to protect. Ok, we need to go to if we have some Electronic Components to back it up or paper ballots because your fallback position is always to open the machine and count the ballots. Dr. Blaze thats right. The optical scan systems also depend on software, but they have the particular safeguard that there is a paper artifact of the voters true vote that can be used to determine the true Election Results. Paperless dre systems dont have that property, so were completely at the mercy of the software and hardware. As inconvenient as it might seem, for years and years, weve relied on paper ballots. It doesnt seem unreasonable that would be a great safeguard. I want to ask secretary shandler and cortez about this. In alabama, its a mixture of Voting Machines. Do you have that as well . Do you have kind of a all over the road map . Congressman palmer, louisiana is what we call a topdown system. We control, as i indicated in my opening comments, all of our machines, we warehouse our own machines. You know, we do have a tape system of paper behind that that we can audit specifically with three different types of processes. Its never been unproven in a court of law. And the only thing i want to add to def con i want anything from an academic side to look content. Lets talk about when you discover, and im certain the professor from the university of pennsylvania or mit or anyone if i give them unfettered access to a machine they could figure how to disrupt that machine. In louisiana or most states, the machines are not linked together. Each one has a separate cartridge to itself. I guess the implication is at the point of programming, you could do something to that. I guess thats possible. And i wouldnt argue that point with someone much more learned on that subject than i. But again, in a topdown system, that would mean someone in my office on a computer that is cleaned and scrubbed before an election and after would have to have access to that program and equipment in my office. The other thing thats never mentioned in the hacking of the machine is after youve figured what youre going to do, has anyone ever yet sat down and discussed and ill only give you louisiana. In a roughly 36hour period after we go into the machine, put a metal clamp like you have on your electrical box at your home with a serial number, figure out theyre going to get into 64 warehouses across our state, go into 10,200 machines undetected under camera. No one saw you. Unscrew the back of the panel, do what youre going to do, put the panel back on, and figure out how youre going to put that metal clamp back on. So the point im making is that a lot of these things that we talk about are certainly possible. But i would suggest to you the amount of people youd have to put in play to commit this fraud, youd be easier to do a stomp speech and convince them to basically do it your way as the legal way. There is no such thing as a perfect election, none. There are issues that occur from electricity to going to fires at a precinct, i could go on and on, flooding in louisiana and the like. But, you know, one of the things that everybody has to understand is that all of these conversations around this, all deter voter participation, whether you believe it or not. Let me just say this, mr. Chairman, i appreciate your answer, mr. Secretary. Couple of things i hope were sensitive to. One is that we dont want the federal governments involvement in this to infringe upon the states authority to conduct elections. We the other is is that dont want to focus so much on domestic. I am on foreign. We dont want interfere in giving due diligence. I yield back. Rep. Hurd thank you, i recognize. I wanted to ask about your agencys efforts, dhs, to identify states about 21 states on russian attacks on their systems. On october 20, Ranking Member cummings and i sent a letter requesting copies of the notifications you sent to 21 states that were attacked before the last elections. And mr. Chairman, i asked in unanimous consent this letter be part of the official record of todays hearing. Rep. Hurd so ordered. We also ask for other materials, and i quote we ask for documents hacked by russian based systems. Our letter asks for these documents on october 21, but we got nothing. Earlier this week, the Republican Committee staff made Crystal Clear to dhs we wanted these documents before todays hearings so we could ask informed questions. Dhs ensured us they would respond. Instead, late in the day yesterday, dhs sent us only an email with a short script that dhs employees apparently read over the phone to state and Election Officials. I am just asking, where are the rest of the documents we requested . Maam, im aware of the script that was provided. A lot of those notifications were over the phone. They were not by email. There may have been followup conversations. As to the rest of the documents, if youll permit me to go back, and i commit to you we will have a more fulsome answer for you. But as to the specifics of each document, i would have to go back and check on that. Ok, im counting on you to deliver because the telephone script is literally only 13 sentences long. It is not refer to any specific estate or attack. Its just a generic script that provides no Additional Information at all. And just curious about where all the supporting documents that we requested that set forth the details of the attacks. And with all due respect, the telephone script does not help us do our job, which will help you in turn. You have not provided us with any information about the tools the attackers used or their tactics that they utilized or any information on the results of your conversations with these states or the steps you took to follow up. So its been more than a month since we asked for those documents, and the majority wants those documents also. Can you tell us what the hold up is . Maam, im not aware of any particular hold up. What i will say is the nature of the conversations weve had over the last, frankly, year with the states. And ive had a number of conversations with secretary my team had a number of conversations with secretary shedler. My team has regular conversations with commissioner cortez and a range of other state Election Officials. When you characterize these things as attacks, i think that is perhaps overstating what may have happened in the 21 states as was mentioned over the course of the summer. The majority of the activity was simple scanning. Scanning happens all the time. Its happening right now to a number of probably your websites. Scanning is regular activity across the web. I would not characterize that as an attack. It is a preparatory step. In terms of those scripts, there are two scripts. One script was provided to states that wanted Additional Information if they were include in that batch of 21. And the other script was for those states that were not in that batch of 21. So if that context was not provided, i apologize, and im happy to follow up and make sure that you get the information youre looking for. Okay, and i just want to make sure the chairman is willing to work with me today by directing dhs to provide all it documents actually within one week. And i hope we can Work Together to get these documents as soon as possible. Hopefully, in one week because this hearing is supposed to be about Cyber Security and Voting Machines and our investigation to be bipartisan. Yet dhs is withholding the very documents that would help us on both sides of the aisle, help our committee understand exactly how our state election systems were attacked by the russians. So i look forward to your cooperation in working with my chairman. I yield back. Would you yield to me . Of course. Rep. Hurd mr. Krebs, was there anything other than scanning done at those locations . 21 the vast majority were scanning. There was a very small subset of those groups there was a compromise on the Voter Registration side but not within the tallying. And there was a small group also that had some targeting. So we actually whittled it down. When we talk about that scanning, it was also not necessarily an election system that was scanned. Thats an additional context we provided to our partners in the state election offices. What we saw in a lot of those cases was frankly drivebys. You think about walking down the street and youre looking for a house, you knock on the door and you dont know whats there. You may be walking to a neighbors house looking for a key. I apologize for the mundane analogy. ,hat is simply what we saw doing a driveby, seeing what was there, seeing as the door was locked. It a lot of the cases, as secretary shedler pointed out there are significant there are adequate protections involved. Rep. Hurd so youll be able to provide us details who was in addition to scanning and what the nature of that contact was . In terms of the states that were targeted or scan, thats a difficult conversation because the information is provided to us based on trust. We, just like all other relationships with the Critical Infrastructure community, the fact we dont have statutory to compel, we are engaging on a trustbased relationship. If i then turn around and share information tom provided with me outside of that scope of that confidential relationship, tom will never share with me. This is going to jump out in this relationship, and the entire Cyber Security mission is a voluntary mission. That entire mission will be jeopardized if we divulge confidential information. So i am happy to provide information on those 21 states, but in terms of those 21 states, i suggest you reach that to your i will help you to reach back to your states. You mentioned that your state may have been one. I will help you facilitate that conversation. But today while were sitting the portraits,f was hacked. Nce, all when they months ago, attacksworldwide cyber the editor of american prospect magazine wrote this. This weeks cyber attack produced the wrong lesson. There is a much simpler solution. Cannot withstand malicious hacking should go offline. The fantasy of a better Cyber Security is delusional. Gdp onspend half of Cyber Security and yet someone will breach it. I believe that Cyber Security is a multibilliondollar hoax. Untoldgoing to spend billions trying to come up with a system that is a fantasy. We should go to the canadian system. Precinctsmuch smaller and they use paper ballots. Butow that is oldfashioned i think we are headed down the wrong path. Agree with the report. Of this defcon anything . T to say louisiana is not one of the 21 states. So you can scratch us off. Your recognized for 5 m inutes. As we continue this discussion i cannot help but think about my own parents. My mother was a maid and my father was a janitor. But theynot have a lot had their vote. Witness today and every member of our subcommittee regardless of if you were a billionaire or a janitor, you would all work to protect the integrity of our Voting System in the greatest country in the world. I want to go to the report we saw quite a bit about today and go back to the, and my colleague made about these sytems that were breached. Make a comment about the equipment used. Was it sophisticated . Knowledge did they have . The defcon was a broader opportunity for people to get access to voting equipment. Five different models and made them available. We made available the report that has been published about these equipment in some cases and that was it. We opened the door on friday afternoon and people came in theyny tools they brought, had to bring that themselves. There was no proprietary information or kampeter source code. Electricity. There was no proprietary information or Computer Source code. Some said it is easy to hack because of the decentralized nature of these machines. Do you think the decentralized nature protects us from destruction or not . That we have highly heterogeneous systems makes it difficult for somebody to do a single thing that will affect us on a national scale. It goes both ways. Limited a relatively number of different models of voting equipment used in the United States. An adversarial actor interested in disrupting our system has the luxury of picking the weakest sy stem. They need only find the most vulnerable systems to do sufficient damage. While it may make us more secure against someone with onestop shopping disrupting a national election, it actually increases our vulnerability. We have heard a lot about the need for a audit. To beype of audit needs performed to verify the vote counts had not been altered. Voting computers that depend on the software at the time of the election. There is no fully reliable way to audit these systems. Ultimatelylucky, but the design of the systems prevent us from doing that. That is why paperless systems and to be phased out replaced by things that are backed by an artifact of the voter true intent. With that i yield back. Rep. Mitchell on june 21, secretary johnson appeared Committee House comm on elections. Thatid to my knowledge there was an effort by domestic or foreign influence to affect the ballot results since that point in time . No, sir. I do not have any Additional Information. My understanding the intelligence assessment is a foreign adversary. June 21, 2017. Rep. Mitchell did you find any indication of domestic or foreign influence to affect ballot results since that point and time . No sir. Rep. Mitchell let me ask the group as a whole. I think the consensus is that the integrity of our elections is a National Infrastructure issue. Anybody disagree about that . Its every bit as important as our roads, ports, waterways, yet we dont invest any federal money in providing federal standards or guidelines on that. Anybody opposed to the idea that we invest to support that program with some kind of guidelines and states can choose as to whether they can participate or not . I think best practices would be a better word to use. I think the states as a whole, and i speak in a nonpartisan fashion, would be adamantly against the intrusion of the federal government. I agree. Its in the constitution. But certainly best practices. I think there are a lot of evidence of that with some of the entities that are out there today. We welcome additional ones, certainly. Let me clarify, secretary. I wasnt suggesting that we impose a system on the states. Simply a Grant Program with a range of options. Usually Grant Programs have strings attached. Says if you program , want to update your equipment that meets standards of security you can choose to or not. We can accept whatever strings come with it and you can turn it down, i have no problem. Any feedback on that, commissioner . I think resources for states to either purchase equipment or for those that have already moved to equipment to do other things to strengthen security of the election, whether electronic poll votes or other things would be something we greatly support. It occurs to me. We do that for our highways, ports, but yet we expect magically the elections happen with local resources without support. Mr. Duncan talked about would we not be better off with paper ballots. Feedback on simply going to a paper system or paper dependent system. You are referring to a paper system at the poll location, not a mail paper ballot. Correct. I am not opposed to that. The system that we are looking at would be one that would produce, even though you vote on electronic machine it would , produce an actual paper ballot that you could hold in your hand and cast ballot only at that point when you put it into a secure box. Dr. Blaze makes the point that, if you produce a paper result after you put it in the machine, if the machine is tampered with, you could end up just confirming the tapered information. We have currently at least in the machines i use, a paper, i dont want to call it a Cash Register receipt but for purposes of this meeting, that we can produce an audit back. There are several audits, even though i dont have a paper ballot of mr. Mitchell, i can certainly use that in a court of law and we have been very effective with that. One thing i want to mention. In this whole conversation, the segregation of the vulnerability side of the registration or poll book versus voting day. No state, no state, votes online in cyber space. I know that. How do you attack something in cyber space thats not in cyber space. One or two exceptions. Alabama with military voting. Alaska in some remote other remote areas and other states. But a minimum amount of votes. I understand. I think dr. Blazes suggestion of an optical scan that you have the original source document that says voter number this voted this way. Question, you all are aware of what happened in the michigan, in terms of federal election, federal election. 60 of the precincts in detroit were not they couldnt do a recount because the numbers didnt match. There were more voters that voted more votes counted then there were voters. Precincts in the city of detroit were not audi table. Something we encourage states to do is have an audit system. Where we raise the issues of why the disparities and how to prevent them. If in fact we need to do a recount, it was not possible to do it in the city and other jurisdictions. I submit for the record from detroit which was a paper scanned system. They still managed to lose enough votes that they couldnt recount. I brought that out in my comments. Even with a paper system, you still have to have good protocols. Its not foolproof. Agreed. Thank you. I yield back. Distinguished gentleman from the state of missouri, you are recognized for minutes. Rep. Clay thank you, mr. Chairman. I want to thank the witnesses for your testimony today. Last june the vice chair of the president ial Advisory Commission on Election Integrity, kris kobach, made a request of directors to transmit to the white house the confidential voting information history of all americans living in their state and he directed the state Elections Officials to provide the Sensitive Data to a government email address with no apparent means of securing that data. Dr. Blaze, please explain the data Security Issues with transmitting sensitive voter data over email. Well, i, i am not familiar with the precise nature of the request. But, as you have described it, certainly sending that kind of information over an ordinary unencrypted email system would be fraught with many security and privacy issues. Rep. Clay if confidential voter data were revealed due to insecure transmission, could that provide means to infiltrate state election systems . Yes. That sort of information could potentially be quite valuable to an adversary interested in targeting particular polling places or individuals or areas. So information about historical voting patterns and about individual registered voters can be quite sensitive. Clay i see. I understand your states did not comply with mr. Cothe question. Mr. Kobacks request. Explain why. Purging it did not respond to the request. We had significant concerns related to the sweeping nature of the request. We spend a lot of effort and a lot of resources protecting our voters data in virginia, so to take that and turn it over to a commission with no sense of what it was going to be utilized for, how it was going to be stored and maintained, raised significant concerns for us so for us. So we declined to provide anything whatsoever. Clay thank you. We likewise refused that. I want to clarify something thats been lost in the debate and why kris kobach did not clarify his position. I watched him for days on National News networks. If you look at the original request, he truly didnt ask for that. What he asked for was what was available publicly under state law. After, that instead of putting a period, he went on with Social Security and other numbers. Why he did that, i dont know. It caused me a lot of heartburn in my state with hundreds of thousands of emails and facebook posts and the like. So, to answer your question, no, i did not supply that to him. I told him for 5,000 and a credit card, we would be glad to supply the Public Information data that you could get on anyone from google. Quite frankly, more information. But youre correct. Putting that out in the fashion it was, but i do want to say this. It wasnt just the Trump Administration that asked for that. I was posed with that under three defiances to a federal judge to produce that under president Obamas Administration through the department of justice in a lawsuit from several entities. I refused president obama and i refused president trump. So i am consistent. Rep. Clay let me ask you. That brings me to another question for you and mr. Cortes. Are you aware of any cases of voter impersonation in your state . Mr. Cortes . You can take it first. Mr. Cortes congressman. I am not aware of instances of voter impersonation in virginia. Rep. Clay no pending cases or anything like that. We wouldnt in louisiana. We have some issues. Put it this way. If we had one its never been prosecuted or able to be proven. Rep. Clay dont you think its a little difficult to get enough voters to show up, let alone someone showing up and impersonating someone else . I think the real issue is, and we separate the distinctions in the election system. The registration side, or list maintenance. Some states do a better job than others. I know our current president has alluded to three to five million voters. What he is referring to is three to five million potential voters on registration lists. The voter fraud would be one of the individuals who shouldnt be on there showing up at the poll and voting. It may be that. It may be more. It may be less. Rep. Clay you and i know people have the same names. That shouldnt disqualify them. We need information like mothers maiden name, date of birth so we can distinguish the differences. In louisiana, we distinguish them by birthday or mothers maiden name. Rep. Clay i thank you for your engagement. My time is up. I yield back. Point of clarification. You did have reports of illegal voting in both your states. In virginia you had over illegals that apparently were reported voting. Is that correct, mr. , commissioner cortes . Rep. Clay mr. Chairman, i asked about voter impersonation. Someone else showing up and saying that they are someone other than who they are. That is what the photo id laws are all about. Right. Congressman, i believe you asked about our reports regarding illegal voters. We dont agree with neither the findings of the report or, frankly, how the analysis was done. There are a lot of problems in that that we have indicated publicly. In terms of proving our, identifying individuals that are citizens or not on the voter rolls is exceptionally difficult. The processes we have in place in virginia i think capture and prevent anybody from voting illegally or improperly, and so the report you are referring to, i think, was very faulty in its analysis and took information and made sweeping, general statements without taking into account the reality, despite our best efforts to communicate with the report authors about it. In louisiana, its either herbert or herbert. I understand the problem you have there. I understand the problem you have there. The chair recognizes mr. Desaulnier. Rep. Desaulnier i both agree with you. But maybe we have a small difference of opinion. The importance of the integrity of the voting process is supreme for all of us sitting in this room, but raising legitimate concerns about the integrity of that, making sure that we are pursuing best practices in a world thats changing dramatically, i think, is what we are all concerned with. So, in that regard, i am hearing two sort of versions of things here from the panel. And miss hennessey, in your research, i have, i have a quote from michael vickers, who used to be the pentagons top intelligence official who says this attack is the political equivalent of 9 11. Its deadly, deadly serious, to the attacks weve seen in the United States in my view but also against western democracy. This goes to undermining democracy. So we want to make sure, i would think, in congress that we are doing everything to make sure that we are ahead of it and questioning our existing system. So you made a number of suggestions. First off, is there any doubt in your research that these hacks are attributable to russia, the significant hacks . The Intelligence Community assessment of the election of 2016 assesses that with high confidence that is supported by a large body of public data, and there is no Public Information that would counter or refute that conclusion. Rep. Desaulnier so, keeping in mind that we are talking about, in this hearing, the title is cybersecurity of Voting Machines and weve got lots of other activity going out there that hopefully well discuss further in congress, visavis the things we are learning about social media and data collection. But for this purpose, are we ahead of the game in your research . I read where the french and other western democracies are being much more aggressive, not knowing what their infrastructure is, but from your research is the United States doing everything we can, this compared to other International Democracies who are aware of the problem . I think the short answer is no. There are two categories in which we can think about the u. S. s response. What we have been talking to today can be categorized as deterrence by denial. Setting Security Standards that make it difficult or impossible for the adversaries to achieve their goals. Havelaze and others articulated the insufficiency of the u. S. Response on that front. The more needing to be done in terms of federal resourcing and at the state level. There is also a broader concept of deterrence. Deterrence through setting International Norms, response options. We are also not seeing sufficient buyin, frankly, from the top at this point to push those efforts forward in order to get the International Community both to agree on the seriousness of what occurred and also to impose measures. Including those passed by congress to ensure that it doesnt happen again. Appreciate that. Mr. Krebs, in that sort of vein, your response to miss kelly is, seems somewhere in between. We know the uniqueness of the relationship as you have described it between states rights and the ability for them not to feel like were imposing on them. However, you have also talked about best practices. And it would strike me that you are in a position to be able to acquire those best practices, particularly in conversation with the Intelligence Community. Miss kelly asked you if you would give us those documents. It seems like you are equivocating. You said, in order to have a relationship with the states, its based on trust. But forgive me for inferring from that there is a lack of trust in giving those documents to congress. In a federal election is strikes me that congress and the federal government has a requirement to make sure that we are pursuing best practices, in partnership with the states, not overruling them. But if Congress Asks for documents, including the minority party, strikes me that you should give that to us the , whole committee, without edits and without comments. Sir, if i may, i would like to clarify to the Ranking Member. The information, maam. The information that i would provide, no question, best practices. Got them right here. Best practices are just fine to share. What were talking about is the, is the trusted information that is shared on a nature of what may have been a scan or a compromise. Thats the information. We have no question of the oversight interests of the committee. Absolutely no question there. The balance we have is the Optional Mission of the department in partnership with the state and local partners in that, again, that overarching Cybersecurity Mission of the department in working with our partners in a voluntary basis. Ill take that as well receive the documents soon. Thank you. Yes, sir. Thank you, mr. Chairman. Mr. Kurdishrishnamoorthi. Rep kurdishrishnamoorthi thank you for convening todays important hearing. The sanctity and security of our election systems are the bed rock of our republic. The American People need to know, not just believe but they need to know for certain that their votes are counted fairly. My home state of illinois was one of states that the 21 department of Homeland Security informed us was targeted by hackers in june of. Of 2016. The nsa reported that personal files for over illinois voters 90,000 were illegally downloaded by russian hackers. Mr. Krebs, do you have any reason to dispute the nsas findings that russian affiliated entities were behind the recent election data breaches . I am unfortunately not able to comment on that specific disclosure. I unfortunately would have to defer to the nsa. Do you have reason to believe that they are incorrect about that . I am not certain of the nature of the report you are discussing. I unfortunately would have to, again, defer to the nsa. To comments specifically on the details, you defer to the nsa because they are expert in this particular matter and they have the intelligence and the ability to ascertain whether these data breaches occurred and who was the source of these data breaches, correct . Again, i would defer to the nsa again, i would defer to the nsa on any discussion here. Sure. While the implications, you are correct to defer to them. While the implication of russias attack on one of our election systems are concerning what i find even more disturbing , is that it was part of a broader International Campaign to undermine western democracies. Such as the 7 elections in 2017 elections in france and germany. As well as recent elections in the uk and other nato countries. Now, mr. Krebs, again, i would like to ask you a followup question. Can you assure me that dhs is working with our allies and the broader International Community, the Intelligence Community, to develop a coordinated response to these incursions . What i can speak to is the nature of the department of Homeland Securitys engagements with our International Partners immediately before the french election. We reached out to the french sert, the Computer Emergency Response team. My responsibilities are two things. Information sharing and Technical Support on a voluntary basis. Information sharing with the state and locals and information sharing with the french cert. As far as pushing back or a broader situation, i would defer on that. Earlier this month, the president said he took Vladimir Putin at his word that he did not interfere and russia did not interfere in the 2016 election. Quoteunquote, he said, every time he sees me, he says, i didnt do that. And i believe, i really believe that when he tells me that, he means it. Quoteunquote. Mr. Krebs, just a few minutes ago you couldnt point to any reason or dispute. You have no reason to believe that the nsas conclusions with regard to russian hacking were an accurate boarding correct. You defer to the nsas conclusions. Do you, are you saying that the president is somehow wrong to take putin at his word as opposed to deferring to the nsas conclusions on this particular topic . I would like to clarify one thingslsn real quick. I have said all along that i agree with the Intelligence Communitys assessment that the russians attempted to interfere with our elections. Good. What you spoke about earlier was some report attributed to the nsa about a specific state. That is what i deferred to the nsa on. I am not able to comment on that. I am focused on information sharing, Technical Assistance and support to the state and locals. We are in a state role. You answer the question correctly, in my view, which is that you agree that the russians did interfere in our election, or you at least agree with the Intelligence Community which knows what its talking about that the russians did interfere in our election. So are you saying that the president is wrong to disagree with that conclusion and instead take the word of Vladimir Putin that russia did not interfere in our elections . No, sir. I said i agree with the assessment of the Intelligence Community on what happened in. In 2016. Ok. Do you agree with the president that, in his assessment, that Vladimir Putin did not actually interfere in our election . Sir, i was not privy to that conversation. Look. I am focused on helping the state and local governments for next year. Every one of us recognized that there is a threat, whether its from russia, china, north korea or iran. You are not answering the question, sir. Yes, sir. You dont have to be privy to the question. You dont have to be privy to the conversation to be able to answer the question. Do you agree with his assessment that russia did not interfere in our elections . Sir, i, again, i will point back to last years intelligence assessment. I will take that as a nonanswer. Chair notes the presence of our colleague, the gentleman woman from hawaii, miss gabbard. I asked unanimous consent that she be allowed to participate in todays hearing. Without objection. So ordered. A pleasure to recognize my friend the gentleman woman from the great state of hawaii for questions. Gabbard i thank the chairman and Ranking Member kelly for holding this hearing and thank the witnesses for sharing your expertise here. I think the topics boil down to the immediate task at hand, which is seeing what actions can and should be taken to make sure that our elections are protected. For our democracy to work, the American People need to have faith and trust in our elections infrastructure and that the votes that they cast will actually be counted. And this is why making sure that our elections infrastructure is impenetrable is essential. Thats the task before us here in congress and before our Elections Officials. Mr. Cortes, i would love to hear your insights regarding virginias decision to switch from direct recording electronic Voting Machines to paper ballots. What were any obstacles that you found in implementing that change, and did you see voter confidence rise once the change was made . Congresswoman, in terms of the switch to paper, i think the biggest obstacle that we faced was timing, proximity to the election. We have statewide elections in virginia every year, so we always have very little time to implement changes. I think in this particular round of decertification. Subsequent to the defcon reporting that came out the biggestout, the challenges we faced were getting equipment to our state i. T. Agency for them to test and provide us with their assessment. When it came down to the final decision about what to do with the equipment, our biggest consideration was if we had an issue, if there were some issue reported on election day would we have the confidence to tell our voters that the results from the machines were accurate and that we could confirm that. I think ultimately we determined in consultation with our wonderful staff at the state i. T. Agency and their assessment that we wouldnt be in a position to do that with the equipment we were using. Without the independent verification, the paper ballot, there would be no way for us to do that. I think that ultimately was the moment where, you know, decertification moved forward and we decided to have paper ballots statewide for this past november. Our local Election Officials had less than days before the election. Less than 60 days before the election. Frankly, less than two weeks before the start of absentee voting to deploy new equipment. They did a phenomenal job, using exceptionally limited resources that they have and working with not only in partnership with us , but also in terms of the , Voting System vendors to get equipment deployed, get ballots printed, do training, do voter education, all within that window. They pulled it off successfully. And so it, you know, give a lot of credit to our local Election Officials across the state for being able to do that. Thank you. Miss hennessey, i just came in here the last part of your previous statement about making sure that, i think you used the word impossible. Making it so that our elections infrastructure is impossible to hack. Noting the defcon report that came out and the fact that it states, by the end of defcon conference every paperless electronic voting machine was effectively breached in some manner, would the implementation of Voting Machines across the country with some form of an auditable paper record create that impossibility . To clarify, i was referring to impossible to hack as a goal of sort of the deterrence by denial model. I dont know that thats achievable, though we shouldnt make perfect the enemy of the good. There is a vast improvements that can be made. Certainly we should want to move to a place in which systems are both auditable and also audited. Not just to think about how to ensure that a builtin resiliency model so in the event that there is some form of compromise, some reason to doubt the outcomes, that we actually have a system in place to verify it and restore voter confidence. A backup. Right. And then also that we actually periodically undertake those checks. An auditable system is effectively meaningless if we dont actually undertake the audit. This is such an important point, and i think mr. Cortes your testimony is critical to , this. In answering the question of how do we ensure with confidence that you can answer your voters saying that the Election Results , are accurate. I am working on legislation that will essentially ensure that whatever the systems the states choose to use in their elections, obviously that is the freedom of the states to do that. That there be some form of backup in place, a paper voter verified backup to ensure exactly that question and that we can all answer with confidence to voters that the Election Results are as a result of the votes that they cast. So i thank you all for being here today. Thank you, mr. Chairman. Going to now recognize myself for some time. First off, dr. Blaze, correct me if im wrong, i think we may have set a record here today for the number of times defcon has been said in a positive way. So all my harkcker buddies will be happy about that. In dr. Blaze and miss hennesseys statements, they have talked about what i would characterize as oldschool ballot stuffing as one threat. But what a nationstate actor or an Intelligence Service would try to do, discredit an election, is another threat. Mr. Secretary schedler, the first question is to you as the secretary of state for louisiana. Its hard to manipulate the votes in an election in your state. Is that correct . Commissioner cortes, would you agree . Not for louisiana but virginia. Yes, mr. Chairman. And dr. Blaze, and miss hennessey, is it still hard to stuff the ballot electronically in many of these states . I think its very difficult. I think the difficulty that we have is that its very difficult to prove that it hasnt happened. Sure. Its a trust issue. But when it comes to physically because of the decentralization, because many of the vote tabulation machines are not connected to the internet, are not connected to one another, because of the physical security precautions taken around the physical machines that secretary schedler talked about and many of the best practices that mr. Krebs and his organization have promoted, it makes it hard. But the use case that i am worried about is the credibility of our elections. And not being able to prove something is one of those things. And for our two secretaries of state, would you agree that undermining of trust in our elections is a bad thing and something we should try to fight against . Mr. Schedler first . Mr. Schedler i would absolutely agree. Thinkt has happened and i any secretary of state would address you in all honesty. Since the last president ial election and all the rhetoric and all the Committee Reports and all of the things that are going around this, if you dont think that has had a tremendously negative feeling to voters we see it. I just got out of an election for the mayor of new orleans, open c. In orleans turnout parish and we had a statewide election for state treasurer. Overall turnout of 4. 5 . Thats absurd in this country. I can give you a litany of 10 or 15 things. Yall wouldi know not like. Downhetoric that has gone from this past election has tremendously deterred voter confidence. And its a balancing act for a guy like me and, well, mr. Cortes because we are up here trying to defend the integrity of a system. For sure. And yet its being torn down as i speak. Right. Thats one of the reasons to have this hearing. Yes, sir. I am respectful of that. To get smart folks in a dispassionate way talking about the realities and then how can we identify certain things that we can do together in a way to ensure that that trust is there so that we get more than 12 . Now, i would also say that a, i asked a panel in south by southwest with a bunch of youtube stars, and i didnt know any of them, but when you added all their fans together, it was almost a billion. The woman who does digital, digital stuff for the rock said, if a movie performs poorly at the box office do you blame , movie goers or the movie . And i think in this case a lot of times we want to blame, we want to blame voters when were not providing the voters something for them to come out and purchase by pulling a lever. So that is an aside. Mr. Cortes, was there any funny business in your elections in virginia a couple of weeks ago . I believe we had a very successful election in virginia a couple of weeks ago. We actually, i am sorry to hear that you all had a lower turnout in your statewide. We had record turnout in our statewide race for governor, lieutenant governor, attorney general as well as the house of delegates. We did not receive any complaints related to voting equipment, which was a first in the time that i have been there. We had a very successful day across the commonwealth. Very few issues. You always get the occasional place where they have delivered equipment to the wrong place and they may open a couple of minutes late, but we had no major systemic issues that took place. Touche to virginia. Mr. Krebs, some specific questions. How many Cyber Hygiene Services over the internet for internetfacing systems can your organization do in a calendar year . I realize thats a difficult you can ballpark it for us. Thats tough because, frankly, engineeringwise its, i dont want to say infinity, but its, frankly, its very, very scaleable. So you are not concerned about the over 10,000 voting jurisdictions requesting that particular service that you feel like you will be able to meet the need. No, sir. I think the challenge would be intake. Signing up the legal agreement side. How many risk and vulnerability assessments can you do in a calendar year . That is a different question. Risk a vulnerability assessments are time and manPower Limited. In terms of the number on a given year, it would be, let me put it this way. To do one risk and vulnerability assessment, it takes two weeks. A week on site and a week report drafting. What we are doing in the meantime you have about 130 people who are able to do this function . I would get back to you on the specific numbers on the teams, but we are man Power Limited there. The reason for that, and you just made my job a little bit harder with the mgt act. But this all comes out of the same pile of assessments as federal i. T. The high value assets. So if were going to do modernization activities, congratulations, but thats going to make my job a little bit tougher. Thats also the Critical Infrastructure community. With the Critical Infrastructure designation did for the election sub sector is allowed me to reprioritize. I am now able to put requests up at the top of the list. We completed an rva last week. I reviewed the product this week and its an impressive domestic document. Id like to do more. Well continue to prioritize upon requests. These are voluntary products but keeping in mind that a number of states have their own resources or private sector resources. We are not looking to serve for every single state, but we are looking to reprioritize to address. The next question is for secretary schedler, commissioner cortes and mr. Krebs and maybe secretary schedler, you take the first swing at this. And this is probably better, this question, i am asking you this as your former hat at nass. And what role exactly does nist and the hava standards board play . Mr. Krebs, if you are more appropriate to answer that question, you know, ill leave it up to you all. It certainly assists us in certification issues and some of the outlier issues that we have, but i think its more the collective whole of nass, whether it be with the election commission, nist or any of us. We collaboratively all Work Together, we share information through our executive director miss reynolds here in washington. I think its a good thing. I wouldnt want to necessarily disband that. But i think its more looking at it as a collective whole, and our new partners in Homeland Security. I alluded that we were very much against Critical Infrastructure. We are in it. We are in a cooperative spirit, and we are trying to get our security clearances done at this time and were going to continue that. Secretary, am i hearing dhs is not trying to take over . I dont think so. Not yet. Ill give you a call. How is, please do. Please do. Are folks comfortable with the security clearance process . Yes. I know we are trying to get every secretary of state and i believe two additional folks, and your indication is that folks are happy with that process and how its going. Yes. Thats the first good step that we can share some information. Commissioner cortes, do you have any information to disagree with that . Mr. Chairman, i think, from our perspective in virginia, having had a statewide election, we had an opportunity to work very closely with dhs throughout the year. Preparation for that, and really figuring out how to leverage the federal resource offerings along with what our state i. T. Agency provides as well as our, the Virginia National guard. And so we have worked very collaboratively with them. I think the creation of the coordinating council, i think will be exceptionally helpful going forward. When it comes to eac and nist, eacs role in this has been, hasnt been as highlighted as i think it should be. I think theyve been critical in opening up the dialogue between dhs and the Elections Community as well as facilitating a lot of the meetings and interactions that have taken place. So they have been exceptionally helpful there. When it comes to nist, i think for us and i think going forward, you know, what we need to look at is the nist Cybersecurity Framework is something that our state i. T. Standards are premised on and that we utilize for our voting Equipment Security and electronic poll book security. Those standards being there are very helpful to us and provides a level of expertise and things to look for and test against that we would not, you know, with our state resources, be able to recreate on our own. So everybody has been exceptionally helpful. That is very helpful feedback. Mr. Krebs, kudos to you for your leadership in that process. And maybe to anybody at this panel, why does eac have 300 million in unspent funds . Anybody have any, none of you all sit at eac . Would anybody like to offer they must have some of the hava dollars that we need. Thats what we are trying to get at. Is there an opportunity there to reprogram some of those funds to help some of the municipalities that need to upgrade some of their systems . Yes, sir. That was a tongue in cheek comment. I am on their Advisory Commission. I truly dont know. Can you hit the button. Yes, sir. I do not know what that balance is. I mean, i just, certainly something to look at. I think weve got to look at any and all avenues of funding because we do need assistance in the state. I can assure you. Just like federal government, states are in budgetary issues. I know certainly louisiana is and at this critical point of trying to replace equipment because of some of the subject matter were talking about here, we are scrambling to find a way to do that. I am getting ready to go out on rfp. Mr. Krebs, comments . I think what were talking about now and i wish matt masterton, chairman of the eac was here. He is in iowa, i think, doing training. Eac has been a critical partner. When dhs got into this game last year, it was before my time, it was a brave new world. Didnt have relationships. Eac was critical in bridging the gap and developing relationships with louisiana, virginia and the rest of the states. Nist is also a partner. I think dr. Blaze would agree that nist is probably reputationally unmatched in terms of cybersecurity, cryp photography cryptography excellence. Then on the information sharing piece, one last thing. I want to touch on the classified and the clearances piece. Clearances, as has been pointed out, clearances in the sharing of classified information is important. We are, in the meantime, focusing on that declassification effort. It is critically important that we speed up that process to get it out. Tear lines, all that good stuff. In the meantime, when something truly sensitive comes in and someone doesnt have the clearance but needs to see a piece of information. I have the capability to authorize one day readins. We have a suite of tools and services and capabilities to make sure the partners have the information they need. Thats why dhs is the belly button for information sharing with municipalities and the private sector. I believe you are the only organization that can truly but she need to share versus need to know and continuing down that line is important. Dr. Blaze, when it comes to the kinds of systems, the actual vote tabulation machines and you have talked a lot about the scan, you know, version, are, are, one of the concerns i have about some of the legislation thats being discussed is talking specifically about a type of machine versus an outcome. And is it fair to say that, based on your research and your activity, that you are saying there needs to be an artifact that can be checked in the case that a system is, is suspected of compromise . Thats correct. The two Important Properties are, first, that there be a paper actrtifact of the voter. Optical stan optical scan is an example. Optical scan is an example. Thats probably the state of the Art Technology right now. The Second Property is the we that secondly, we have a mechanism for detecting compromise of the software that tabulates votes. And thats the risk limiting audit feature. Put together those achieve or approach what we call Strong Software independence, which means that, even if the software is compromised we still can learn the true outcome of the election. Miss hennessey, do you have anything to add or disagree with . I would agree with everything dr. Blaze said. Thank you. My last question, chairman palmer and Ranking Member kelly, thank you for the indulgence, is slightly outside of the bounds of the hearing topic today. But as we talk about the importance of protecting our Voting Systems and trying to fight this effort to erode trust in our national institutions, disinformation is the tool that hostile Intelligence Services are going to continue to use against us. And i would just welcome and really, secretary schedler and commissioner cortes, what is the role of states in helping to combat disinformation specifically when it comes around election time . And dr. Blaze, miss hennessey, i would welcome your thoughts. And then, mr. Krebs, i am going to give you seconds in which to say whatever you want to say. Secretary schedler. Secretary schedler i mean, its the Old Fashioned way. You get out there and you communicate with people, you get on the air waves, radio, tv and in the newspaper and you combat some of this. Because i will be honest with you. I had an individual just this morning that called me or, excuse me, texted me from the previous election. And he was convinced that our machines were connected to the School Internet system. Because i guess it was plugged into a plug. I dont know. But i mean, its those types of things. And in the every real day of secretary of state or election official across the country that we come back its just part of , the job. I will tell you it has become on steroids in the last months. Lasted 24 months. As a member of congress, i would say i understand those concerns. Yes, sir. Thank you, sir. Commissioner cortes. Mr. Chairman, i think its really about being open and transparent in the process and having, you know, processes in place and working as Election Officials to make sure voter are comfortable with the process and getting out there and combatting any misinformation about how the process works. I think our focus on transparency and doing things like postelection audits, having equipment that has some sort of verifiable backup. These are all things we can do to provide voters assurance that they can actually see and observe and not just tell them everything is ok. We are, i think, at a stage with our elections processes where people need to be able to understand what steps we are taking and how we are doing to make sure that things are ok, to make sure that their voting experience is a good one and that their votes with counted accurately. Good copy. Mr. Blaze i think the most important thing from a Technology Perspective is that the Voting Technology allow us to refute those who say that the election was tampered with. Unfortunately, many of the systems in use today, even if they havent been tampered with, dont, arent designed in a way that allows us to do that. I look forward to seeing a shift toward technologies that are more robust and that allow us to do meaningful recounts. Miss hennessey. To bolster credible institutions now. And so to not, to sort of resist any temptations of partisanship so that there are those enduring, credible voices. The closer we get to the actual election date the higher the risk of politicization infecting that process. Which increases the importance of setting neutral standards now, both for the types of information that will be shared and also for response options. Thank you. Final words, mr. Krebs . Mr. Krebs yes, sir. I think my four copanelists said it quite well. A key tenet of countering operations is shining a light on activity. We have before us some coordination work. We need to do Incident Response planning, develop a playbook. If something pops up on social media, twitter, whatever it is, we get the call. We can work to refute the information and push it out through a clear, trusted channel to the American People so they can retain confidence in our election systems. I want to thank all of you for helping to shine a light on the activities that our states and the federal government is doing to ensure that the American People can have the trust in their elections. Thats what makes this country great. Is when we are faced with adversity we all do pull , together. And i appreciate you all appearing before us today and the flexibility in your travel schedules. The hearing record will remaintn any for two weeks for member to submit a statement or question to the record. No further questions, without objection, the subcommittee stands adjourned. [captions Copyright National cable satellite corp. 2017] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap. Org] to make him on cspans a senior fellow on the u. S. Entitlement program. Entire Atomic Program can help someone who is in need. Ll of us have it in us of course, it is easy to do it , butsomebody elses money they have the same desire that you and i do. Once that entitlement is put in place, then the game has changed. Groups went around, protecting that entitlement, pressing for more assistance. Desire. John cogan on u. S. Federal entitlement programs tonight at on eastern on q a cspan. Now the deputy Prime Minister and foreign minister of qatar discusses