Gentlemen. Pleased on behalf of the Penn State Dickinson School of law, penn state institute for constitutional sciences, the center for democracy and technology, and the center for justice to welcome you to what i consider to be a very timely, and honestly a very, very important form and symposium. At the outset, i want to thank all of the participants regarding and incredible array of speakers dissipating in the forum. I want to thank the guests who have taken the time to join us this morning, and i also want to reach out and say thank you to cspan for covering something that all of us, i think regardless of republican, democrat, or independent, think is quickly important. It is undisputed that there are people who have been hacking into our elections for a long, long time. Indisputable. S we can start with 2016, and i think we can look back before that, we might have seen there were people playing around in that arena, even before that time, so we decided to get these organizations, to pull together a symposium to deal with hacking in u. S. Elections and how to make the 2020 election more secure. So were grateful that you joined us this morning. Some of you in the audience will probably remember, but i did happen to talk about some of my colleagues, asked them how old they were 2001 on 9 11. Most of them were in grade school, a couple in school. At that time, i reminded them that i was called to the white house and then given the opportunity to set up the department of Homeland Security right after those horrific events. And as i look back and reflect on that time, im reminded that initially we were focused on a small group of terrorists from a small part of the world who would attack us and use physically and attack our citizens. And then within a couple of months, within a year or so, we decided that in addition to dealing with physical attacks, we better start paying attention to digital attacks. Think about it. This is 2002 and 2003. The tools available to those who would attack us with Digital Tools was minimal. The sophistication was probably primitive compared to what were dealing with today. And clearly the frequency has been expanded exponentially. I think back about those days, and i think about trying to deal with both physical and cyberattacks. And i think to myself, and this is my opinion. I share it with you. I hope you agree. Its one of the reasons behind the forum. Potentially as harmful, as painful, as harmful and painful to deal with the attacks of those days, and as potentially harmful to our citizens and our economy, as massive terrorists, physical or Cyber Attacks would be, in my judgment, nothing, nothing has greater potential to undermine who we are as a free people than Cyber Threats to our democracy. To challenge and undermine free and fair elections, by creating doubt. Doubt and uncertainty to the legitimacy of our political process. And create chaos, which we see even today divides our political leaders. If the goal of those who sought to attack this country was to destabilize our government and our political institutions, im afraid we have to admit, to date, theyre succeeding. Truth and civility and the very foundation on our Constitutional Government are the primary victims of the abuse and the misuse. Of social media. Our enemys goal is to destabilize. Theyre succeeding. Now, lets be very clear. We focused a lot on foreign influence and there certainly is , and there will be some discussion about that. But lets not underestimate the role of domestic cyber activity as well. Perhaps not to destabilize our process but to promote a political candidacy or point of view. No matter what the goal. It is unamerican, no matter what the goal, in the digital world, it is one of the major challenges we have going forward. The other challenge is, and i conclude with these remarks, the digital sun is never going to set. Its just going to get hotter, in a hyperconnected world. The challenges associated with Cyber Threats to our institutions of government continue to grow, continue to expand. So it is for that reason that these four organizations got together and said, lets take a look at vulnerabilities in the electoral process, and lets take a look at the impact of the abuse and misuse of social media on that process itself. I had a great opportunity the past several months to work with professor anne toomey mckenna. Shes really the catalyst. Shes really made a lot of this happen. And a lot of the speakers are here because of their admiration and respect for her. I want to introduce my friend and colleague, professor anne. [applause] mckenna so really, im the chief button pusher. Its a pleasure to be here today. I want to thank you all and welcome to our audience on cspan. The governor has told you about the sponsors involved. I think one thing thats important to remember, because were going to be talking today about those Election Security and the infrastructure, and were going to be talking about social media and money and data as well, as part of the undercurrent here. An important thing to do is to remember that no one here is a paid speaker. No one was charged admission. No sponsor is doing this pursuant to a grant. This is because a group of entities and individuals, like you all here, recognize the importance of securing our elections and recognize the actual threat to our elections that come from these two different aspects were gonna talk about today. So when we talk about politics, its very easy to get personal. This group of speakers is incredibly interdisciplinary. Its incredibly mixed in terms of their backgrounds and affiliations. The speakers that have come here today. And so is this audience. This really is an impressive members of media, intelligence community, security, academia, researchers. So were looking forward to working towards problem solving with you all. I dont want to take very much time, but i want to remind everybody, as we frame our questions, as we frame our responses, and well have a really great opportunity for audience participation with the luncheon, and we want to hear from you. So, again, remember, this is not about my politics or your politics. This is about saving democracy. So lets work to do that together. Without further ado, i want to turn the mic over to my colleague, jenny evans, who is one of the leading data scientists in the country. Thanks, jenny. [applause] jenny thank you, anne. And thank you, governo my persou and governor ridge for your investment in bringing us here together today. Were here to wrestle with a critical challenge to our democracy. As anne mentioned, im the director of penn States Institute for computational and data sciences. We support a myriad of data and Computational Research at penn state. We also support penn states High Performance computing system and events at events such as this. The mission of the institute is to bring Interdisciplinary Research of societal and scientific importance and advance these goals. We do that by cohiring faculty with departments all across the university. Were jointly hiring with numerous colleges and departments, departments such as astrophysics and Biomedical Engineering but also such as political science, psychology, geography, and law. And one of these intellectually adventurous, intelligent and , and interdisciplinary scholars. The institutes culture is to bring together a diversity of experts in action through many disciplines, professional perspectives, and backgrounds. You are that group of scholars today. Its our tendency as humans to limit ourselves to consideration of just the facts in front of us, consider the well, where did i find that image . There we go. Therefore, continue the maam behind me. This was purported to be australia on fire. The fires in a single day in australia last year. As an australian, also as an american, this was terrifying to me until i found out that this is not a day. Its a month. Its still horrendous, but its a different story. No single expert can take on securing elections today. Im sorry. Its not simply a technology issue. Its not simply a policy issue. Its not simply a law issue. Its an interdisciplinary problem requiring collaboration from experts in all of these specialties and more. Because elections are at the heart of a functional democracy, its imperative that we investigate this issue from a multitude of perspectives, bringing the best minds to bear. Election security is an interdisciplinary challenge but its also a data science challenge. Data is at the core of our elections, starting months before the votes are cast. The readily available, personal and Demographic Data creates opportunities to provide tailored messages, microtargetting select groups through social media. While this can be a boon to business, this data mining has been readily used to spread disinformation across the electorate. Once elections take place, each vote is a crucial data point in determining the leadership of our country. How these data are tabulated, where they are how they are analyzed and communicated, without bias, these are important aspects of the electoral process that must be secure. While well delve into for newer perspectives on the electoral process today, the fundamental underpinning of data science and technology, the critical need for interdiscipline groups to come together, sharing the diversity of perspectives and opening new doors to discover is unquestionably important. Im delighted that penn States Institute for computational and data sciences, Penn State School of dickinson law are collaborating today with the Brennan Center for justice, the center for democracy and technology, and governor ridge to host this event, tackling this critical issue for our democracy. I ask you to take advantage of this exceptional group, to continue or initiate conversations that will lead to action in support of this grand challenge. Thank you all for joining us here today, and thank you again, anne and governor ridge, for bringing us together. [applause] prof. Mckenna again, chief button pusher. I want to introduce larry norden. Its my pleasure to introduce larry, the director of the reform program. Welcome, larry. I think you press the buttons , too. Larry yes, i can. Which button am i pressing . [laughter] larry this one. Ok. Terrific. Thank you, anne. Thanks to all of the groups involved in partnering with the Brennan Center for justice on the event today. I think its going to be an interesting and informative conversation. Ive been asked to lets see. Oh. Yes. Ive been asked to present an overview of some of the Biggest Challenges facing American Election infrastructure. And im going to discuss a little bit about why theyre not insurmountable challenges in 2020 but also what we can do in the longer term after 2020 to start making some bigger changes to secure our election infrastructure. It isnt fair, but im going to use iowa and the caucuses as an introduction to this topic. [laughter] norden i was a little bit worried about nevada over the weekend, but fortunately i didnt have to overhaul my slides tonight. The reason i think its not fair to use iowa, as an example, before i go ahead and do it, of course there was no cyber attack on the infrastructure they were using there, as far as we know, and, of course, as others have pointed out, the caucuses were run by a political party, in this case the democrats. They were not run by professional Election Officials, by the states or the counties, as the primaries are and as the general election in november will be. Nevertheless, i think there are some important lessons going into 2020. And the first is that vendors are a point of vulnerability in our elections. We, often on capitol hill, when people talk about our election infrastructure and Election Security, they talk about Election Officials. They talk about states and counties. But much of our election infrastructure is created and supported by private vendors. They touch nearly every aspect of our elections. So folks may know that there are three big manufacturers, Voting Machines in the United States , and they control about 90 of the market for Voting System. But there are certainly hundreds of Additional Companies that maintain and program these machines, that build and maintain Voter Registration databases and electronic poll books to determine who is eligible to vote and that perform other essential functions for our elections. Yet unlike other vendors in other sectors that have been deemed part of Critical Infrastructure, like dams or energy or defense, there are no federal regulations over these vendors. And in fact, theres been very little federal oversight of these vendors to date. What this means is, we dont even have a full picture of how many vendors there are working on our election infrastructure. Either manufacturing or servicing. We dont know where theyre working. We dont know what kind of screening they do of employees that perform critical functions. We dont know who owns them. Maryland infamously earned in the past couple of years that a vendor for the Voter Registration systems was owned by a russian oligarch. They only found that out because the f. B. I. Informed them of that. We dont know what their supply chain practices are. We dont know where their parts come from and we dont know what kind of internal Cyber Security practices they enforce. So Election Officials can know what kind of security practices they put in place in their offices. But they really dont know when theyre dealing with vendors and purchasing products or services from them, what theyre doing. They can ask and they can trust them about what theyre doing , but they really cant know. Were not going to get that problem fixed before 2020. But i do think there is a bipartisan interest in tackling this problem. There was a hearing at the House Administration committee in the past couple of months, where both republicans and democrats expressed concern about this issue, and certainly when i talked to Election Officials of both parties, they say this is something that they want to address. So i said, i dont think well solve this problem before 2020. I dont think that means we need to be despondent about 2020. The department of Homeland Security, Election Officials, state and local governments have all done a lot to secure our elections and our election infrastructure since 2016. And of course for the first time in more than a decade, congress has provided money to the states to help secure their systems to spot and patch vulnerabilities in those systems that they purchase from these vend. Nevertheless, i do think this is a real weakness going into 2020 , and the solution, as always in elections, is to hope for the best and to prepare for the worst. So that brings me to the second lesson from iowa, which is that a great danger of cyberattacks is systemwide failure. No election is perfect. There are always technical problems that we read about and see in elections. But if the reporting app in iowa, you know, were just a few glitches and only some precincts had trouble reporting their results, i wouldnt be here talking about iowa today. The problem in iowa was that the failure was systemwide. Systemwide failure is different and it is a danger of Cyber Attacks that entire communities or jurisdictions can be targeted for systemwide failure. A systemwide attack could be particularly damaging if, unlike in iowa, it prevented people in large numbers from voting or having their votes accurately counted. That means systems like Voter Registration databases, electronic pole books, which are used to determine eligible, and, of course, voter machines. The answer do this vulnerability to this vulnerability is to build in redundancies to ensure resiliency. So heres an example of one of those pieces of infrastructure that i was talking about. Electronic poll books. What might happen if this system was attacked or failed . It might not start up. So wed have difficulty checking people in. It might have inAccurate Information. You get long lines. People get told they cant vote a regular ballot. Maybe theyre even sent away. Weve seen examples of this is nearly every federal election. But at a county or statewide level, it would be a real i mess, and i would argue a bigger mess than the problems that we saw in the iowa caucus. So what kinds of things can we do to ensure resiliency under those circumstances . Well, there are 41 states that use these electronic poll books. Only 12 of them require to have in the polling place a paper backup for these electronic poll books. That seems like an obvious solution. Having something thats not on this tablet to go to, if the system fails. Of course, even if you have a paper backup, its possible that the paper backup itself could be corrupted in some way. And there we have a federal solution for that. The Voter Registration databases is infiltrated in some way. The federal solution is provisional ballots. We can have people vote and go back and check later whether or not there was some problem with the data that we had. So thats a really good federal failsafe. Unfortunately, most states dont have any minimums on the number of provisional ballots in polling places. And we have had instances in the past where polling places ran out of provisional ballots. So the Brennan Center has recommended that every voting place have two to three hours of materials, if theres some kind of systemwide attack on the database or on epoll books. Of course, voting machine failures themselves can also be a problem. There are 20 states that use electronic Voting Machines to cast or mark ballots. And there, again, emergency paper ballots that can be broken out, so that people can vote on them, are key. But many states dont have minimums, again, for emergency paper ballots in case of that kind of a failure. That brings me to the third and final lesson i want to talk about in iowa, which is that paper backups are essential. If voters in iowa had voted on that after that failed, instead of it just being a reporting app, we really would have had problems in iowa. There would not have been a regard to go back to that people could have trusted. We might have lost those votes entirely. We still, unfortunately, have states that have whoops. We still have states that are using paperless Voting Machines in the United States. And this is despite the fact that there is near universal agreement, and there has been since 2016, that we need to get rid of these systems as soon as possible. The good news is that weve drastically reduced the number of paperless machines that we use in the United States. Weve gone from about 30 Million People voting on these paperless systems in 2016 to, i would guess, less than 16 million coming up in this new election. There really are, as you can see from this map no battleground , states that will be using the paperless machines in november. This november. On in addition to having paper, we should be routinely looking at it to check the totals that the software is reporting. Only about half of all states require that kind of review of the paper, before certification, and even fewer check a statistically significant number of the paper ballots. So im just going to wrap up by saying while all that may sound dire, i think the good news for 2020 is that all the things that i talked about as important resiliency measures are things that can be done in 2020. Its not too late. Probably not even too late for the primaries and certainly not for november. Getting backup paper poll books in the polling places is something that is very accomplishable. Having enough minimums of emergency paper ballots and provisional ballots is something we can do this year, Something Like conducting audits are things that we can get done in time for the november election. [applause] prof. Mckenna thank you, larry. I think governor ridge made this clear, but our states are on the front lines in securing our election infrastructure. And one of the resources that our states have are the National Association of state election directors. So were very fortunate today to be joined by the executive director for the association, amy cohen. [applause] ms. Cohen good morning, everyone. Real quick before i start. I want to emphasize something that larry said for the kids at home, which is that caucuses are not run by Election Officials. They are run by political parties. So im sure everyone in this room knows that. But i just want to emphasize it as we kick off the rest of today. So thank you very much, anne, for having me. I thought it would be helpful before we spend all day sort of , talking about elections and Election Security, to give you an of view of sort of how elections work, to help you have more of an informed discussion. The National Association of state election directors, or nased, is a professional association for state election directors. And our members are all 50 states, d. C. , and the five u. S. Territories. So i like to say that we cover a we haveround, because American Samoa and guam and california and texas and literally everything in between. And as you all know, those are very different. In 40 states, the chief election official is the secretary of state. And they are represented by the National Association of secretaries of state. My colleague is in the back, but in those 40 states, the election director works for the secretary of state. And in the other 16 states, the election director is the chief election official. If youre wondering what an election director does, they are the Administrative Professionals who implement policies, implement technologies, run trainings, work with local Election Officials, and so much more. There are a handful of federal laws that touch elections or govern elections, but i think when were talking about security, a big one to remember is the americans with disabilities act, because Election Officials have the very difficult job of making sure that elections are both secure and accessible for all voters. There are, of course, other laws and the constitution, but in general, elections are run by the states, which means that theyre very highly decentralized, both in law and in administrative structure. Most states administer elections at the county level, but there are 12 or so that administer elections of the township level. They are mostly in new england, but then also in michigan and wisconsin, which means that there are between 8,000 and 10,000 election jurisdictions in the country, depending how you count, and every single one of those local election jurisdictions is responsible for elections in their jurisdiction. I would like to use wisconsin as an example, because they have, depending on how you are counting, 1853 local election jurisdictions, or somewhere over 1900. If youre a math person, you recognize that thats about 20 of the local election jurisdictions in the country. Many of those are parttime, and a third of them turn over annually. So, when were talking about implementing Cyber Security at the local level in particular, thats what were working with, right . We have to run trainings and educate local Election Officials who may have other responsibilities, but who care about deeply about democracy and who care deeply about doing this , and we dont want to scare them off. Because we cant run democracy without them. Wisconsin, theyre not here, but ill pick on them anyway, because theyve done such an excellent job in a lot of different ways. They have run trainings at the local level on an ongoing basis, they are doing hundreds of trainings a year for all kind of things, Cyber Security and election administration, things like that. Theyre doing tabletop exercises. And they have implemented multifactor authentication for several systems for all of those local election jurisdictions. But it is really hard, because, again, you have to make sure you are not scaring people off and running them out of the process. Since the Critical Infrastructure designation in 2017, states have taken advantage of a lot of different resources at their disposal. All of the states are working with the department of Homeland Security in various different ways to secure elections. Many states are also taking advantage of instate resources, working with the state cio and other things like that to do phishing tests, vulnerability assessments, things like that, within the state. We have states Like Washington , who are working closely with the National Guard to take advantage of that cyber expertise. Obviously, amazon, microsoft, and many others based in washington, so they have a lot of good cyber expertise, but there are other states doing the same thing and we have several working instate with colleges and universities to run trainings, but also to take advantage of the expertise there. We are seeing that at the local level as well, where local jurisdictions have colleges or universities in their jurisdictions, and theyre relying on that expertise, because they may or may not have it within their own office. Something that larry touched on, were resources. Elections, i think most of new this room probably know, elections are sort of chronically under resourced. And then when federal disbursements come, certainly people appreciate that and the thing i like to remind especially i like to remind people in 2018, is that it is really hard to procure stuff for state and local government. Its hard. Especially when youre talking about dedicated technologies like Voting Machines. These are not things that you can just go to staples or office depot and buy them off the shelf. Thats not how it works. Its dedicated technology, and it takes a long time and can be really difficult to do. The other thing to keep in mind about procurement is because of the different ways that states are structured, in some states, things like Voting Technology are procured at the state level. You have the buying power of an entire state, which can help with negotiating. In other states, that is done at the local level. That can be really difficult, and, again, then you get into the timelines of such things. Once you get through a procurement timeline, then you have an implementation timeline. Nobody wants to implement any technology to weeks before an election, that is insane, frankly. You need to have time to educate your borders if it is great to be a voterfacing technology, and you need time to educate poll workers and staff, because an election really requires all these different people to work together. The thing that i will say again, also, to keep in mind as we go through today, the best way to know whats going on with elections is to talk to Election Officials. Talk to your state Election Officials. Talk to your local Election Officials. There are 8000 to 10,000 local jurisdictions in the country. I can guarantee you that you will find a local election official who is willing to talk to you and talk to you about this. The other thing ill say is that every single one of you has the opportunity to be a part of process, both as a voter and as a voter and also as a poll worker. The best way that you can sort of make sure that things are going the way they should be going is to participate in the process. Participate as a voter and participate in the process as a poll worker. People feel more comfortable in their polling locations when they see their neighbors. So be there and help your neighbors feel more confident in the process. Finally, ill say that you also have the opportunity to attend to your local logic and accuracy are testing, so that you can see how local election jurisdictions are testing and preparing for an election. I talked to quite a few local Election Officials in 2018, and i said, did anybody attend your local logic and accuracy testing . Everyone is talking about Cyber Security. And the answer was almost always no or maybe one or two. So those are my three big ways that you in this room can get involved in the election, be a poll worker, and if youre concerned, attend your local logic and accuracy testing. Thank you very much and enjoy the day. [applause] prof. Mckenna thank you, amy. That was really helpful. Im very excited to introduce the dean of penn state dickinson law, danielle conway, and bring the going to bring up panelists. You can sit in whatever order you are. And we have an npr correspondent, not to take her line, but she was covering Homeland Security when all it was an empty desk in the west wing with tom ridge sitting at it. Right. So its come a long way. [laughter] prof. Mckenna we also have Jared Dearing. We heard amy talk about what election directors do, and this is an interdisciplinary panel. Next to pam is Maurice Turner, who is cdts technologist. To have them give that perspective. Next to maurice is larry, who we have all heard from. Danielle, take it away. Dean. Conway thank you, and can you advance the slide . Prof. Mckenna yeah. Dean. Conway fantastic. So from the institution of our nation through the Voting Rights act of 1965, i will get no argument that voting is the cornerstone of our democracy. From frederick douglass, to Elizabeth Cady stanton, we have been in a constant and herculean struggle to be selfactualized as voters. The modern struggle though, against disenfranchisement, voter suppression, and obstacles to registration must now account for insecurity of Voting Technology. This Voting Technology creates failures in a democratic system, functional failures, and security failures, and so this panel is here to address these failures. I want to begin with pam, talking about voter confidence and democratic failures. I will give you a lead question, pam, about helping us understand the decline in Public Confidence in the fairness, accuracy of our elections by hacking and failures ive listed. Pam well, thank you very much. Im glad to be here. We at npr, and many other organizations, have recently done polling on voter confidence in the elections. And i just want to give you some of the results, which i found quite astonishing, in part because we actually have had pretty good elections so far. There really is not much evidence of people tampering with votes or systems breaking down, but thats not what the public feels. So this poll we did in january, and 41 of the people we pulled not think thatdo the nation is prepared to fend off an attack against our elections. 44 think it is very likely or likely that many votes will not be counted. That is 44 . That is pretty astonishing. Than 40 think it is likely that a foreign country will tamper with the votes to change the results. Thats 40 . 77 think that Foreign Countries will spread false information. I sort of wonder about the other 23 . [laughter] ms. Fessler then, this is very concerning, because more than half think that it is much more difficult now to distinguish what is true and what isnt true. We did this in january before, and we did this before when we had the news last week where we had these briefings, and news about briefings about russian intentions in the upcoming election. And what i found sort of most surprising, that generally cant see from my reporting anyway, that there was much new or surprising in the actual briefings. What, to me, was actually surprising was sort of the response to that news. We had the president reportedly was very upset that once again, an assessment was made that russia was working in his favor. He replaced his director of National Intelligence. We had Bernie Sanders revealing that he also had been informed a month earlier that his campaign was being helped by the russians. He implied that somebody was leaking this intentionally right before the nevada caucuses for political reasons, and then it was just one thing after another, where everybody was pointing their fingers at each other. So, as low as the confidence was before all this happened, we have to wonder what the confidence is going to be going forward. Dean. Conway so you have outlined this decline in Public Confidence not just including disinformation barriers to voting, foreign threats, media reports, but also our internal actors, our candidates are pointing to this. This might be disinformation in and of itself. Ms. Fessler right. Exactly. Exactly. Dean. Conway may i ask you, pam, to comment on the growing doubts of validity of elections as we move forward . What are you doing now to try to combat this, and what can be done to address this, in the likes of what we talked about as well . Ms. Fessler i think one of the things that amy talked about, and what Election Officials have talked about everywhere, you need to go to a trusted source for your information. That you shouldnt believe, obviously, everything that you see in social media. The problem is that there is so much information out there. I want to talk a little about the media, the role of the media. You know, it is very difficult, because obviously, our job is to point out where there are potential problems, but i think that more needs to be done to make a distinction between what is a problem that is just a technical thing, a machine that broke. I always think about larry, remember a few years ago, there were so many reports of machines, where there was slipping of votes and all the se people were, oh, something nefarious is happening, and larry goes, no, because the machines when they get old, theyre just old. So i think it is very important for the media to make distinctions between what are just the normal problems that happen in elections versus something that really is not something nefarious going on, and its not always easy. But i think it is important. Then it is up to the Election Officials, its up to intelligence officials, i believe, to share this information so that we have a better idea of what we are reporting about. Dean. Conway great. I would like to turn the discussion to jared and maureen particularly to talk about the law and policy functions. What kind of strategies can we take in the appropriations sector to support election innovation, function and security . Maurice well, i think appropriations are the key when it comes to the practical side of who you do we get out of the security hole that were in , because all the solutions require funding. It took almost a year here on the hill for an appropriations bill to be passed and help support even just a portion of the investment necessary, and i think that is too long. It took a lot of time and a lot of Political Capital when obviously a lot of the members were interested. We had dozens of bills and dozens of congressional hearings. Usually those are strong signals that we will get something done , but, unfortunately, that didnt happen. It ran into a blockade in the senate aide got a huge amount of effort to get a small amount of money through. And coming at the last minute, it meant there were unfair expectations how quickly that money could be spent. Its hard to imagine what it would be like to be at the state and local level, trying to figure out how much money is going to come from washington. When is it going to arrive . Then plan a budget around that, especially for states. And theyre budgeting once every other year. Jared i am very similar to maurice. My take on this though is, you know, we have a lot of people in kentucky that were saying, well, clearly this is the federal governments fault. And in my opinion, really stable electionfunding needs to be a tripod of funding, it needs to be federal, state, and local and if all three are not participation in that process, then its not stable election funding. My belief is that, instead of helping america vote act or hava, funding to replace the election equipment several decades ago. What we see now, there have been created some pretty significant negative externalities created by dropping tranches of funding every year or so into the state, and the states are not incentivized for their own budgeting streams. Routinely, i would speak to state legislators and say, we need to fund these systems and create more opportunities for the counties. And when we hear back from them, it is like, well, we are being told that the feds are going to drop money in. And at the local level, it is even harder, because they are not getting access to federal dollars and also not getting access to state dollars. I had to recently go into a county in one of the most rural parts of kentucky, where the fiscal court was about to zero out the elections funding for the county clerk. I wanted to tell them, one, it is illegal, and you cannot do that. Two, i sat down and worked with them on their budget for several hours, because they are trying to fund water bills for the hospital, theyre trying to fund roads and trying to do that in a time when the town itself is completely transitioning from a coalbased economy to an economy thats just not there at all. So that Funding Source, that tax base that was there prior is no longer there, and they need to be able to have a Funding Source that is routine and that they can count on on a regular basis. For the state level, it is the same, we need that from the federal side. If the federal government continues to drop every decade or so, its only going to intensify the fact that all of our systems are coming to the end of a lifecycle at the exact same time, which intensifies that need. Dean. Conway so i think i am anticipating what larry want to talk about, i hope i am, because you refer to upgrading systems and making them more interoperable. So let me ask this question to you, jared and maurice, give you a little time to think about it, and then i will let larry speak. So the question i want to talk about with systems is, is there an i. T. Knowledge gap . Do we have the means and the capacity to address that i. T. Knowledge gap along with the funding gap . Larry . Larry i was just going to add something to what jared said. Its a problem that you have a lot of finger pointing going on when it comes to election funding. That the state will point to the counties, or maybe to the federal government, and the problem is that there is no investment. I think ultimately, congress has to solve that problem. Congress is the one that can lead. They can do what they did with this last tranche of money, it would be nice if they did it on a consistent basis, where they require the states to match a certain percentage of that money. I think absent that, what ends up happening is that everybodys waiting for somebody else to fund it, and in particular, what you start to see is that it is the poorest counties that suffer, particularly rural counties. We saw this, we did an analysis in virginia a few years ago before they finally replaced their equipment, and it was those counties with the lowest Median Income in the state that were left with equipment that was breaking down the most, that was the oldest because nobody was acting and the wealthier counties were able to afford it. Jared the irony is, i actually think it would cost the federal government less money if they doled it out in yearly installments or biyearly installments at the federal election cycle rate, right . And if they did that, it would encourage the states and the counties to spend more and own more about responsibility throughout the entire ecosystem of procurement. Dean. Conway so would that be a first start in creating and in orderlistic system to plug the i. T. Gap . Jared absolutely. Dean. Conway what else . Jared and i know that maurice is doing a lot of work on this topic, and ill let you speak as well. From my perspective, ive got 120 county clerks that vary in skill sets and abilities. What i can say is that every single one of them is deeply, deeply invested and care an immense amount about the sanctity of our elections and about the foundational level of our democracy. But some of them, they just dont have the resources. Were talking about individuals who may be nondigital natives. And i have said this in other forums, but were now asking them to participate in what is national security. Were asking them to do that with very limited resources in communities where many of the smartest individuals are leaving to go to college, go to larger cities, and theyre not returning with those skillsets to be able to provide some of that gap in i. T. Understanding. Dean. Conway maurice. Maurice so i think there is a multipronged approach, that would be appropriate. First would be starting with the local community, as amy mentioned earlier, one of the best ways to help is to be a poll worker. Why i think in every community there are folks who are not only more comfortable with technology, but folks that have the ability to get specific i. T. Security training and become poll workers. Because as a nation, we are facing a Cybersecurity Workforce gap. That could be a place where additional dollars could help. At the federal level, it is being done where there are special classifications and equipment processes that can take place to help encourage people with those skills to come on board. I think that is something that can happen at the state or local level. Barring that, well have a longterm solution. In the shortterm, programs like the illinois Navigator Program where you have a state level, small force of folks with these skills that can go out and be assistance on a shortterm basis, to help shore up the security immediately, is definitely a step in the right direction. Leveraging National Guard units that have some of these abilities, and then rotate them around and see where states can help together through mutual aid benefit arrangements, so that way, if a state is suffering from an attack, leveraging within the region to get additional support. Dean. Conway thank you. Amy cohen and pam fessler mentioned the difference between functional failures and security failures, larry. Can you flesh that out a little bit more, so that we have a good working knowledge of that distinction . Larry yeah, i mean, in fact, somebody said this to me a long time ago, you know, anything that can happen by accident , practically, when youre talking about technology, could also happen as a result of malicious actors. Many of the things we see that our technical problems on election day, you can imagine them happening as a result of a cyberattack. I talked about electronic poll books failing and they failed somewhere. I think there are lots of good reasons to have electronic poll books, by the way. But they fail somewhere in every federal election, but with the cyberattack, obviously, you can be much more deliberate about what you are targeting. And the same thing with problems with we had a situation in los angeles some time ago, where there was a software bug and the information was in the registration database that went to the poll books was inaccurate. Right . So in fact, i think often, if we want to look at what kinds of problems we could have as a result of a cyberattack, the best place to look is where these technical failures have happened in the past and try to imagine, if they were more directed, if they were more systemic, what would they look like . Dean. Conway so larry and maurice, could you address some best practices used by Election Administrators to avoid the functional failures . Say, protecting against a software collapsed or lack of security software, a la iowa. Maurice certainly. Well, i definitely want to start off by saying Election Officials are some of the best when it comes to planning and making contingency arrangements in case something happens. We are not just talking about particular Cyber Security threats, but also if there are Power Outages or theres bad storms, the roads arent passable, there are a number of things can go wrong on election day that we need to be prepared for, and i think this is one avenue of that. Something that is acutely foreseeable and that we run into last year was the idea that windows 7 support was going to be ending, and somehow that came to a great surprise over the summer, even though it was something that was published many years ago. So i think it is looking further down the road, when we are talking about software road maps to make sure that a critical , piece of equipment, that the software is something that also needs to be kept uptodate and supported. It is dangerous to run software that is no longer receiving security patches, so we need to take that seriously. We need to make sure the software is up to date and the equipment the software is running on is appropriately configured. Larry i would just emphasize what i spoke with about a little bit in my presentation. Resiliency planning is critical, and having redundancies is critical. Being ready for what to do face in case the ebook and poll book are not working, having enough backup materials ready to get you through the worstcase scenario, which is one you might have as many as 35 of your voters coming through. To figure out, what do i need in this polling place to get me through the period . Very often, those solutions are lowtech. They are having the emergency paper ballots, they are having the revisionary ballot materials. The key thing is training the poll workers and making sure the poll workers know what to do when these problems happen. I am going toso open this up to everyone, and i will ask pam to start off. We are going to talk about security failures now and round out the discussion. Identify the greatest threats to Election Security, say Media Coverage of elections, vulnerabilities, the role that media plays in Public Confidence , and how media reports come in daytoday and give us this information. Pam well, i think i talked about that a little bit already. I guess, you know, one of the things i have been covering the election process since the 2000 elections, you know, when we had the hanging chad issue. And what has struck me is that every single election, the problem that emerges and i am talking about in the major cycles is something people do not expect. It is something different, whether it was long lines, whether it was a storm. And that is what the challenge is for these Election Officials, they have to prepare for everything. We have not even talked about the fact that we have this coronavirus issue now. What if something emerges on election day or around that, where people are not supposed to be gathering . There are so many things to worry about, and every single time, it is something different. We obviously have a lot of focus now on Cyber Security, which is very important. And training and communication, but as weve also said, our adversaries only have to make it look like they have the potential to disrupt something. To disrupt something. I think that danger right now, is us kind of believing that they have this power, when they dont actually. The other big thing that we havent really talked about that much is the whole spreading of ransomware, which i think at least the National Intelligence people are very concerned about, that it wouldnt take much in very specific jurisdictions simultaneously to paralyze getting the voting results, and we dont know when thats going to happen or how it is going to happen. Dean. Conway jared . Jared um, you know, honestly, and i hate to say this, but facebook and twitter are legitimately probably the biggest threats we have in Election Security. We, at the state level, are doing everything we can to harden our systems. To larrys point, we often talk, not necessarily about security, but resiliency throughout the entire system holistically, but , you know, when were talking about the security, when we look at the in order for democracy to work, people have to actually show up and vote. Right . And were seeing decreased voter turnout year after year, and some of the polls were seeing, similar to what pam was talking about, we are seeing a lot of people who fortunately dont believe their votes will be counted appropriately and correctly. I was at devcon last summer at a panel, and we were talking about this and i am seeing this as an engineer not just an administrator, but we were in a room full of engineers and the moderator asked, how many people in the room first he asked the\ panelists, actually, how many of you are confident that your vote will count in the next election . Everyone on the panel raised their hands. To the audience and said the same thing, and everyone laughed. And they thought it was a joke. They said, oh, no, were not secure at all. Were talking about a very limited group that theyre very myopic on understanding and how elections work and systems as a whole, and it was disturbing, because these are the people being interviewed by the media, people these are people who are on camera right now. And you know, i was sitting next to someone who works with election systems in colorado, who knows more about the Election Security in the state, and he is confident his vote is going to be cast and counted appropriately and correctly. I know a lot about my Election Security systems in kentucky, and i am confident that when i cast my vote it will be counted correctly and appropriately, but, yet, the general public is at unease and, you know, unfortunately, a lot of it is both miscommunication and disinformation thats going out via social media. But it is also sometimes the normal media process. There are a lot of incredibly dedicated journalists out there , and ive yet to meet a journalist thats not actively trying to help this process. But the problem is, you know, unfortunately, when we tell stories, we can either tell stories that push people to the polls or inadvertently pull them back from the polls. And every time a story comes out that weakens that trust just a little bit, it breaks the system. So dean. Conway and i know that we have an audience of burning questions, but i want to give maurice and larry a final word on these greatest threats. Maurice sure. For me, my biggest time for concern is coming up, so its going to start in about a week and then run through the first couple of weeks in march, because there is such an opportunity for both the operational failures, but also some of the misinformation campaigns to really have an impact in a very shortened time period. I am not so confident that we have the processes in place across different states for having these primary elections to be as resilient in a shortened period of time. Going back to 2000, bush v. Gore, we had several weeks to ao the supreme court. Have a i see if we similar situation where the outcomes are unknown and we are having these back to back to back primary elections that we dont really have the processes we have not tested those for anes to really allow fbi investigation to take place or some other investigation to take place if there was evidence of interference what does it look like if the vote totals change a week later . We saw what happened in iowa, we are seeing what is happening in nevada, where we are not having 100 of results being reported. I dont know that, given the number of what we have in the races that we would be able to recover as quickly. We have seen it drop out immediately after primaries. Klobuchar raised about 12 million, a significant amount money in her came. As in her campaign. In her campaign. I think the timetable is going to be dramatically shortened, and i am not so confident that we will be able to, as a nation of states, have a coordinated response that it would take to recover if there is evidence of malicious interference. Word, and we final will take questions. Larry i would echo what everybody else has said. The combination of disinformation, whether it is operational failures or something else, with social media, is it really can result in undermining the trust in elections, and ultimately you need that for elections to work. For elections to work. Particularly as we get more hyper polarized, it becomes more of a challenge. If you look at if you look at polls, the losing side is always much less trusting that the results were accurate. If you add to that social media and you have forces domestically and abroad looking to fuel the fire, it becomes a dangerous combination and there is a lot of work we have to do to get ahead of that. Have to do to get ahead of that. Danielle we will take lessons now, and you will pass the mic to those who are raising their hand. We have a hand raised. As someone who is an undergraduate student entering to help out on her College Campus in regards to voting, i guess my question is for jared, because huma you mentioned facebook and twitter. Facebook and twitter are huge on campus. For example, a lot of my peers about my friends even a lot of family members who are in my age range from 2030 are constantly looking at twitter or facebook for their political content. As someone who knows that is one of the worst things you could do when it comes to securing elections or just in general, having political opinions, what would your advice for a College Student like me who is trying to steer everyone away from fake news on social media . Larry so one, identifying trusted sources. Depending on what state you live in, who is the chief Elections Official . Is there a state board of elections, secretary of state . In some circumstances its, could be the executive branch. But understanding where those trusted sources of information are coming from but also identifying when you see something that you think is inappropriate, identify and let someone know. We had an instance in kentucky in our last Gubernatorial Election were someone tweeted out they had shredded thousands of absentee ballots for specific party. We know that that is not true, because we actually track our absentee ballots so we knew there were none missing. Clearly someone whos trying to put that information out. But because someone saw it, a very small limited network, identified it, pass that that information up to us, we were able to take that down from twitter and have them deal with that. Part of the problem were facing has been people screen grab that and reposted it on twitter and said it was commentary, so we are not going to take that down. Orn though it is commentary disinformation, it was only spreading their message. Honestly, its one, understanding that consumer still has some control in that marketplace. Notifying twitter and facebook but you will remove yourself. If you truly care about elections, youre not going to take part in that process. Like we have to start putting pressure on facebook and twitter. Probably irrationally told facebook at one point, you would be doing society a favor if you replace your platform with cat videos. [laughter] i dont think theyre going to do that realistically. That means that as a society, we need to put pressure on them as an organization that resides in our country. Danielle next question right here. Hello, i have a question as a law student, i am from dickinson law. So it seems to me that most of the problem is with the private actors here. Its the private vendors that make the machines, it is facebook, instagram, twitter and windows systems. Is it possible to remove these private actors from the election process . Is it too late . Or can we downgrade to a system where we use paper . Or should we upgrade to a system where we are more heavily where we basically accept the fact that we now have to consider these cybersocial engineering interferences on these platforms and just use a completely different system than a state, county or townshipbased system . Maurice i think that the private sector is essentially linked to our election infrastructure. That is actually something that is true for most work that governments do. Thes not always going to Government Employees doing the work. There are positive examples of private sector coming into the elections process i will highlight a couple voting works is a nonprofit that is actually designing and ruling out open Source Software using commercial offtheshelf hardware to help lower the cost of elections for Election Officials to help close the budget gap. But also making it accessible, secure and accountable. There have been pilots in a couple of states. Microsoft is putting resources behind a concept called. Dtoend viability that was piloted just last week in wisconsin as a partnership with voting works. Some jurisdictions are going to them as a way of using security built into mobile devices plus botching technology to be able to help increase the security for the voters that are least likely to turn out, talking about folks are military overseas or even have some accessibility needs. Those are voters that have turned out in such low numbers, that it is worth considering adding a bit more risk to the way that they vote. Because traditionally, trying to get those ballots back either by x is even lessfa secure. So there are some additional conversations that can be had. The appropriate amount of investment in the development of some of these new technologies, rolling them out as pilot programs and sharing that information across states and local jurisdictions, we can be in a much better place rather than the way were doing it now , where so much of the industry is concentrated within a small number of manufacturers. Basically counting on local Election Officials to be not only security officials, but also procurement experts when it comes to evaluating holistically whats the best technology to use for my local jurisdiction. Ill just add quickly, its hard for me to imagine giving getting the private sector completely out of our elections, they are so intertwined in our elections. Even los angeles basically built its own Voting System but even there they were working with private vendors to help them. Its not like the inhouse expertise to build their own system. I do think that, and i alluded to this little bit in my talk, we need somebody to help Election Officials. Theres so many vendors out there. Maurice mentioned votes and there was a study recently came out on a system that there was a Marketing Team from m. I. T. That identified security risks with their system. The jurisdictions that are contracting with them, why shouldnt they be able to figure that out ahead of time . Somebody needs to help, and to my might have some kind of federal certification system the way we do with Voting Systems. It would be very helpful, so that we are not relying on Election Officials basically to have to guess, and relying on salespeople who at the end of the day are interested in selling and are not necessarily going to be as interested in ensuring that their systems are as secure as possible. Danielle it would seem to me that there are ways precontract, to do design specifications and Performance Specifications that are uniform and interoperable, such that it can actually respond to that, even though you have a vendor working with the government to create can i add something . I do think that local Election Officials are a lot better than what they used to be. I think the vendors would come in and say, we will provide this machine, trust us. There is a lot more questioning of not only how the Machine Works and what the vulnerabilities are, but also what their security practices are. Some of the states and localities have built that into the contracts they have now with vendors, that you need to tell us exactly what the security protocol is. It doesnt mean there arent still lots of vulnerabilities. One quick thing is, you said that you think it is a private sector where a lot of the problems or. Wanting with. Problems were. One thing with facebook and twitter, i point again to last week, the example of what the response was to the news coming out about these briefings on russian interference. It was the campaigns that went to twitter, and the candidates who used it for their own political purposes. So it is not just the private sector, it is the Public Sector and the candidates as well. Danielle great. We have a question here and another question here. Helping us get the word out about the upcoming census it is going to help us we draw our electoral boundaries. Are there any [indiscernible] on how that is translating into the [indiscernible] . I will speak to that a little bit. I am also concerned with the of theand the security census. I have been concerned about that since my time here on the hill when it was obvious that the operational benchmarks were not going to be met. My biggest concern is that with this massive push to get people to complete the census online, if people are that are not confident that they can complete the process online or they are simply not able to because those systems are not up, it will put additional pressure on volunteers to be about to go out in person timid and currently, the system is behind when it comes to getting volunteers, behind when it comes to community partnerships. So it looks like it will be an additional pressure on back of systems that are also not functioning, and that has a cascading effect. What were seeing is the potential for the American Public to see the institutions of government as not being able to function in a digital age. It started with the healthcare. Gov, the obamacare website, and we have just seen failure after failure after failure that people can point to. The opm data breach. These are massive hits to confidence that regular people can identify, and it sticks with them. At some point, we have to show the government that we can do the digital age correctly and securely, in a way that is accessible to everyone. So my hope is that there will not be any major incidents that have a negative impact on census. But census tracts with elections when it comes to were doing this to ourselves. That means if theres a coordinated attack that is targeted, theres a highly likelihood that it will be successful. Would just add really quick but i think you have a similar issue between census and elections with disinformation as well. Theres the potential for a lot of Bad Information out there around the census, attempts to discourage people from participating in the census. And i do think that again, the media and trusted officials have a responsibility to be out there giving good information about it. Jared two things to the census part. One, it shows you how interconnected elections are with so many varying things and theyre so granular and its hard to actually tell that story. When there is some sort of issue, whether it is an equipment failure, or a website at the county level has been taken over, when it is reported, it is always reported as hey, election system is hacked. With the general public years here is that, i think that is what is skewing some of the numbers when people worry about their vote being cast. When they hear its a website that is just a countywide website, they equate that with Voting Systems, the thing you cast your ballot on. Because of the inability to anularize stories when it comes to election systems, i think thats pushing some of that narrative. But when it comes to the census i think, i took my political hat off a number of years ago. You cant win elections of still you cannot run elections and still have a party hat on. When it comes to redrawing lines, i do have a comment on that. What i will say is that we often talk about elections being the foundation of democracy. I think it is maps, maps are the foundation of democracy. Updating Gis Technology in states is highly, highly important because we live in a representative democracy. If i can guarantee you are getting the correct ballot face to make sure you were voting for for your actual representatives, then you are being disenfranchised. We have to begin to do more with these ancillary technologies that really play a large role. This is ai think holistic issue. Questions here . Hello. I am with propublica. When maurice, you were talking about the different primaries and how the reliability of those results matters in terms of how candidates the money they receive, i think back to an knoxent a few years ago in county, tennessee, in which the county website that reported these results had gone down. Im just curious your thoughts if results are tallied and kept securely by the state, local and county officials will they still put up results on the website . Especially a 15yearold windows operating system and or create fraudulent results that have dueling winners for a county or federal election, im just wondering, first, do you see this as a potential problem, an area that has not been addressed, beyond talking about Voting Machines . And what can be done about it . It needs more upgrades, or moving to the cloud as a Green Infrastructure that way . Just curious your thoughts. Maurice i am worried about that. It seems like an unfortunately easy way to undermine voter confidence. Abroad, we have seen attacks on things like reporting sites. I think having redundant sites ready to go if there is a andlem with your site, again, i think there is a possibility for those that can onit, to report accurately what those totals are, on the fact that they are unofficial. That where the official sites are, i think all those are of potentially addressing problems that might occur on Election Night with reporting results. I think we even saw this a little bit with iowa. What happened was a mess. It looked really bad. But at the end of the day, it was about reporting the results. They did have paper backup for the votes that they were able to go back to. So some of it is just i think on the media and the reporting, but you sure that we get out Accurate Information. As i said, i do think that it is valuable to have for election offices to have redundant sites if something goes wrong with the sites that they have that go down. Maurice i will address that from a Technology Point of view. I think it would be important to keep in mind how people are actually looking for results on Election Night. Are they just typing in an Election Results insert my state into google . Are they going to social media . Are they going to the election official websites . View, i thinkt of that if we can make it easier for machines to find what the Election Results are, it would be easier. So if someone types in what is their election result on google, you know, what are some ways that we can make it easier for google to find those trusted Information Sources with Accurate Information on them . Things like a dot gov domain , as a trusted source of information that is easily identifiable, something that is different from other domains. Webpageschinereadable so that information can be easily parsed and updated. Because i can definitely see a situation where, on Election Night, people are just asking with their voices, who is winning, or who did win, and they have no idea where the information is coming from. Whens the last time you asks alexa, what is the weather . What is the data source for the information . You go okay, its going to be about 32 degrees, i should get a jacket and you move on from the day. We can take a look at what are some ways we can make those trusted sources more readily identifiable and accessible by the tools people are using, assuming that they may not go directly to that source of information. I think that there is more of a push this year to try and get the word out, not only just from the media but also from election dont expect to get the results on Election Nights. That seems to be the message. If there was any good advantage to the, it was to say, this is initial information, you might have to wait days. I think you can talk until you are blue in the face, people are still going to want the results immediately. One problem that i see is that the candidates will, one candidate came out ahead in the gotnning, then when they more official results and somebody else is ahead, if it is a really close election, they are going to use that to try and sow doubt in the results. I am thinking of florida and in 2018, there were huge numbers of absentee ballots that were not counted. It was days, and there were all these President Trump raised this question, why do the results keep changing . What is going on . As though it were a fraud. I think we all just have to be very careful in trying to get the message out, this is the process. I think there will be tons and tons of absentee ballots this year. You know better than i do on that. But [laughter] jared, you have the last comment. Jared it is absolutely a problem. Night returns, as a society, we need to get away from this idea have to have them immediately. Part of that process is that with the controls in place to mitigate risk. In kentucky, we posted Election Results on every single precinct before those results actually go back to the county. So to me that the several it adds a layer of security into the system that says that votes are not being chained at the county level and that we can always go back. Its also giving access to ap and admins to have runners that go around. They actually pulled the results on the doors of the precincts in kentucky and have those up and ready to go. Quite frankly before i have those results. So for me even though on my Election Night deterrence system, it says in big flashing red letters unofficial , results, it is a how many times i say that or its on there are big and bold it is, people still take that as verbatim and the run with it. And they run with that. We know is definitely from election administrator processes, is a human process. There is Human Interaction with this data. Because of that, sometimes a clerk might fail to put absentee numbers of the end of the night. Guess what, when they go back to certify the election, those numbers were grown because of absentee numbers are coming in, and it becomes a breeding ground for disinformation and for that sort of thing. In my last Gubernatorial Election, i had a governor that did not can immediately based on concede did not immediately based on the fact that our Election Night returns system was showing different things. And he appropriately asked for a recanvas and he improperly allowed that process to play through. Properly conceded the race after those results came back. Thats appropriate. But what happens when the numbers are so skewed that the general public doesnt trust those numbers . Thats a big problem. Pam can i just add one thing . Danielle it will be the last one. [laughter] pam sorry. Larry brought this up a bit in the beginning when he gave his talk, why it is so important to have these audits after the as a matter ofat routine, you do a risklimiting audit, so that people have confidence that those official results, if different from the initial results, are accurate. Danielle i would like to thank pam fessler, lawrence norden, Jared Dearing and Maurice Turner for this conversation about Cyber Security and election system infrastructure. Thank you. [applause] you all. We are having a coffee break now. Stay tuned for the social l engineering discussion