I'd appreciate it. I'm going to take the roll now, vice chair. Present. Commissioner Palmer. Here. Commissioner Thomas Hicks. Here. So we have a quorum of the commission.

Good afternoon, I thank you for joining us today as the U.S. Election Assistance Commission convenes an election security forum for the security challenge election administrators face ahead of the 2020 presidential election. This vital conversation will provide us with a better understanding of ways the commission can help jurisdictions address a variety of security issues, including those that stem from aging voting technology. When Congress passed the Help America Vote Act of 2002, it established the EAC as the only federal entity solely focused on election officials and voters they serve. Part of our charge is to be the nation's clearinghouse on election administration. It is this responsibility that brings us here today and guides our election security efforts. EAC prides itself on addressing significant issues and this again is an example of that work. While there are plenty of news headlines that can serve as the backdrop for this conversation, we're not here to address an individual media report, we're gathered for a comprehensive look at this hour and a panel with experts, including secretaries of state, a state election director, our federal partners in this space, election testing and certification, and election authority. These with its could not be more timely or important. Election security is front of mind for everyone, especially those on the front lines administering the vote. They've recently released 2018 Election Administration and Voting Survey revealed nationwide these election officials deploying 334,422 pieces of equipment to cast and tabulate votes in the 2018 midterm elections. Election officials are responsible for each and every piece of that equipment. We know they rely on the EAC to provide the resources and support to help make election systems more secure and resilient.
We all have the responsibility to provide that assistance. It is my wish that we leave today's forum with a better understanding of the challenges that administrators face and ongoing administrations and security threats and administer elections that garner confidence in the end result. I'll ask to make statements.

Thank you, Chairwoman McCormick. In the roughly six months since Commissioner Palmer and I were sworn in, EAC has a look at voting accuracy. It was to start a 90 day on the voting system or guidelines. We held meetings on the new draft version of the principles and guidelines and we heard 2.0 is a significant step forward to modernize voting technology. We also discussed how the voluntary nature of the VVSG results in a system where the full value is only realized if the guidelines and the testing and certification program are utilized across the country. We should drive to create a testing and certification system and provide access and security to the American voters that the American voters deserve. Speaking of testing and certification program, we recently added those with decades of experience with election equipment and testing and certification to Dr. Jerome Lovato's team. We are lucky to have talented individuals working here. I'm confident our testing and certification team specifically will rise to the challenge before us today and work with election individuals, voting system manufacturers, our voting system test laboratories as well as our federal partners from the International Absolute of technology and security infrastructure and Security Agency to quickly develop processes and procedures to incentivize the voting systems in the field. Doing so is crucial to the security of our election system. But such updates do not exist in a vacuum. Earlier I mentioned our work on the VVSG. We're working with our partners on drafting the new technology requirements that will be crucial to developing the next generation of voting equipment.
These efforts should complement the important conversations happening every day in the elections field on issues like assessing and mitigating risks. And those potential issues could be reported and fixed before they could be exploited. Today's forum is important in identifying where to do more. It would be nice if we could solve everything in the next three hours, I suspect this will be more of a start than a finish and we must get the job done and drive to maintain a testing and certification program to provide real value to the community without adding unnecessary burdens or costs. If there are avenues where we as an agency could do more programmatically we must consider suggestions. If legislative fixes are necessary, we should look at members of Congress without delay. I look forward to today's conversation and would like to thank the witnesses for being here and engaging with us on this important issue. And also, before I turn it over, I'd like to thank the EAC staff for pulling this work together. Thank you.

Thank you, vice chair. Commissioner Palmer, do you have an opening statement?

Yes, thank you, Chairman McCormick. I'd like to thank our witnesses for participating in today's hearing, as well as those who are tuned in online for this important discussion. Today's forum has a chance to provide needed clarity where election security stands, ahead of the presidential 2020 election and how the EAC can lead in the efforts to make our elections system and infrastructure strong and secure. In this new type of warfare, state and local election officials are on the front lines, on the war for democracy. I have full confidence that our election officials will zealously prepare and train for the 2020 election and in the end get the job done for the American people as they did in 2016 and 18.
Because of the unique role that Congress gave us, and the fact that we work closely with state and local election officials in a number of areas, the EAC must take the leadership role. The question today is whether or not we're adequately planning and establishing lines of communication to election officials with the necessary information to prevent and recover many attempted ransomware attacks and for a first strike on our democratic ideals. The 380 million appropriated by the Congress is going a long way to assist in preparation and planning on fundamentals of elections. However, as Dwight Eisenhower said, I've found that plans are useless, but planning is indispensable. As we look at this, I'm eager to hear from experts including the dynamic challenges faced by state level policy to implement and address the election system security. And the federal partnerships put in place after the 2016 election. I'm looking forward to learning more about how election vendors and technology leaders are working to address end-of-life software used in election system. Your opinions about the value of establishing a coordinated vulnerability exposure program and input how the EAC is testing a certification system and voting systems can provide more meaningful security testing. As a former state election official I'm very familiar with the challenges faced by the men and women across the nation and face difficult decisions that stem from limited resources and seemingly unlimited needs including those securing elections. My goal is to conclude this meeting with a better understanding of the election officials' needs and suggestions how industry leaders, federal agencies, the Congress and others can best support local efforts to secure elections. Faith in our nation's elections systems is on the line. Protecting will take all of us working together and today's forum had the opportunity to do just that and demonstrate our commitment to our nation's voters.
Thank you for participating in today's forum and look forward to a robust conversation on these issues. As I travel across the nation to visit election offices, your presentations or attend conferences, election security is often the centerpiece of those conversations. After the 2016 election it was clear our nation needed to look under the hood of the election systems. Through the process we identified a number of areas will need to do better. A lot of progress has been made. Including improvement of communications between state and local election leaders and fellow partners who support their work. While today's forum will likely provide even more evidence of the progress we've made, it's also a chance to collectively identify opportunities to further advance, to further advancement and cooperation including it would expand the market for election equipment and better track the supply chains. The challenges faced by election officials today are often tied to aging voting equipment or lack of resources. I suspect we will are some of reflected in today's testimony as well. The reality that EAC tries to reflect its day-to-day work including today's forum and all of our ongoing efforts. For example, I'm proud of the work we did last year after Congress appropriated 380 million in much-needed financial support to the states and territories. The EAC quickly and responsibly got these vital resources out the door. Today we continue to write oversight and guidance for all the stones. Our most recent conversation with those who received these funds project 85 of the money is likely to be spent by the 2020 general election. With at least 90 going to replacing aging voting equipment or improving security and resiliency. We know more resources are always welcome, and my fellow commissioners and I have passed that along with our interactions to members of Congress.
Today's forum is a perfect opportunity for us to examine ways all these entities in this room, lawmakers, federal agencies, election manufacturers and others can work together or can continually work together to improve security and strengthen voter confidence. It's also a chance for us to remember our efforts must not undermine access to the polls. As work to make election more secure continues, we must also safeguard the statutory right so that every eligible American can cast their vote independently and privately, regardless of ability. I look forward to today's forum and again thank our participants for being here in being a part of the work to help America vote in a way that is secure, accessible, and accurate. Thank you.

Thank you, Commissioner Hicks. I would now like to invite our executive director Brian Newby to make remarks on the avenue of the EAC staff. Director Newby.

Thank you. I was introducing the agent will have three panels representing three flights of testimony that was arranged as, first, secretaries of state, then the EAC testing and certification director Jerome Lovato, Jared Dearing from Kentucky and other stakeholders related certification and software changes including our federal partners DHS and NIST results Microsoft. The third panel represents many of the EAC registered voting equipment manufacturers as well as the test labs. Geoffrey Hale from DHS has been participating in another meeting this morning and will be arriving after that panel begins the second pivot if for some reason has difficulty getting in time for that panel we will move them to the third panel. One final thought about today, when Microsoft Windows seven was a top with the security discussion meeting and we're very, we are very pleased Microsoft is here today, but today's meeting topic is much broader and today you will talk about risk, a word that is central to security audit wanted to note risk at a different level to do as well.
All of you as commissioners have discussed security and segregation issues with election officials, vendors, Congress and other stakeholders and by pausing to discuss these items today in an open meeting to engage in public dialogue with a clear end result is not yet known, is a risk. I hope all will see and appreciate the leadership role the commission is taking in this regard. Similarly, the election equipment vendors and Microsoft have taken a risk to come in today to talk openly about the security issues the election industry shares. I know you as well as the EAC staff appreciate their willingness to come in today to speak candidly on these issues. Beyond those who are speaking today we have received other comment for the record from opensource Election Technology Institute, easy though, Center for Democracy and Technology, and Dominion Voting. Copies are available for the public and attendant and will be posted on our website. This forum represents one of the broadest both meetings and election security ever held. The largest ever the EAC with 13 individuals appearing today. With that background I hand things back to the chairwoman for introductions of our first panel.

Thank you, Director Newby. Our first panel is right now we will start with Secretary Ardoin. The Honorable Kyle Ardoin is Louisiana's 44th secretary of state, resident of Baton Rouge, Secretary Ardoin was elected on December 8, 2018. He brings a wealth of knowledge to the office having served as interim secretary of state from a intelligence election. First assistant secretary of state for eight years prior to that. Currently Secretary Ardoin serves as treasurer of the National Association of Secretaries of State, and on the Election Infrastructure Subsector Government Coordinating Council.
His goals include securing new voting equipment for the state, protecting the security of sensitive voting data and continuing the agency's high-tech protection for both the election and commercial divisions. Welcome, Secretary Ardoin.

Ranking madam chair and Mr. vice chair and commissioners. Mr. Newby, staff. It's a pleasure to be here. It's place represent the great state of Louisiana. Most important it's so important to be here to discuss the important issues to securing our future elections. In November of 2015 Microsoft announced they would no longer sell Windows seven computers as of November 2016. On September 6, 2010, Microsoft announced the end of support for Windows seven would be January 14 of 2020. In December 2018, I informed the governor of our state that Windows seven operating systems conflict with the state's legacy election voting machines for both early voting and election day. It provided information for the resources that would be necessary to move Louisiana forward in our election process. In the summer and fall of this year we are switching out 250 Windows seven PCs and all registered voters offices with Windows ten PCs, clerks of court devilry received Windows ten virtual laptops used to conduct qualifying and result uploads to the state Election Registration Information Network. So how did this affect the state of Louisiana? This has been a costly endeavor to replacing all seven, all Windows seven computer used in the register voters and clerks of court offices with Windows ten virtual laptops throughout the state over the past two years has cost well over 250,000 here thank you. Currently the state is leasing voting machines with its current vendor into the request for proposal process is completed and awarded to a vendor due to the Windows seven end-of-life issue. The machines are the use of Windows ten. This endeavor has cost us just the leasing of these in excess of 2 million.
We've been diligent in keeping the virus definition files updated for our systems. All laptops are scanned regardless of whether or not they are connected to the internet prior to each election. We have sent strict directives to all registrars, clerks, warehouse employees and secretary of state election division staff stressing they are never to insert random memory sticks into these laptops or change their phones, charge their phones or any other device. We also discussed this a great deal in training and with the support staff reminded of these entities regularly in person during the test and feel process of our voting equipment of how critical it is to follow the strict directives. In addition they are instructed to never insert a memory stick issued by the secretary of state office into any other computer, regardless on the memory sticks are scanned for viruses upon the return to our office as a preventive measure. And that means any home, work environments that are used by our local election officers, all of this has led us to additional security measures. I would like to say that additionally the cost of Windows ten desktops has been 670 per machine, and it does not include the cost to configure, test, deploy, train or maintain. Windows seven equipment is air-gapped, meaning none of the devices ever touch the internet connected. All are updated with virus definitions or are scanned for viruses before every use. By the end of the year all units will only be used with password-protected memory devices, or are our mps. How does software upgrades affect our office? Upgrades can be mended at inopportune times and cost setbacks are preparing for elections, leave it as short a to get everything completed and tested. Installing an upgrade and not properly testing the upgrade would be detrimental to our system. Being methodical and thorough in establishing an infrastructure to control deployment and adhere to a routine is critical.
Testing of there's a fine with such as developing testing, staging and production with one week between each come with production schedule around the election calendar or cycle can be unusual is very time-consuming and not a corner that we can afford to cut. Updates can incur, excuse me. As an example, if an important patch comes out three three tor weeks before an election, it causes of two way too ill to but because we can't interfere in the election process that is already in motion. Updates can incur downtime and require extensive troubleshooting to identify and resolve upgrading software. For example, during this last qualifying, due to a situation, a cyber incident in our state not affecting our election system but certainly a concern because it affected local governing bodies, we had to install new PCs this the recycle. Those new PCs, once turned on, because we were not able to have the timeframe that we normally have as I referred to earlier, began implementing new updates as soon as they were turned on. This sucked the entire ability of bandwidth for the local entity that had to use them, and thus affected the clerk of court's office which then caused us issues with qualifying. This is a graph. Microsoft sends patch updates every second Tuesday of the month, and we update, we provide development and testing can we do the updating testing by our IT division and they would perform staging mimicking the predeployment and then we deploy. How software upgrades affect our office. We perform extensive in-house testing on all components used in the field in order to test and write detailed instructions on the usage of the new units. Upgrades can sometimes cause issues that'll occur in the parish due to their system being slightly different from the secretary of state's office. So, for example, if we order, all parties need it to ensure uniformity and updates. Nonuniformity makes fixing issues more difficult.
How remediation of potential vulnerabilities could be addressed. Certainly the EAC is making it quicker and cheaper for vendors to certify upgrades. Certifying components versus entire systems, was it for registration, whole votes it election results, publishing vote capture devices of vote tabulation is helpful. Using common data format is important. For example, vendors using the same result output format either through scanners or drcs so they are able to certify tabulation component using automated test by running the standard series of result output to the component and assuming a, input the election result publishing are able to make sure that the component output is what is expected. Encouraging asymmetric encryption on data transfers is more important and integrity and authenticity data transfers could be between our ERIN system and election management system or the DRE scanners and through our dms and vice versa. Integrity, confidentiality and authenticity are the most important components. And asymmetric encryption offers us that. Not symmetric encryption. Implementing for future equipment purchases requires devices to apply. Now we're requiring implementation future equipment. For devices to apply security patches and for updates no less than three months after release from vendor or manufacturer. We will also require any commercial off-the-shelf equipment to remain within the mainstream support window of the manufacturer and the updated and EAC certified or use within one of the release update dates updates are manufactured. When all the technology in general we require additional layers. What I mean by additional layers is we are by password-protected thumb drives to transfer data. Requiring additional layers of protection that are costly and time-consuming collegiate taking stronger measures when reacting to threats, reacting to threats is cutting off local access to networks out of abundance of caution.
If limiting these additional layers can quote-unquote break things. What I mean by breaking things is that after rush to deploy new Windows ten, all bandwidth which I referred to earlier in my talk was consumed at one colocated site during qualifying with Windows updates that we had to block temporarily. Vendors will state you can force the updates but it will break EAC certification. This leaves our offices vulnerable to anything that happens. EAC certification in our opinion is the utmost importance. So how remediation potential vulnerabilities could be addressed, and then closing out, there is little red light keeps blinking at me. Reaching at the users and educating them on the vulnerabilities we face today in today's world is key. Stressing to them while additional security measures may be cumbersome, they are absolutely necessary. The sooner this is understood and accepted, the easier it will be transitioning to these new means of ensuring secure elections and maintain the integrity of our election system. Additional security will soon become second nature and be accepted as common business practices. State and for the most part local election officials understand what is at stake and are vigilant in our efforts of securing our elections. It's important to note that we were doing election security before 2016. Unless you think an election official and actually have put on an election, there is a huge air gap by federal officials, elected or appointed, regarding the reality of our processes and procedures versus the magnitude of speculation going on in Washington, D.C. Election security is not a partisan issue. What is partisan is using election security to create fear among the electorate for partisan policies which have absolutely nothing to do with election security.

Thank you, Secretary Ardoin. Thank you. I'd like to welcome Secretary Denise Merrill from Connecticut.
The Honorable Denise Merrill was elected to her third term as Connecticut's 73rd secretary of the state on November 6, 22. As Connecticut's chief election official and business registrar, she is focused on modernizing Connecticut's election, business service and to prevent access to public records. Since taking office she has supported and expanded democratic participation, ensuring every citizen's rights and privileges are protected, and that every vote is counted accurately. Secretary Merrill has worked to expand voter participation through election day and online voter registration. She has also improved Connecticut's democratic accountability and integrity with the series of rapid response processes to election day problems. Secretary Merrill was elected president of the National Association of Secretaries of State for the 2016-17 term and serves on the board of advisers to the Election Assistance Commission. Prior to election as secretary of state, Denise Merrill served as a state representative from the 54th General Assembly district for 17 years. Thank you, Secretary Merrill, and welcome.

Thank you come and apologize for my delay. My flight was delayed. I don't know why. They never told us, but as you just heard, I did have the privilege of being the president during the 2016 elections. Sometimes I think I just drew the short straw, but it was quite an experience and so as such I was very involved in the reactions to it happened during the 2016 elections and thereafter, in terms of setting up lots of different communication structures and other structures to start to deal with the cybersecurity risks that we just became aware, really, during that time that were aimed at the election systems in our country. I think all my colleagues would agree, we've come a long way since then in terms of setting up lots of communication systems and other systems so that we can have a better response if we do uncover some of these problems during elections.
We have a much better understanding of these threats. Many of us have availed ourselves of the services of the Department of Homeland Security over the last couple of years, and Connecticut is no different. We have done that. First, I should paint you a little picture of Connecticut because it is quite different than what my colleague was describing in Louisiana. First of all, Connecticut has the distinction of being the only state that really basically has no counties. What we have is an election situation where we have 169 mostly very small towns and very independent-minded. Really, the administrators of the election and my office acts as an advisory body. We do however have the voter registration, the voter registry. We had one of the earliest voter registries and reviews the same vendor now for almost 20 years which started out being pcc and has now been acquired by other companies in the interim, so most of what we've done has been through that company, that vendor. The voter registration system has had many upgrades over the years but it is housed and managed by the state IT department. I have almost no IT staff of my own, and the security is all managed really out of our state IT department. Naturally we collaborate with them. As my colleague said many of us have been doing security on the voter registry which is our state is one of the biggest databases we keep for many years. And although we did of course avail ourselves of anything DHS had to offer, I was told by our IT staff most of it was kind of redundant, different products are different things but essentially we were one of the 21 states that were eventually told that they had seen probes in our system. None of them got in, and I am not going to be as technical as Secretary Ardoin in my presentation because I'm kind of give you an overview of what we've done rather than getting into the nitty-gritty.
But I would just say that the most important thing that happened last year was the release of the 380 million. I'd like to tell you a little bit about what we've done with it. Bearing in mind that we've taken a very conservative view of technology in Connecticut. Although we had one of the original voter registries and we do not an election management system, as do many states, we have not adopted the poll booths. We have an organization which is very, very valuable in a state called the UConn Voting Center got I think at this point we may be unique in the country and having services of the computer science department based, it's part of the computer science department, lack of a better word, a division I guess, and they test equipment. They even would equipment. They evaluate systems and they of course are completely nonpartisan objective, not vendors, not selling anything. That has been a very big help to us. They also, every election, test all the computer chips that are in our tabulators. So our tabulators, we've been using the same ones that they were purchased with HAVA funds many years ago. They have served us very well. We have paper ballots. We have a fairly strong audit process after the election although I would like to see it do more with an audit process. Just because I think that right now people stress is most important thing we are doing with here. And so I think the stronger an audit process we can have the better off we will all be. It is I think the next thing I like to Connecticut is audit our process. We have three offices in each precinct after the election. We used to do 10 but they are proven to be, it's really a machine audit and is proven to be 99.9 accurate. In other words, it's working. You know, the cards are tested both before and after by the UConn Voting Center. The election officials mail them to Voting Center. They check and make sure their program properly and then mail them back. We do nothing online.
That is why when we did get dollars from the state actually to purchase electronic poll books, because of the time seem like a very good idea. This was about five years ago. It's much more efficient. It's much more accurate. There's no doubt about any of that, but when they evaluated three different versions of electronic poll books, they invited us back and said they didn't think they were secure. I think the reasons they offered at the time, because it was a surprise me to be honest, because a lot of states are using them. They said they question was about recovery, what happens if they crash. And I think we're on the verge of having a solution to that. But the more important question they had was, you know, yes, it's true going to order people not to connect them to the internet, but they are capable of being connected. And even that was enough to have questions into her mind at the time. We are still looking at but what I'm saying is we're taken very conservative approach. Likewise with our election management system, which is quite sophisticated, has lots of bells and whistles, and you can come it has the capability of uploading the results from the tabulators if you put them on a memory stick and have some other software that you need to make that happen. But we do require them to type in the results from the tabulators. We do not feel comfortable with having that information uploaded, even from a memory stick. Like I say, conservative approach, and that has its share of problems. If you can imagine 169 small towns, many of our election officials come in once a week. Some of them don't have many computers. There are towns that have no computers in the town hall, deliberately. I think many a fight with several mayors about this issue. Some of our towns are as small as 2000 people in the tent and maybe 800 voters. So it's the challenge. It cities also. That's the challenge we face.
We've taken our 5 million which was our allotment from the 380 million and spend a good deal of it on something called a virtual desktop, which as I understand it, and I'm not a techie here, but it does two things. Solve the problem of the Microsoft seven, we don't really know what people come what towns, what operating systems are using in their town. We gave them the Microsoft seven I'm sure at the time we installed all the equipment with the original system. However, apparently if you use this virtual desktop, which essentially allows us to log in to every desktop on the system and to help see what's going on, because we spend a great deal of time on the phone with people who can't login, who don't know how to do whatever function it is they're looking for. This would allow us to override their systems, and as I understand it, it would use a Microsoft operating system so that that, as I understand it, make it not necessary for us to go with buying on the operating system for every town. We also had to spend some of our money on used tabulators. Used they were purchased almost two decades ago and that's ancient history in computer talk. We are looking at purchasing, you know, I think as I recall about 500,000 or maybe almost 1 billion of the money record used to purchase used tabulators. At this point we have no funds for buying an entirely new system. There's just no way I do have an even priced at that. I am planning to have a committee put together that will look at what we're calling the future of voting, as we don't know where it's going, and that's always the case with any kind of computerized system. I would say my biggest ask of this organization is to hustle up with the certification and standards. We are going to be in a position where we're going to have to replace our current system within the next few years. We've been very satisfied with the usage of these systems. We've gotten used to them. We have paper ballots, people mark them themselves.
I think there's a great deal of trust in Connecticut in our election process because we did use all the best practices. But I can see that there's going to be a big need for us to have a lot of information from a source that understands this and knows where the field is going. That would be my request really. The 5 million dollars has been invaluable in helping us maintain what we have, and do better, and will continue. We have planned it goes on for some figures. A lot of it is about training because we have lots and lots of local officials. Connecticut is also unique. We don't just have clerks or county clerks managing elections in each of the 169 towns. We have two registrars of voters, one from each party. And then you also have a town clerk who does absentee ballots and that sort of thing. It's a very decentralized, would like to say, system, but there's lots of training that simple. These are not folks who are familiar with technology necessarily. Some are, some are not. Our biggest challenge is really training, making sure people change the passwords, know what a phishing email is. It's very basic really. That speed is that the book covert? Yes. Thank you for letting us talk about what we're doing out there. I feel like we're in a pretty good place at the moment, so thank you. Thanks, Secretary Merrill. I'd like to open to questions from the commissioners. I'll just tell you, Secretary Merrill. Given the city town jurisdiction scheme in your state, are you comfortable with the level of visibility and control your office has over the state security as it pertains to voting systems, equipment and software? When it comes to the voter registry, yes. Because the state does spend its resources doing the security and it's housed in our IT department, state IT department called DOIT. We won't go there. [laughing] I think they do a very good job of it.
The system itself is getting on in years and we have made significant upgrades, but again I think in the next few years we are going to look at another upgrade here. It is difficult to manage. I have made some proposals to the state legislature to have a little more centralization, bring back sort of county level of government, but to no avail. I think we're going to be where we are, and it works remarkably well for some purposes. For example, I can't imagine trying to hack my election tabulators. It's unimaginable really. Yes, I am comfortable at the moment. I can see you two, three years ago, maybe not. Secretary Ardoin, you mentioned a cyber incident you dealt with down in Louisiana. Obviously caused you great concern and you changed out your computers from Windows 7 to Windows 10. Do you have the tools and resources necessary to combat such incidents, and what did you learn from this incident you were discussing? I learned from the incident that you are only prepared when something happens. Basically you don't know exactly what to expect until you're in the situation. I was very pleased with how my staff reacted and the steps we were able to take. It's because of the unique system of Louisiana being a top-down system. We quarantined our system. We knew, with some having Windows 7 and some, very few, having Windows 10, we knew there were vulnerabilities there. What we were also, because of everything we've been doing, we kept a straight inventory, if you will, of which parishes had Windows 7 units, and how many. Those were the ones we immediately banned from the system permanently from the moment the incident was brought to our attention. The incident affected some local governing bodies but never touched the election system. But knowing that there were some who had interacted with parish government authorities, we felt the need to shut down the system.
We decided to take money that had been allocated from self-generated revenues within our agency, and not purchase sensors for the clerk of court's offices, which we had initially intended to do, and utilize those funds to buy the Windows 10 units, given that we felt like that was a much more secure opportunity and need in our system moving forward. So that's basically what we did. We were able to move fast. We quarantined the whole system immediately because we are able to shut off local access. Our next step was when we knew which parishes had been hit, we unquarantined the other parishes and kept those parishes quarantined until we knew through the cybersecurity commission that we were able to bring them back up, and we did it one parish at a time. But if another parish was hit, though it took them off like a continued that quarantine process. It was very successful. I'm very pleased and thankful my staff reacted very quickly. But again it takes that type of incident for you to realize how quickly things can happen within your state. I immediately, with what information I could, contacted the president of NASS and asked for a conference call with other secretaries in order for them, because we were told this could be much larger than one state attack. The importance here, Madam Chairwoman, is information is key to elections officials. If we don't get information, we can't protect our system. The timeliness of the information is absolute, is developed to make sure that our systems are secure. We've got to get the information as quickly as possible from whichever, whether it's a local partner or a state partner or a federal partner, and sometimes we just don't get it. Thank you. I don't want to monopolize the time but I have one question for both of you. You can just give me, you know, a quick shot at it again. We've talked about Microsoft 7 and updates to systems in this hearing. When you're running several elections a year, how do you work that into your schedule?
The elections start, primaries as well, but then you have early voting sometimes, you've got the general election. How do you fit those updates into the systems into that schedule? The best we can. As I stated in my presentation, the Tuesday updates, the monthly Tuesday updates when they come in, the problem for us is, and I would imagine for any election official, is once we start the clock for election preparation, there's no stopping that clock because the timelines are so detailed. Especially when we have a deadline to meet. We can't avoid those deadlines. And even if a patch comes through, we may have to delay the implementation of the patch because, as I said, it affected us having to adjust with regard to this incident. It affected our ability to do qualifying online because of the patches that were being automatically updated, and we had to stop that process in the registrar's office because the clerk wasn't able to do their job. It's a very delicate operation but it's very concerning to us, and I think that's something that EAC needs to delve more into in order to make sure that our voices are being heard with our vendors, whether it be Microsoft or voting equipment vendors. Again, we're a little unique. We do not have any form of early voting so we just have the one election day, which helps in a way. But we don't do anything in the 45 days, which is what it is in our state. And again we don't really know what our local towns are running. We will have very little control over their local systems. And so this virtual desktop hopefully will provide that problem, but we won't be able to do a pilot until this year is our municipal election, so we'll be able to pilot it this year, but it totally will be in place for 2020. But up until now we do patch our own system and that's the basic voter registry. But everything else is really at the local level. Thank you, Secretary Merrill. Vice Chair Hovland, do you have any questions? Thank you. Thank you all for being here.
I appreciate your testimony. You were talking a lot about the process, and obviously it's extensive; it's not just taking out your phone and hitting update. One of the things that that really sends home to me is a cost associated with this. That is, people and labor in addition to equipment. One of the questions we get asked a lot by Congress is about the 380 million that Secretary Merrill mentioned. Do you all see, would it be useful if there was, obviously federalism, this all gets split up, but if there were a consistent modest federal funding stream that was specifically toward security upgrades, maintaining equipment, maybe implementing programs like Illinois' Cyber Navigator Program where you have state-based election technology, IT experts that assist counties, parishes, towns with fewer resources, do you think that's something that would be helpful and needed? Well, of course. Resources are always helpful and necessary. I would say what we've been doing in Louisiana is we set aside our 5.8 million in HAVA funds ticket for the new voting technology to purchase new equipment. What we've been doing is absorbing in our regular budgets all the cybersecurity needs that we have, which is growing exponentially each and every year. What we would hope for is if the federal government does make additional resources necessary, that there be no strings attached, that each state is different. I think just the two of us sitting here, we explain how different our states are. The cultures are different and the voters have different expectations. But we all have the same expectations, which is a secure environment for our elections and that every vote is accurately counted, and everybody gets to participate who wishes to participate. I would say this. The federal government providing additional resources would be helpful. But the federal government also needs to communicate to the state of the absolute responsibility.
I am no different than my colleagues here who is constantly asking for additional resources to fend off cybersecurity issues, to update equipment and to do what's necessary to secure our elections and offer our people the right to vote. In addition to that we are taking on in Louisiana, we have a strong responsibility. We have all the IT operations with the election in the agency and we do that for the locals as well. And we provided, as I said, equipment to the locals that takes a lot of money. And so all partners, parish or local, state and federal need to cooperate and work together on this funding issue for resources for securing our elections. Because let's face it. We're all in one large ship, and that's the ship of America. And if we are not working together to secure our elections and fund our elections appropriately, then what are we here for? Thank you. Secretary Merrill, would you like to add to that? Yes, I would concur with that, just recognizing that states have very different capacities for funding the elections. I mean, Connecticut for quite a while had a lot of, we cited most of what we've done through bond funds. Which is perfectly appropriate because it is equipment and infrastructure for the state. But not every state can do that. Right now Connecticut isn't too willing to do that at the moment. We're in the budget crisis that's been going on for four or five years now. I think there's certainly a role, and that would be very helpful in my state, I know, because the reason we're not going forward with providing more local equipment, upgrading their operating systems and so forth, is because we don't have money for that. Traditionally its d by the towns and the state. So I agree with my colleague that the states have a responsibility here, too. But like I said, there are different capacities for doing things and I think it is imperative that this country and the states and local governments and all of us, as you say, work together to do this.
This is one of the fundamental operations of the government. You're not going to privatize elections. It's time we put some dollars behind what's happening. I think this is a really recent development. It was over old in 2016 that we realized there are all these cyber threats and so forth, so we have reacted I think pretty well in the short term with what we can do. But in my state, for example, it's much more efficient I suppose to control security for these big databases from a central level. I respect that it actually makes a lot of sense as long as I have someone in my office who can work with that person. I think we ought to take the same attitude overall, that we work on it together, that we're able to articulate what our particular needs are around these questions, that you provide some sort of framework for that, for the funding. But I do think some funding needs to come from the federal level. Thank you. I want to be sensitive to our time so I will hold off any other questions until after my colleagues go. Thank you. Commissioner Palmer, do you have any questions? Just a few. Would you agree what I hear I think the both of you is the priority as your chief election official agent state you need of greater voting systems and their voter registration systems, and eponymous of the electoral process. That is what most of the money could really help your states. Is that a true statement? True statement. We have our job to do, which is set new voting system standards of security, visibility, and get this out so manufacturers can start designing equipment to the standards. I think that's all I have. My state is about to embark on an RFP process and we will be dealing with the standards that were set in 2015. And much of the blame is to the federal government for not having had a functioning EAC with a full commission.
I'm very thankful that we now have a full commission and that you all are working very hard, but we are now behind the times because of that. 2016 snuck up on us pretty quickly and we all reacted as quickly as we could with the resources that we had. The fact is I'm going to have to go a little bit further, as I stated earlier, in what the requirements that we will have to work under that are not necessarily even issued by you all yet. That's very concerning to me. Not to mention all the various legislation rolling around Congress that could require this or that. I have one follow-up question. As the Congress looks at different funding, printer otherwise, one of the things we hear, and I am fairly comfortable in observations having worked at the state level, that the executive branch, the government or the IT at the state level has a lot of the protections that Secretary Merrill talked about. I'm were concerned about the small town to me that have those resources oversight. Do you think it's possible you at the expense how the money HAVA funds, how they could upgrade the local IT system to be more resilient and working some of these attacks? Yes. I would say that's exactly what I'm doing with the money that I got, the 5 billion. By instituting these virtual desktops we essentially have given them more capacity. Maybe that's a direction that others could follow. We haven't tested it out yet so I don't know how it's going to work out. Rather than purchasing 169 towns' worth of equipment, it might be better to just try to work with what they have as long as this virtual desktop takes care of the security part for all of them. But yes, and then the training is all local capacity building really. Yes, you're right. My biggest fear is vulnerability at the local level and so that's exactly what we are working on. That's exactly my fear. It almost came to fruition; by the grace of God it did not. But we are taking those steps because we were able to retain our election IT.
And our system, and not go forth into a consolidated system along with the rest of the state agencies. We were able to control our own destiny, if you will, and work with those local election officials to secure our environment and continue to secure our environment and train them on our environment. Being able to see it from a larger picture, 30,000 feet, if you will, that was the right thing to do for our state and we continue to be able to predict vulnerability and work with vendors outside to look for newer ways to secure our system. That gives us the ability to quickly react versus having to go to the state and ask for permission. I'm not saying it's not working for others, but it is an important component for us. Commissioner Hicks, questions? Thank you, Chairwoman McCormick. I will have a couple comments and hope I can put a couple questions in there as well. One, Secretary Merrill, I want to say, I was saddened to hear that Peggy Reeves retired. I've never worked with Ted Romilly yet but I'm hoping he will be able to fill her shoes because she's a very important woman and I think she's done a great job for your state. One of the things I wanted to ask is a little bit about the overall training. I know as secretaries of state and other election officials, you have more than one job. Your job is not just to election. It might be other aspects of it as well. Are there other portions of your job like he like you did tax cn or other aspects that you have to updates done, and how are those updates incorporated? Yes, absolutely. I am among other things the business registrar, like the other large database in the state, which is business registry, and we're constantly updating it. It helps we use the same vendor for both systems, and have historically for many years. That's right, but it's not as critical. You don't have that one day. I always like to compare an election to getting a wedding. You have that one day everything has to go right.
Unlike the business registry where there's constant deadlines for this and that. We don't have the same issues in that sense. I also am responsible for the commercial registry in the state of Louisiana. It's the same thing, and we do use the same vendor as well. I think we actually have the same vendor. It is a constant concern because that system also is being constantly scanned and probed. Business identity theft is a growing phenomenon, so we are protecting businesses as much as we are protecting the elections. But as Secretary Merrill said, that's an ongoing process. Election day is critical. Election, we have early voting, seven days of early voting in Louisiana, and that is critical as well. Voters have to check in. That is using our system on a daily basis. And so there is concern. We don't have electronic poll books, and given the situation where we are, I hope, I will never ask for electronic poll books. You just have to now be looking for things you didn't necessarily have to look for before. And as we say, cybersecurity is not an end game. There is no finish line in cybersecurity. That reminds me of something you said earlier about having plans, and it reminded me of former heavyweight champion Mike Tyson saying everyone has a plan until he gets punched in the mouth. I speak your that we are, we all have our plans ready for 2020, but I think it would be a lot of swings at as an adult and we'll get hit hard but it would be a lot of attempts for folks to hit us. And I think states are doing a good job of planning for that, and I would put the plug in that the EAC does have IT training for election officials, and I've participated in a couple of those, and our director of testing, Jerome Lovato, and his team have been going out to states. If there's an opportunity to take advantage of our training for folks, definitely do that. I've been to both your states and I think the folks have done a great job with the election process.
The last thing I would ask is a little bit more of, other than money, what can the federal government do for you in terms of, I know, no strings attached, but please say that again. It's more of what sort of things can we help you with moving forward in 2020? Can you convince Microsoft to not charge us for the three years of support after January? That would be a good start for us because that's pretty expensive. I think our quote was 300 per unit moving forward for three years. That can get quite costly, if we are unable to replace all of the Windows 7 units. And without telling our locals is, whatever your parish just bought for you, put aside. It's not worth the threat. And they don't have the money because they just bought the systems. The new equipment, but they didn't buy the Windows 10. Right. Hustle up with those certifications. I mean really, that's the short answer. But also, just thinking out loud here almost, I can hear a division, because we keep forgetting the maintenance costs on all the systems is a very large ongoing cost. Maybe that's where the state should be because that's not something we can expect money every year from the federal government. Infrastructure cost might be where we could use the most help. That's the kind of thing you pay it once and then maybe the state should be picking up the ongoing costs, together with the towns and whatever iteration is. It's different in different states. That would be my short answer, certification standards. People are out buying things right now and they need help. Thank you. I want to extend my sincere thanks to both of you for being here. Appreciate your comments. We will take all of that and as we continue forward and looking at these issues. Thank you very much. Thanks for having us. Call up panel number two, please.
[inaudible conversations] I want to thank you all for being here, for our forum, this important information for us to learn from you, what we can about these issues that are critical at this time. I let the secretaries go a little bit on time, but I just wanted to let you know that the clock is set for five minutes, and that it flashes yellow at one minute and then the red light comes on when your time is up. I want to go in and introduce the panel. To my right is our Director of Testing and Certification of the U.S. Election Assistance Commission, Jerome Lovato. He published a white paper to provide a foundation for election officials on how risk-limiting audits work and things to consider for conducting a pilot. Prior to joining the EAC, he worked as a voting system specialist at the Colorado Secretary of State's office for ten years, where he served as the voting system certification lead and risk-limiting audit project manager. Next to Jerome is Jared Dearing, state election director for Kentucky, Kentucky State Board of Elections, and he has worked in campaigns and election administration for over ten years. Jared has worked in the public and private sector, working both at the local and state levels, including working for the city of Louisville and the office of California Governor Jerry Brown. His private sector work includes several tech startups located in the Bay Area and Boston. He is a graduate of University of California, Berkeley, where he studied public policy and engineering. Next is Ginny Badanes. She is the director of strategic projects for Microsoft's Defending Democracy Program. Her work focuses on countering the growing threat of nation-state attacks against Democratic institutions globally. Her efforts include increasing the security of campaigns and elections and addressing the issue of disinformation as it affects these organizations and processes.
Her work previous to this will focus on occasion with political organizations and the use of data analytics and other emerging technologies. Prior to joining Microsoft in 2014, she was a vice president for political account at cbi where she worked closely with presidential intended camp and custom. Over 15 years' experience in political technology, and has been recognized as one of Campaigns & Elections' rising stars and has received the American Association of Political Consultants 40 Under 40 award. Next we have Matthew Scholl, chief of the Computer Security Division in the Information Technology Laboratory at the National Institute of Standards and Technology, NIST. Just as imported his predecessor for the last decade and began a focus on election security in response to cybersecurity incidents in 2016. NIST has been instrumental to the EAC's ongoing collaboration with DHS. Thank you for being here, thank you to all of you. I'll start with you, Jerome, and we'll go down the line. [inaudible] Sorry about that, I don't know how to operate. Good afternoon Chairwoman McCormick, Commissioner Hovland, thank you for hosting today's forum, for taking the lead on addressing the complexity of testing and then applying software security updates to voting systems. I want to acknowledge and thank the panelists for participating in this discussion. Personally I greatly appreciate and value your input and look forward to hearing your thoughts. I've been involved in voting system testing for over 12 years now, and have literally installed voting system software in thousands of voting devices in my career. I'd just like to highlight that once the EAC certifies a voting system, that system is certified to requirements at that moment in time.
Our Testing and Certification Program manual provides guidance on changes to voting systems that I can talk about in more detail if time allows. Recognizing that we have limited time today, I'd like to hear more from our panelists, and I'm glad to answer any questions you all have, and I just want to lay the groundwork because we do have limited time and, as some of you know in this room, I can talk about this for a long time, so I will refrain and allow others to have the opportunity to express their thoughts on this matter. Thank you, Jerome. Mr. Dearing. Thank you, Chairperson McCormick, Vice Chair Hovland, thank you for allowing me to participate in the conversation about voting certification. I'm the Southern Region representative of the National Association of State Election Directors and also the executive director of the Kentucky State Board of Elections. Prior to my current position I've worked in the public and private sectors, typically public policy and engineering, including software development, and I'm glad we're having this conversation but I wish it could have taken place sooner. Microsoft announced it was ending support for Windows 7 several years ago and in 2014 it ended support for Windows XP. This is not our first experience with this community. Since the passage of the Help America Vote Act of 2002, election administration has grown increasingly reliant on technology. It mandated every state replace punch card machines, of course created voluntary voting system guidelines and the voting system testing and certification programs. The move from lever and punch card machines was designed to move the act of voting to a more modern technology, yet the move to any technology requires ongoing maintenance. Technology is not static and is in a constant state of integration.
Operating systems, firmware and software all require ongoing updates to maintain functionality and security. As of August 2, MS-ISAC has sent out 81 separate update advisories in 2019 alone from vendors ranging from Mozilla and Google to Microsoft. Anyone who tried to use a laptop or cell phone knows keeping technology current is critical to maintaining its lifespan, and the well-documented funding issues in election administration mean the state and local elections officials need their voting equipment to last as long as possible. When we invest in new technology, we do so knowing we may not have the funding to do so again for another 10 to 15 years and in some cases longer. Voting machines are dedicated technology kept under tight physical security. Elections officials work hard to keep machines patched but as with most things in elections, our ability to do so varies by state. In Kentucky, while we certify voting systems at the state level after they've been certified by the EAC, their maintenance takes place at the county level, which means the commonwealth relies on county officials to update and patch voting systems after patches and modifications are approved by the state. Our county offices and officials, like many around the country, are severely under-resourced. Other states handle patching and updates differently. But a common thread throughout is most of us cannot compel our jurisdictions to update their equipment. We can encourage it but we cannot require it. In many places the local jurisdictions must make arrangements with their voting systems service providers directly to have voting machines patched, which can come with a fairly heavy, significant price tag. Every dollar counts and unfortunately that means patches are not made when they should be oftentimes.
There are challenges with the national certification program. Different states have different needs, laws and structures, but consistent nationwide is our certification process represents a moment in time. A vendor submits a system for certification, it uses an operating system, firmware and software that is essentially a time capsule of when the system was developed, but we all know that it is not how technology works. More importantly, that is not how bad actors work either. We need to balance the need for certification with the imminent security needs of elections officials on the ground, where time and resources are of essence. Last month I participated in a conversation about coordinated vulnerability disclosure on Capitol Hill with representatives from Congress, the EAC, the Cybersecurity and Infrastructure Security Agency and vendor community technologists as well. There are a lot of smart engineers out there who want to use their skills for good to help make our elections more secure. We need to work in the field to develop a process by which ethical hackers can communicate vulnerabilities that they find to the relevant parties. But elections officials and vendors need to respond quickly to fixes before those vulnerabilities are exposed. It is not enough to find and report bugs. There must also be a way for systems administrators to digest and remediate these issues after notification. Some vendors have worked with CISA to have an evaluation conducted at national laboratories, to take advantage of the cybersecurity expertise that our central government can offer. The assessment conducted by CISA is more in-depth than the security testing performed by the voting system test labs
as part of the EAC certification process, but EAC does not have a procedure in place to incorporate these results into the voting system certification process. This means that the VSTL must conduct security testing, which makes it time-consuming and expensive for voting system manufacturers trying to make their systems more secure. The EAC should also develop a process to certify modifications made by the voting system vendors to address potential vulnerabilities found in the assessment. Certification needs should be the stamp of approval that tells us our technology is secure, not the obstacle to more secure systems. Our current system certification disincentivizes patching, leading to issues with common and lifecycle processes as we are seeing with Windows 7. As a community we must come together to adapt quickly in the light of an ever-changing threat surface and create a certification program that can accommodate the constantly iterating security environment we are in. There are a lot of intelligent individuals working on this, including here at the EAC. We need to continue to work together to develop a more efficient process at the vendor level to drive these much needed modifications, patches and upgrades. Thank you for the opportunity to speak today and I look forward to your questions. Thank you, Mr. Dearing. Welcome. Commissioners, thank you for the opportunity to join you today to discuss the important issue of securing our elections. My name is Ginny Badanes, director for Microsoft's Defending Democracy Program. Our decision to engage more directly on election security comes from the company's belief that building and maintaining systems worthy of voter confidence is a task that cannot be accomplished by one organization or entity alone. It takes participation from all of us: the federal government, state and local government, election systems vendors, academia, civil society and voters themselves to drive solutions.
Last year Microsoft formed the Defending Democracy Program, which works with governmental and nongovernmental stakeholders globally to tackle issues around campaign and election security as well as disinformation defense, which brings us to the topic of conversation today, the election certification forum. We've given consideration to the role that Microsoft can play to be an impactful partner to the election community. One thing I want to note: many of you are familiar with Dr. Josh Benaloh at Microsoft Research, an ever-present advocate for the end-to-end verifiable election. The idea that advanced cryptography could come alongside current voting processes and enable a voter to know their vote was correctly counted was incredibly appealing to us as a team. We recently announced the creation of ElectionGuard, an open source software development kit that would allow vendors to build the functionality into their systems. We've been working with many of the election vendors to identify how this might interact with their systems and explore possible pilot opportunities. One intersection of technology in the US that gained recent attention and was discussed a lot today is the issue of Windows 7 end of life. By way of quick background, and we've gone over a lot, the company announced in January 2020 the Windows team would end ongoing support for Windows 7. We are committed to helping our customers remain secure as they modernize their systems and make the move to Windows 10. We understand some customers will need time, which is why we will offer security updates to customers running Windows 7 on their systems. Details are being worked out regarding the cost and the process, and we will have more information to share in the coming weeks about how these updates will be made available to the community and what it will cost, but I assure you Microsoft will do what it takes to ensure these customers have access to security updates that are straightforward and affordable.
We are committed to protecting our elections and are dedicated to doing our part. I want to highlight a related issue that was not even brought up this afternoon. Protecting our election systems against known vulnerabilities is important, which is why we should be focusing on how to remove unintentional disincentives that have been created by requiring recertification after patching or updating a system. In our perception, there's a lack of clarity about if and how a security software update could be applied to a system without triggering a comprehensive recertification process. We should stop giving election administrators the Hobson's choice of using election systems with known vulnerabilities or applying security patches and in so doing taking their systems out of certification. I look forward to discussing this and other issues this afternoon and welcome your questions. Thank you, Ms. Badanes. Mr. Scholl. Thank you. Thank you for having me. My name is Matthew Scholl, National Institute of Standards and Technology, where I lead the Computer Security Division within the Information Technology Lab. One of my missions, and one of the things we provide as part of the security division, is a set of tools, references and information to assist organizations, state and local or federal government partners as well as US industry, in securing their technologies and infrastructures. In these toolsets that we provide, we have a series of documentary guidance to assist organizations to establish an effective enterprise management program. This will allow an organization to make critical decisions about setting up a program and then making the critical business decisions about prioritization, timing and application of patches and updates to important systems that they use in order to achieve their business objectives. We provide guidance not just on patch management but on configuration management.
Obtaining, limiting and maintaining security configurations for endpoints as well as back-end machines that are used, again, to support these business objectives. Not only documentary guidance, but we also provide tools to allow for the automated implementation of security configuration, as well as to allow for toolsets to identify items and endpoints, operating systems that are inspected and secure and, if not, to allow for other toolsets to remediate and enforce security configurations if needed. We must also provide references for organizations to identify if they are vulnerable. One of the references we provide is the US National Vulnerability Database, where NIST characterizes and incorporates every known publicly declared information technology vulnerability and publishes it in a machine-readable format, and we also provide severity metrics for these vulnerabilities for organizations to use. This then provides an essential metric for them to decide how to prioritize patches and whether or not a patch is critical to them and the information technology that they use. I would like to echo some things that were said by some of my prior speakers as well. NIST runs several conformance and testing programs specific to cybersecurity products. It is incredibly important for any certification program to clearly communicate where that certification balance lies between upgrade and patch versus maintaining a certification of a version number. Often we give organizations a business risk rather than an information technology or cybersecurity risk decision in maintaining a certification versus patching a vulnerability. Clear, concise communication on the intent of a certification program is essential in the dynamic environment in which information technology exists. It is critical so that folks can make good risk decisions balanced with those business decisions that maintain the security of their products. So thank you for having me here and I look forward to answering any questions.
Thank you, Mr. Scholl. Mr. Hale, welcome. Good afternoon, Chairwoman McCormick, Vice Chair Hovland. Thank you for the opportunity to speak on election security, and I'd like to thank you for considering me for a role on the Technical Guidelines Development Committee. I serve as director of the Election Security Initiative within the Cybersecurity and Infrastructure Security Agency. My team's mission is to ensure election stakeholders have the information to manage risk for their systems. Within our charge we oversee the sector agency, coordinate field engagements, provide technical assistance, contribute to the national security apparatus and support vendors, parks and organizations and the electorate towards the objective of advancing election security and countering foreign interference. Our support comes at no cost and is entirely voluntary, but we've seen out in the field the need to continue to do the fundamentals, fundamentals like understanding the different impacts of confidentiality attacks on their systems, like ensuring systems are operable and able to detect and recover from exploits, which is why CISA provides a cybersecurity program including education, training and cyber exercises, promoting email security, protecting the organization's online presence, securing important information in transit and at rest and developing incident response plans. We've been thrilled by the engagement of the election community, with all 50 states, more than 2000 jurisdictions and several major vendors participating in some capacity. This hearing is timely; at least in part, discussing the end of life of Windows 7 is consistent with the findings we've seen.
Two of the most common vulnerabilities we encounter are unsupported systems and immature patch management processes. As you are aware, election officials are asked to administer a complex array of systems amid a severely resource-constrained environment. Improving vulnerability management tours one of these risks and for the other it could not solve the technology. The most recent grant fund is one way states can address that risk, and the EAC should be commended for how we distributed that funding. And because I touched on the vulnerabilities we've seen in the field, it's worth noting that although we put a large portion of our efforts focused on advancing the security practices of internet-connected databases, where we see our highest availability for attack, that is not to take anything away from the importance of securing voting systems. To that end we've invested in providing open-ended vulnerability testing for voting systems in a service we call critical product evaluations. CISA is encouraged by the vendor community's involvement, with still more queued up to do so. These evaluations are aimed at enumerating vulnerabilities found in hardware on voting systems, poll books and other components the vendor wants tested. As this assessment matures we believe there can be a complementary relationship between our vulnerability assessment and the compliance testing of the EAC. As you move towards the VVSG 2.0 we see an opportunity to work with you in defining the process. Now more than ever the eyes of the security community are on our elections, and while that comes with increased scrutiny it brings with it a wealth of diverse expertise, and for election officials to benefit from the security expertise and other critical infrastructure sectors, I believe it will look to the EAC.
Because of the EAC's leadership role serving as an honest broker, as a belly button for collection and demonstration, security testing and compliance, we are in a position to provide additional value to improve vulnerability disclosure, coordination and management. Any coordinated vulnerability disclosure will only be as effective as the testing and certification process enables. CISA works with these challenges across several sectors, and in addition to the assessment of services we provide where we identify and discover vulnerabilities, CISA is a vulnerability management program where researchers tears was her assistance. With this wealth of material, we look to you for how we can integrate our information with your policies and processes in a manner that allows adaptability to emerging threats, vulnerabilities and risks, including the ability to provide upgrade, update and patching in a timely fashion. We at CISA value our partnership with you at the EAC and we look forward to opportunities to bring our corresponding expertise together, now, under the next VVSG, and in the years to come in support of election officials. The program you were discussing, is that the Idaho labs program? Our national cybersecurity assessment teams are working out of the Idaho National Lab, critical product evaluation. Last time I heard there were a couple of vendors. It sounds to me like you had more vendors sign up to that penetration testing. Open-ended vulnerability testing, yes. There's an increased interest as more have, or more of the community have, discussed their experience. Are you discovering vulnerabilities that are actionable? I believe the vendors would be best positioned to speak to their experience, but the feedback we've gotten has been positive. There's a lot of discussions about software validation and how components can be potentially hot swapped, and obviously this results in a level of information that we get to work with the vendor following the assessment on mitigation opportunities.
Thank you. Mr. Scholl, you described some of the resources that NIST has for the election community as far as vulnerability. Do you have some sort of resource to help states or localities with data recovery after a compromise? Which is of course very important in the election world, especially with the voter registration database. Thank you for the question. We do have guidance, documentary guidance only, on recovery operations, as well as protection against malware. Some guidance specific to ransomware and protection against ransomware, and recovery from some of those specific models, but the services we have for that that would be most useful would be the documentary guidance and recommendations we have for setting up those types of programs. Obviously we hope it doesn't get that far. We take preventative measures first, but we wanted to know about data recovery since it is important to us. We do look at data recovery capabilities as one of the key capacities needed to recover from something such as ransomware. Ms. Badanes, you provided us, or Microsoft provided us, with a security update severity rating system to kind of a heat that you, I guess, categorized these different vulnerabilities as critical and maybe less so. But maybe you don't know this, I don't know, but how often do you categorize an update or a security patch as critical? We heard that there were, somebody mentioned it, over 1000 security updates, but obviously there's very different levels. How often are we looking at critical? That's a great question which I'm happy to get the answer to. I'm not familiar with how often this has come out, but you're correct, we do categorize them and emphasize which ones are the most critical.
Security vulnerabilities are scored through an open standard called the Common Vulnerability Scoring System. That's, we're the government, we have to have an acronym, and that's what CVSS does, and generally it's a scoring system that ranks one through 10 with double underlying criteria that make up the underlying score. That score, one being low, 10 being critical and some gradients in between, is then used to apply to how important a patch might be with reference to a vulnerability. So it's a common scoring system that's used not just by Microsoft but by all vendors who participate in this standard scoring capacity, and this is that severity metric I mentioned earlier that NIST uses in publishing vulnerabilities. Thank you, and there's also a separate index, an exploitability index. Correct, as part of that score there's likelihood, there's severity. There's the type of attack it might focus on, it's a confidentiality attack, mobility attack. The exploitability index, or measures, look at things like is it remotely exploitable or must it be done locally? Is it too old or is it new. The level of expertise that might be needed. So there's the individual items that are assessed by a vulnerability expert when they look at creating that score to make that decision on how critical that vulnerability is. Ms. Badanes, Windows 7 is the topic that began this conversation. How has the communication been between the vendor community and Microsoft as far as figuring out what needs to be done to go forward to address that issue? It's been a positive experience. We've been working with the vendor community on other initiatives as well, as a concern that they had that they were working towards resolving and trying to understand what role Microsoft can play in assisting them towards that end, so it's been a positive working relationship. They gave us the opportunity to take some time to begin our thinking of how we might address the election community specifically on this issue.
Obviously it's something that affects all critical infrastructure customers of ours, all customers in general, but the communication and workings of the vendor community have been good. Good to hear. We hope that issue gets fixed as best as it can and that the systems can get updated. We know that's probably a resource issue for many; that's important for us to know. Mr. Dearing, you were talking about the fact that most of the patching and updating is done at the local level. What is your assessment of the technical expertise and competences of your individuals who are responsible for these security upgrades and patches? I would say it's just like the general public, it varies drastically. But I definitively can say, both as a state director working closely with my local administrators, that they care incredibly deeply about elections. It is their one part of the job that they, that is widespread, whether they're in a marriage license, whether they're doing registrations for vehicles, but oftentimes elections is a thing that most of these individuals care deeply about in a way that manifests in how their day-to-day functioning is. So they're oftentimes not dealing directly with elections but still calling us because they still have technical needs that need to be filled. The local level, it is where we are most severely in need of resources. They are not, the individuals themselves, but the communities are the weakest link within this structure. They are drastically under-resourced. Many counties in my state, if you were to show up in the town at 6 pm, McDonald's is oftentimes the busiest place in town, and it's not because people are eating there, it's because people are using the free wifi. And this issue can be magnified. I have 120 county clerks and their deputies; there are other states, obviously everyone does it differently.
Wisconsin has 1800 local administrators that work at the administrative level, so if we are failing our local administrators, we are not doing our jobs, and part of that must be resource allocation. And I say that specifically because I have clerks that might have one or two staff members and they are not digitally native. So these are individuals who have been working on analog systems for their whole career and we're now asking them to participate in what is national security. We're talking about local communities that are having trouble funding roads and water bills, hospitals, and we're also asking them to take part in the defense against foreign state actors. And the cliff that is looming before us is that we are failing to fund them appropriately for critical infrastructure in their own offices. So part of that, to answer your question, is that some of my counties have amazing IT staff because they're large and funded, because there might be a large city in the county, but a lot of my counties are incredibly under-resourced, which means the back end, they don't have IT staff, and while we provide as many services as we possibly can from the state perspective, I'm also strapped. And so I was talking to someone a couple days ago that, if you had money come your way, what would you do with it? And in many ways the Cyber Navigator Program is one of the first to deal with it. Having individuals to be able to be trained IT staff, to understand security, to understand the clerks' needs directly at the local level, to be able to travel the state, build relationships that are trusted, because the clerks have to be able to trust these people, so if they show up to be able to help with IT needs, to help secure their systems, to help best practices, there's an ideal situation. But it's a long-winded answer of saying we need more, at every level of government. Mr. Lovato, we were talking about patches.
If there is a patch and it's said to be de minimis, who tests for that? Whether it actually is de minimis or whether it would require modification of the system. This is where it gets a little more complicated. 'Cause, you know, our home computer has a patch and we can connect to the internet and update working on some network and do that. When it comes to a patch for voting systems, it may appear to some to be just de minimis, like we're doing this one thing. But what we have to look at is the vendor software applications and how they interact with operating systems, and so one patch in our minds maybe, we're doing this one thing. We're addressing this one vulnerability or multiple or whatever. But they may have some ties from their software applications, meaning the software that tabulates votes for instance, that says if you do that, this will mess up this part of it. And so then it gets way deeper than just de minimis, and in our lab program manual would go into modification. And would be considered, so there's a 1.0 system, for instance, would go into 1.1 in the modification, and so that would require more testing on the voting system test lab. And there are ideas that have been floating around in the community recently. One idea I heard recently was for a voting system manufacturer to self-certify, and that might be a good idea, but like with everything discussed, it would need more discussion around what that even looks like. For instance, for me on my end, how do we trust that? I'm naturally more skeptical about things just in general, and the idea of a voting system manufacturing system managers think we have to self-certify sound good, but it might be a good idea if we have a good program to oversee that, to ensure that if you have multiple vendors and they're self-certifying, that they're following the same procedures or processes or policies. But that's something, like I said, that will need more discussion, but it was an idea that might just work. But we don't know.
But we just can't say software patches in a blanket statement. Because it's just not, some of the test labs have the opportunity to talk more about that; they can get into more detail since they do the hands-on stuff day in and day out. That is their livelihood, and they can talk more in detail about things that they run into that have plan to come that way. Thank you. As Mr. Lovato said, a lot of what I'm about to get into may be more appropriate for the next panel, but I do think the diversity of the experience on this panel in particular could be useful. So Mr. Dearing had talked about finding that balance between certification and security updates. And obviously certification needs to mean something. The reason we have it is to attest to a quality of the system, but in this environment of looking at security updates and balancing those, I'm interested to think about, obviously de minimis has been brought up and we have sort of a, we have modification. I recently had a conversation with another industry that talked about sort of a traffic light system where different levels attempted to hit different pieces of, I guess, testing in order to be recertified. Have there been things that you've seen, Mr. Scholl at NIST or Mr. Hale, through other sections of critical infrastructure where you have a certification environment that requires these updates, and if that works well? Let me answer the first part. The second part about working well I'll have to a little bit about. NIST maintains the US national calibration system, so we have a National Laboratory Accreditation Program. We recertified calibration labs across the country to conduct education activities on behalf of the nation. We have significant experience in standards, conformance activities. So much of what you're calling certification to some extent is an assessment and an attestation that a product has met a specified standard.
There's a balance there that we've been discussing around the level of rigor and trust that's being extended to the product versus the risk and the failure of the product to meet those standards, and how we wish to balance those risks. The costs are always there. Time, dollars, and impact to innovation and technology are on the cost side. Assurance and risk monitoring are on the benefit side of the security program. So we do programs, everything from what was mentioned, vendor self-attestation or vendors declare, where you're putting trust directly in the vendor, you're putting the liability directly on the vendor, so the vendor themselves are the ones who are making the attestation, versus a second or third party, which is then a remote set of liability. So again, there's the balances everyone must look at. Some do it well. Some have learned lessons over difficult business decisions about maintaining a certification for business purposes, which is one type of risk, versus a cybersecurity risk of patching and then potentially losing your certification. For example, the Center for Devices and Radiological Health at the FDA has updated their requirements for the device certification to ensure that good cybersecurity risk decisions are made and maintaining the security of medical devices in a balanced way with the medical device certification as well. So they are an organization who has looked at this very heavily and has put out some guidance on how to obtain these kinds of balances, so that might be a model that potentially you could look at.
There are a couple of sectors that come to mind where de minimis changes get pushed downstream for validation and acceptance testing. Transportation, aviation, medical devices come to mind, but those may not have the same unique factors of the election community, that election day doesn't move, as you all know, so how you are timed down, or that temporal nature, sets an urgency about when these systems cannot be touched and when they must be patched. So I think there are unique factors here that drive the call to action earlier in the process and perhaps other testing. Thank you. I think a lot of that from my perspective is criticality. Where, when you find a vulnerability, a vulnerability's been identified, what level of criticality do they have and where does that fit in the certification process? So does it just get put back in line with all the other certifications we need, or do we say there's a triage process here where we can say if an exploit is found and it's deemed to be highly critical, the damage it could do, and going back to some of the standards that we use around this, how do we derive what best practices are? Curb certification for the specific exploit, so it's not just the one-size-fits-all for every vulnerability. Vulnerabilities are different. So you were asking that question earlier of when critical issues come in, how often do they come in? By their very nature they're random and sporadic. When they do come in it's so imperative that we do address that in a meaningful way, and I know that one thing that I would love to see from the EAC is, you guys are so perfectly centered on certification between all of the elections administrators at the local and state level, our security partners, our vendors. We look to other sectors for best practices and I think of the automobile sector.
They're setting standards 10 years, 15 years ahead of time, letting them know that here are the goals we would like to see as a sector, whether that's an emissions level, whether that's safety features that will be expected to be put into cars as they're coming off the line. The EAC, you guys have a certification team. You have engineers here and the ability to also produce research that can guide this sector as we move forward into the future, so having the ability of vendors to just be reactive when issues like Windows 7, even though we all know there's a lifecycle. What happens at the next lifecycle? And in my small perspective I would love to see that from the EAC, the idea that as we move forward we can talk about not things that are happening today but rather what happens five and 10 years from now, and whether an elections administrator might encompass 10 years I don't know, but we're making decisions today that will determine the death or failure of that individual. Thank you, and I'm conscious that my time is expired. Commissioner Palmer, do you have questions? I'd like to tease out a bit more. There was discussion about imminent security risk versus certification and sort of how we address the one issue. I believe the issue, I think someone mentioned the word risk, and there's a risk of failure of that product, and that sort of begs the need to make sure that it operates with voting systems so that there's no significant impact, that even though it's a patch, it still works as designed to tabulate votes correctly and securely. And the liability rests not only on the vendors but on the entire community if there's a failure with that, but I'd like to, if there's comments about how we can weigh that risk.
On doing something, as was said, with the patch or some sort of a self-assurance testing where vendors have some sort of limited or abbreviated testing by the EAC, is there any ideas on how we can sort of have a procedure in place to sort of, if not absolutely necessary, not to do an entire certification program but more of a limited review to ensure that there's nothing that's going to result in a catastrophe from an electoral perspective, but will meet the needs of addressing the risks that are associated with some sort of imminent vulnerability assessment. Can you frame that in a more abbreviated. There's a larger question there. Can you tell me exactly, I'll give you more directives. I think from a local state perspective as well, if there was an immediate change is necessary but you're looking at a two-month certification program, what would you do in your circumstances, and the state of Kentucky is, you have to balance that risk as well. EAC, we may not necessarily have an abbreviated, we have sort of a hole here between de minimis change, which require certification, what program can we instill to sort of make sure that we are limiting our risk of failure, addressing the problem from a security perspective. Part of it is a scale issue. Again, in the Commonwealth of Kentucky we certify systems at the state, top level of the state, but yet the purchasing and maintenance of those systems are done at the county level. So if a vendor were to come in and tell us we found a fairly critical vulnerability, that's something we're going to work with our counties with, but at the end of the day, we can't force them to do that. This is part of, this part is definitely negative, but having local rules and local administrators and the diversity of our election systems from a holistic perspective is vital. How do we balance that need? I don't know there's necessarily an answer to that.
Like we were talking about earlier, it needs to be triaged, and each individual item as we look at it, to say is this something that rises to the level where I need to drive every single one of my counties and help them patch whatever that's going to be, and do we determine that de minimis. And further and past that, the idea as well is what happens if we say hey, maybe that's not de minimis to the certification, but now it becomes a public issue and the voting public finds out that a vulnerability exists. Part of my job is not just the protection of the system but the reputation of the system. That is one of the most important jobs we do, is protect the reputation of the licensed holders. So how do we balance that need to act, to act appropriately, to act within jurisdictional boundaries of whether we have that right to work with that individual and enforce that patch on them, as well as maintaining the security of our systems in the eyes of the public. I don't know if there's directly an answer. Mr. Scholl, you raised some of those issues of how there's this balance between risk. There is balance between risk, and I think my co-panelist expressed it quite clearly. It's not just security risk, it's reputation and public confidence; they're all kinds of factors that are looked at, and what it comes down to is what is the meaning of this certification? And part of it is public confidence and trust. Not just for those running the elections but the public as well, and who is the certification authority? Earlier I'd talked about the communication being extraordinarily important. I am a certification authority for several very small cybersecurity modules for use within the federal government. I have run across very similar situations where communicating to all my stakeholders to say patch this no matter what it does to the current certification, this is the important thing to do now.
That then becomes a risk decision for the certification authority that then alleviates the users of the responsibilities of those other reputation officers or business risk issues as well. It's a difficult thing to balance, and so some of it is look at local, anything the certification authority can do when a decision is made along those lines to assist with that is extraordinarily helpful. Along those same lines, I see the issue in two pieces, and one seems relatively simple and the other is a lot more complicated. The one is what we can do at the EAC to address this from a certification point of view. I think there are solutions to that. That will just take us, along with our federal partners, our partners in the vendor community. And that is an easy lift. But I think an easy lift, who knows. But where it is, as Jared was pointing out, is you can't force, depending on how the state is organized, you can't just go into a county's office and say update it now, and they have to do it, and that will take more work on that. And even if we have something that's over the vendor's liable, they could just go bankrupt and skip out. And still the government, state and local and federal government, is left holding the pieces. Another issue along the same lines is that, say, and it could possibly happen, especially next year where there's so many primaries and they're staggered throughout the US. Let's say the first state to hold the primary has system X and then state number 27 is later on in the year and they have system X. In between that time, vulnerabilities are going to be discovered. Because the way our structure is, is that this is our certified system, this is what we're using for this election. We address that if all set and our first state says I was operating voting systems, elections on vulnerable voting systems. This is where that complexity comes in, and the fact that just earlier.
The one thing about elections that almost no other industry has to deal with is the deadline. Elections have to happen on Election Day. There is no other time for that. So that is how I see this issue, is that one piece we can work on, and have guidance even, on how you implement a patch. But for further discussion, how does it look when, okay, the EAC has a certified system with all the latest patches and all of this great stuff, but then push down to the localities that are resource strapped, that can't get those updates as quick as the public and others would like? What does that look like? And that to me is the bigger question you without diminishing or missing the fact that we still have a job to do, and really relatively quickly.

Commissioner Hicks.

I have a couple quick questions. Yesterday I flew back from Denver, and the pilot came on and talked about the number of planes. He was talking about the fact that this airline only, and the industry has built 53 of this particular type of plane only, and this company owned 26 of those, so relatively small portion to the number of planes that are actually in the system of air travel. My question goes to, what are the numbers that we're talking about in terms of updates, in terms of his voting machines, the poll book or other aspects? Are we talking millions, are we talking hundreds of thousands that need to be updated from Windows 7 to 10? And what sort of timeframe can that, I shouldn't say updated, I just supported. And of the, I probably should have asked this in the last panel, I heard a lot about the updates being towards vulnerabilities, but are we updating on other aspects of it as well? Not just vulnerabilities, in terms of improving the operating system overall. That's the first question that I have, if anyone wants to answer it. Thank you.
The first answer is obviously better addressed in the second panel or the third panel. I think the vendors will have a better understanding of the volume of types that are out there that are running. I will say, though, I think we need to draw a bit of a distinction between the types of devices that we're referring to here. There seems to be a conflation between voting systems, those are in the certified category, and I recognize more the voting systems, dns and others are considered part of that, but those are the devices where you have some kind update. De minimis or otherwise, however we're referring to it, that's where certification concerns come into play. There are other systems running Windows 7 that are not inside that certification, and therefore updating them to Windows 10 or having constant updates of patches, it's a little bit of a different story. I recognize there's still publications, as the secretary mentioned on the last panel, around doing those, and I think that they're just different stories when it comes to those that have certification concerns versus those that have normal everyday update concerns and considerations. As far as the volume of the machines in each of those categories, that's not something we would necessarily have access to that information. At the nexus of panel will have a better idea of the numbers.

One thing, Commissioner Hicks, I want to point out is not every voting system runs on Windows. There's also Linux and Android and others.

That was going to be my next question, of how many was the percentage between Windows 7 and the Androids are being operated on. And how do they do their updates as well?

I think the number of questions would be better for the next panel for sure. But it is a smaller percentage. I do know that. But I just don't know, I can't give a full partner.

I guess the last question I have would go to Mister Hale.
In terms of the working with the vendors in terms of the penetration testing in the Idaho labs, that's completely voluntary, you're correct.

I know there was a minute 20. I'm wondering if you asked the question of the last panel, which is ultimately the view to moving forward. I'd be remiss in my job if I did not mention the Postal Union, Universal Postal Union, and whether or not we are pulling out of UPU. I know it's a little wonky and I know it seems like a fairly large subject, but we have an election coming in November, and for those that are not necessarily familiar with it, there is potential that the U.S. Postal Service is pulling out of the UPU, which allows us the ability to have contracts before and with foreign nations on delivering our mail. I know we're going out 45 days before the election. Unfortunately my requirements to send those out will be prior to whether the USPS decides whether they will be pulling out. I am concerned on how I notify my voters when that does go out. How do we educate them and say there is the potential that if this ballot comes to you now and you do not submit it within the next several weeks, it could cost upwards of 60 to send this postage, and that even if they agreed to deliver it in the first place. And while that gives me great concern about my overseas voters, voters that are abroad, it deeply grieves me to think that I have military voters who are literally protecting our right to vote and might not have that ability to turn that in. So if there's anything that the EAC can do to intervene on some level, maybe provide some guidance to the states that have, not all states are on federal election cycle, so I have one coming up in several months, if there's anything you can do to give us guidance on how we should be treating this and maybe how we should be notifying our voters, how they can more fully involve themselves in the voting experience, ensuring that their ballots, would be of immense value.
I think that's great, and I think that my fellow commissioners and I can sit down and talk these issues through to see how we can help them improve the process in 2018. There's another issue that occurred with overseas voters in terms of what the foreign states nationals trying to influence our elections. Those folks who are living overseas were trying to contact election offices in the state and were being denied because they had IP addresses, so we worked with a couple of states to say, and you set up some things to alleviate those issues. And I hope that we can hopefully work with the Postal Service and whoever else to alleviate this issue as we move forward.

I want to thank each of you for coming here and spending our time with us today. It's helpful to hear your point of view. I will take all of that into consideration as we move forward in addressing this important issue. Thank you, and I want to, panel three please.

Third panel, thank you for joining us. I will quickly go through your bios, and we have a hard close at 3:30, so if you could talk quickly, we'd appreciate it, or abbreviate your statements, but we do want to hear from you. Where am I starting? I'm starting at this end. Bill Quigley, Boston-based company focused on bringing innovation to the voting systems and election auditing, Clear Ballot voting certified systems in use for counties in Ohio, Wisconsin, Colorado, Washington and Oregon as well as Florida, Vermont and Maryland. Before joining Clear Ballot, Will led teams in policy research and healthcare information technology. Next to Will is Chris Wlaschin, vice president of security for ES&S. He joined ES&S in April 2018, and in this role he is responsible for companywide security efforts including products, operational and infrastructure security. May be engaged to assist. Thank you for coming. Next to Chris is Bernie Hirsch, chief information should quality officer for MicroVote.
MicroVote General Corporation, the longest continuously operated voting system manufacturer in the United States. Under his leadership MicroVote achieved the first federal certification of the voting system in our nation's history. For the past 12 years he has been responsible for leading election software and hardware development, quality assurance and system certification. Next to Bernie is Ed Smith, director of Global Services for U.S. at Smartmatic, which he joined, on second 2001 he joined the industry with position at Hart InterCivic, later moved to vice president position, and Clear Ballot grew. In these positions he led many federal and state campaigns as well as operational functions such as manufacturing supply chain, quality assurance and feel of what mr. In his current position at Smartmatic he leads certification of Global Services for the United States sales region. He leads federal and state testing as well as compliance for the systems prior to testing. In addition he leads field upon a a certified systems across the United States and has served as delivery manager for the Los Angeles project. Next is Jack Cobb, laboratory director for Pro V&V, which he cofounded. Pro V&V is a National Institute of Standards and Technology accredited National Voluntary Laboratory Accreditation Program, noting, excuse me, Voting Systems Test Laboratory located in Huntsville, Alabama, and is an EAC accredited voting systems test laboratory. He has over 18 years of development and test experience with a solid background in Software Background and implementation using object-oriented analysis and design. He provides technical expertise and guidance to entities in the voting systems test arena including federal and state certification bodies and voting system manufacturers, and is accepted by the voting systems industry as subject matter expert in voting systems and voting systems test and certification.
He is serving as examiner to multiple states intellectual body providing technical guidance and expertise for examinations and reexamination of electronic voting systems to federal and state requirements. And last, at the end of our table, we have Jesse Peterson, certified security specialist and I.T. consultant with over 20 years of experience in computer-related fields including but not limited to hardware, software, functional and performance testing, networking and network design, begins over 19 years experience including implementation of intrusion detection and prevention solutions, system hardening, patch management, detection and removal of malicious software, as well as managing and maintaining and hardening firewalls. He served as security specialist for SLI Compliance, where he works with voting manufacturers and state agencies to validate and verify that electronic voting system solutions comply with requirements for federal certification by the EAC. He works on state security voting system requirements. His security experience includes conducting physical and software related security analysis and testing of electronic voting system vulnerability assessment, risk assessments, physical and electronic penetration testing, data encryption, networking and communication protocols, system design and architecture assessments. I want to thank each of you for being here today and I look forward to your comments. We will start with Will on the end. Welcome.

Thank you. Thank you, commissioners and EAC staff, and to my fellow panelists. This has been an illuminating discussion so far. I would be briefly more time for discussion. I am the vice president of engineering at Clear Ballot. At Clear Ballot we believe security is not just a regulatory requirement. It's a business imperative and one of our core values. We view its the foundation of our security strategy but not the entirety of it. In addition to securing our own I.T. infrastructure, we think it's important to incorporate security.
Best practices that go above and beyond. And also product features that have historically emphasized things like hand-marked paper ballots and election audits. We are excited to participate in cooperation across the industry on initiatives such as coordinated vulnerability disclosure programs so we can leverage the expertise of the industry in the broader community. And finally, as a vendor we aim to certify new versions of our systems and get them out to our customers as often as we can. We look forward to continuing to work with the EAC to certify as often and as securely as possible. Thank you.

Thank you, Mr. Crumbley. Mr. Wlaschin.

Good afternoon, Chairwoman McCormick and commissioners. Thank you for the opportunity to come and talk with you. My name is Chris Wlaschin, I'm VP security officer for ES&S. Not only do I do that, but I am also the chair of the election industry Sector Coordinating Council, a team of manufacturers, many were represented here, and about 27 altogether entities, technology providers, advocacy groups who are focused singularly on advancing election security, the state of election security in our nation. When I look around the room at the panels you've assembled today, the witnesses that you brought forward, the state of our nation's election security is better than being reported because of the focus on election security. Our state and local election officials, this is where they shine when it comes to protecting the integrity, the validity of the reliability of our nation's elections. I'm thankful for the EAC leadership, and I believe as we talk to these issues today about Windows 7 and other vulnerabilities that are being considered, the EAC is at the right place to exert leadership and perhaps empowering the voting system test labs to take on a security testing role. The certification process you have now in place, that nearly all vendors comply with, could be modified to embrace some security testing that would meet the needs of 2.0 and beyond.
I think the EAC is the right body to oversee that and further protect our elections ecosystem. You may be aware that election of vendors are partnering with the IT-ISAC to develop a program of coordinated vulnerability disclosure. Earlier today a white paper was released by the IT-ISAC women of the major election tabulation manufacturers have contributed to understand what that might look like, and we are excited to move forward on that issue, but we need EAC support. As you heard from the panel members, coordinated vulnerability disclosure programs will not work unless the testing and certification process is modified to accept those kinds of inputs. I'll close with the comments about DHS and CISA organization are exerting leadership in the field. Our officials are more empowered, more aware, more focused on election security and cybersecurity than that ever happened before. CISA is making a measurable contribution to awareness a protection that the risk and vulnerability assessments, the testing that some election manufacturers and jurisdictions are going through here, that needs to be resourced and continue. I'll close with looking forward to your questions and advancing the knowledge about election security and what we need to go. Thank you.

Thank you, Mr. Wlaschin. Mr. Hirsch.

Thank you, Chairwoman McCormick and commissioners and EAC staff, for hosting this event, and I think we all agree that cybersecurity and the security of our elections is a primary concern for the public right now, with good reason. It's something MicroVote has been concerned with throughout our history. We are not new to the table of trying to protect our system. In the past the way we've done that, and I think the way most of the vendors have done that, is by complying with the certification program that locks down our system in a way that is configured correctly, tested, and then isolated from the surrounding world.
We consider each individual vote gathering device as a separate election that we are empowered to help our customers to protect, so we're essentially protecting tens of thousands of elections leading up to and including Election Day. We have several initiatives that we have taken up in the last few years in response, including, I think I'm a diamond member of a hotel chain now, traveling to all of the security initiative information sharing meetings that many of us have attended. MicroVote has spent almost three years certifying our system to move from Windows 7 to Windows 10 with a great percentage of our system. We are currently upgrading 7000 voting machines in the state of Indiana, and I think hundreds of servers, to go to Windows 10. And we're adding a component as well for the state, which up until now has used very successfully our DRE for decades that we continue to upgrade. That's a large project for our company but I think it's very worthwhile. We began developing the VVPAT a year and a half ago and we began the process just getting certified in the state within the past month, and so we're looking forward to next able to conduct risk-limiting audits and having paper backup to our internal rate and of different technical things working to keep up with the threats we all face. But ultimately the thing that we think what most progressive about trying to enforce is the new service we call PACS, the pre- and post-election cybersecurity suite, which we've been champing now for several years, because we feel the EAC certification that we took initially three years to gain from a new system back in 2007-2010 and then modified it for another year and sold our first EAC certified system in 2011, took us four years, but in that time I think our system was significantly improved by the process we went through with the EAC. To leverage that, we feel it's important that these systems be carefully configured and identified and protected.
If there is an intrusion we can detect that, and we do the tools to do that, the system identification tools that come with every certified system. Our PECS cybersecurity suite leverages our certification and those tools to which of the jurisdictions have and can conduct an election that has integrity. We have jurisdictions with as few as 20 precincts and some that have 720 precincts. You have to have a voting system that can scale to all different sizes, and I'm proud we are doing a bang-up job. But our company quality assurance statement is, we insist our customers are 100% satisfied. That's a job every one of us does. You mentioned, I have these three roles. I'm the CIO, I'm the CQO and the CSO, and all of us at our company consider all these roles important for all of us to constantly maintain. I thank you for bringing us together and I look forward to your questions.

Thank you, Mr. Hirsch. Mr. Smith, welcome.

Thank you, Madam Chairwoman, Mr. Vice Chair and commissioners, thank you as well for the honor of coming before you today. Election security derives from many sources, but today I'm going to confine my remarks to things like providers, they can get in direct design and maintaining their own infrastructure, vigilance over security threats and threat evolution, and continued agility in development by the providers followed by faster and faster cycle times through certification, which is aided by the administrative capability and capacity here at the EAC. I am covered with provider preparation. Better inputs make your job easier and generally allow for better and faster output. That all requires some changes, as I build on some earlier comments, to the certification process. Today's certification is monolithic. Mr. Dearing made the comment that the time capsule, and that's more a better way of putting what I'm saying in terms of monolithic. It requires longer cycle times, although the EAC has improved that over the past few years.
I've attended some very early meetings and saw the origins, and definitely with people who aided the EAC in the formation of the test and certification program before the EAC stood up that certification program. Therein lies some of the reasons why certification is so monolithic. People's backgrounds, for instance, in some cases were in the space program and certainly in Apollo and previous programs, once you set the rocket up there wasn't much you could do with the software. And a focus on security even back then allowed for the monolithic certification that we see today. It was interesting that you had Secretary Ardoin invited, and his predecessors accepted a test report for security updates followed by administrative review and approval by secretary staff. And thereby they generally had some of the most up-to-date if not the most up-to-date software across the U.S. because the use of flexible in the state certification process. That's some things to think about. Another comment I'd like to make, providers, like I said a moment ago, needs to make in security and monitor for threats, and manage products to keep them updated. Looking at myself in the mirror and the other providers, I think it showed a gap in product management to a Windows 7, obsolete by Microsoft, while products either were in certification or in particular had not even entered certification yet with that operating system. Microsoft publishes information when it's going to go obsolete, and as providers it's incumbent upon us to pay attention to that and move forward. Last, before I move into a second phase of my remarks, the EAC has an emergency procedure for certain occasions, and building on some of the comments earlier, but it's not meant for something wide-ranging like OS patches and other patches in the system, which I speak to in a moment, but it would is a very specific situation and so it's not applicable, although it's come up sometimes as a possible solution to moving forward and with faster certifications.
I've given all this background and so I'd like to make a proposal. I tell my staff, don't come to me with problems unless you want to talk solutions. I have to follow that. The EAC can build from existing testing and certification program manual causes as well as clauses. If you look at volume one section eight, volume two with respect to quality assurance and configuration management, there's a requirement for a management program, and those clauses, that requirement that was put in some years ago, can be built on with relative ease. First, the EAC could require a simple expansion of that program to include security updates. What does this view? You could also require alongside that to be provided from the system provider with the quality assurance program that they would use to approve on a rapid basis patches to the system. The EAC could intake those draft procedures, review and approve them here, and once approved, give them back to the provider to then actually use. What does this do for you? One, you have an already vetted procedure, that if a system provider comes forward with a patch, you can at least very quickly benchmark, did you even follow your own procedures to QA this patch? If not, send it back to the provider. If so, enable the expertise to enable and evaluate that upgrade, and then add it to the existing certificate. You will probably want to tier these. OS patches may be the least risk because Microsoft and other folks test those already. Driver replacements and ultimately application software written by the provider probably is the most risky and would be the most vetting. There's also a place in there for third-party libraries that we know of are in the system. In a sense this follows but issues of expanded on the de minimis procedure that already exists, where their own technical staff are evaluating changes to the system. Here you would have something above de minimis but below baseline and even modification of certification.
One add to this that would really help, we used to have a number of technical reviewers. At one point there might've been as many as seven. There are three to five. Those folks provide expertise in security, in database management, one of them was a former elections administrator, and provided expertise to augment the already considerable expertise on your staff over the years and certainly presently. I believe those were cut due to funding constraints, and that's a shame, and that's a place where Congress can act to restore funding and restore these, in my opinion, very needed technical augmentation positions to the EAC. Thank you.

Thank you, Mr. Smith. Mr. Cobb.

Thank you, Madam Chair and commissioners. Thank you for inviting me here today to speak. I'd like to begin by stating this is the second time I've been in the presence of a full EAC commission of the United States Election Assistance Commission, and it's good to see that. I hope it stays that way. I've been involved in the voting system industry since 2004, with over 15 years. The issues we're discussing today are not new. I believe at the first EAC vsd a meeting in Colorado in late 2006 or early 2007 we had these discussions. This was before there was an adoption of the first EAC program manual. The industry struggled to find a post between configuration management of a certified system and the ability to update a certified system for security vulnerabilities. In this context I'm defining configuration management as all components of a system. This includes commercial off-the-shelf products of software and hardware and proprietary software and hardware. During the test process they are required to document all pieces of software and the Company Hardware that a company submits for testing. When this discussion has come up in the past, the configuration management argument has always won out.
But with the ever-changing security landscape it is becoming more important to find some solution that tips the balance of the scales from 100% configuration management and 0% security updating of third-party products to something that is manageable and more secure. The arguments put forward for configuration management are, is a system the same as the certified systems if there have been updates? And, how do we know the system is updated and it will function the same as tested and certified? These are all good questions, and in the language and operating system updates that when applied the application software ceased to function at all. The assumption was, let's include the latest patch into the system already under test and everything will be fine. In that case it wasn't. The argument for the security side is, if you have a vulnerability in a certified system, that is telling the hacker were destroyed. This is true. The security professionals I have dealt with have pulled their hair out the moment I tell them that there would be no updating of the system under test once it leaves this laboratory. In their field this is a first the most important thing to do to keep the system secure. Discussions in the past have tried to find solutions to this issue. We have thought about allowing the VSTL to do an analysis to determine if it is de minimis or not. Allowing a number of minor updates before requiring testing. Creating an update modification, which is something Commissioner Palmer was asking about. Creating test cases for the system during certification that would run when the system was updated later after certification. We even talked about allowing updates if the trusted build of the system has not changed, allowing updates to third-party products. These are just a few of the ideas that have been kicked around over the years. Hopefully the discussion we had today can provide the commission with useful information to make a determination on how we can move forward.
Again I thank you, Madam Chair and commissioners, for the opportunity to speak on this important topic, and I will gladly answer your questions.

Thank you, Mr. Cobb. Mr. Peterson.

Good afternoon. I'd like to thank you all for having me here today. As you know, SLI is one of two VSTLs that are currently testing under the lab. SLI has been an independent test authority for voting systems certification testing since it was first established in 2001. As such, SLI employs a long-tenured, experienced team of credentialed voting system test and security professionals, and we have experience with nearly every voting system used in the U.S. today. As such, SLI also participates in the Department of Homeland Security Sector Coordinating Council for the election infrastructure sub section subsector. As you can see, SLI Compliance is dedicated to helping the Election Assistance Commission to evolve in the process and if all the processes and procedures used to test and certify voting systems. These procedures need to evolve to encompass a way to quickly and efficiently address the current lack of system updates and patching to facilitate a secure voting system solution. The federal certification testing includes a robust testing of a thousand plus requirements and usability, accessibility, hardware testing and security testing, just to list a few. I feel the voting system test labs have unmatched expertise when it comes to the voting system standards and understand is testing systems to these specific standards during certification. As we all know, it's imperative to get voting systems to the field as quickly and in a manner that doesn't impose unnecessary cost.
I cannot stress enough the importance of having standards in the process that is flexible enough to comment the necessity to maintain current, up-to-date patched election systems. The need to provide election infrastructure with vulnerability patches and security additions as they may be has been a well-known issue for some time, as my panelists stated. It is the professional opinion of myself and SLI Compliance that an additional method or path for expediently making specific security-based additions to already certified voting solutions is necessary. As Jerome said in the last panel, the certified systems are locked in a specific place and time, and usually that is of vital trust to build of the certification effort. The Testing and Certification Program manual details the patch for modifications, as we all know, of a certified voting system, a change order to the system's hardware on the documentation or data that is minor in nature and effect. The patch for the determined if the change is at them and must change modification. This is the process that needs to be explored to determine guidelines for our certified voting system would be allowed to have an expedited patch or security patches, firmware updates, malicious software detection definition, as well as potential for the security enhancements. With the current climate we all realize the threat landscape changes faster than the systems can go through certification, which can lead to a system being locked in some sort of certification process continuously. This process could be a tedious and time-consuming effort that involves parties from not only the labs but the manufacturers and the EAC, and can hinder the process of getting voting systems through the modification process and certification program in an efficient and timely manner. The potential to have a specific type of change process that is focused on security for the systems would make it easier for all parties involved.
SLI Compliance acknowledges it would be some kind of guidelines and definitions without the exact nature of the procedures or modifications to address the security changes. The guidelines would be required to ensure that in specific cases the proposed changes are not introducing system instability or additional vulnerabilities. There are lesser and greater degrees of system security patches that would have to be examined to be determined if the impact of the system is not toward extra testing or if it's something small enough to constitute as de minimis. Once again I appreciate the opportunity to provide a statement today, and I feel that the filament or exploration of a path for keeping the voting five systems current and up-to-date commotions offer software up-to-date, find a way to instill trust in the certification process while being able to keep costs complete within a repo time, whatever he is able to efficiently process these changes. I appreciate you listening to my feedback and I'm happy to answer any questions.

Thank you, Mr. Peterson. Let me go backwards and start with Commissioner Hicks.

I will folklore by questions everyone at a time because I appreciate that. Thank you. Who should be responsible to update? Should it be the manufacturer? Should it be the company, Microsoft, Android, Linux or whoever? Who should pay for it? That's my main question for today.

I'll start, and maybe some of the other representatives can chime in. It is a true teamwork process to deliver updates, specifically for voting systems, election management systems that reside on a closed, hard network, that are not reachable via the internet to apply patches. They require hands-on delivery of these updates. Some jurisdictions are very mature and have fully staffed I.T. and security staffs that are able to apply updates. Others not so much, and that's where vendors are stepping up to help deliver updates. It's a mix. Know what else?
So we were talking about updates, a lot of the talk was about vulnerabilities. What other things are being compassionately address that? So there's security and there's enhancements. And there's a number of things you can do with Windows 3.1 versus today's latest build of Windows ten, several orders of magnitude. Audio, quantity, it's far better than it was in those early devices from HAVA find days. That's one example. I'd like to speak up for a second. We all talking about the operating systems and isolate a lot. Many of the systems have many, many of the third-party products. There are lots of products that are out there and it updates and executed updates or bug fixes for bugs that can call it a security vulnerability. We don't need to think about the OS. There are lots of other products that do put out patches that we need to be considering those as well. If I could add, not all vulnerabilities are equal. Vulnerabilities that apply to the consumer grade computer that you might have in your house where the vulnerability represents a high risk of compromise and catastrophic results is not the same as that vulnerability when applied to a closed hardened isolated system. It's up to the manufacturers and Microsoft is great at this, working with the technology providers to assess the degree of risk with any particular vulnerability. Many of us have internal teams that assess those vulnerabilities for applicability and risk to our systems. So that conversation must continue, assess each vulnerability as it is present for its applicability to the system and determine risk. I guess my last question would be, do we know numbers in terms of when I just talked about voting machines? We're talking whole books and so forth or I were just talking about everything needs to be updated at some point? 
Commissioner, I think it's just as important as the patching of the third-party programs and operating system, is just our general hygiene that we use and the training that we give our customers on safe practices. Because the voting systems themselves are extremely mature and I would say most of us agree very, very hardened at this point. But when you become vulnerable is they did come in and coming out. That's what we can make big improvements and that's where if we can find ways to improve the way we insert a flash drive into a computer or how we use the internet to communicate with one another or how we use multibackdrop, all these other things we can do to better, just common sense things, is going to have at least as much impact as applying a patch to a hardened system that's isolated in the room by itself and is pulled up once a year for a day. The funny thing is wanted to fill this patch I had to get five or six different companies to coordinate the efforts together. One of the things I was required to provide for the certification is the mean time between failure. Most of these types of printers are used in a parking lot somewhere under the hot sun and so they know how long that's going to last. I calculate how long it would last in the voting system, use any voting cycle. Our calculation for the lab was 3000 years. At some point we are focusing our efforts on something with little impact and ignoring or not maybe focusing enough on so many other areas they could have much more in fact. Thanks. Thank you. Commissioner Palmer, do you have questions? Thank you, Chairwoman McCormick. Going back to you, Mr. Hirsch. I was intrigued by your discussion of the updates that are taking place now in Indiana. Could you give us a description of that? How is that going with the tens of thousands of machines that are in Indiana? It's proceeding really, really well. 
We had a lot of during a public process and even during the testing we conducted a lot of usability tests with life situations. I know in Tennessee we actually conducted an election between the election officials who were voting for the own leadership. It's been in the statehouse. It's sort of for me it's a no-brainer to go from Windows seven to Windows ten. The difficult thing is to get certified. I piggybacked on another modification we were doing and said as long as we're doing that, we didn't go from Windows seven to Windows ten as were so concerned with all the vulnerabilities or end-of-life for Windows seven. It was end-of-life for Windows seven beta more difficult to buy modern computers. We get our computers from large retail manufacturers. We are just a blip on the radar. We could certify something and then three months later they are no longer making it. If all of us had the funding to buy 10,000 laptops upfront we could keep handy this out like candy for the next ten years, but we can't do that. So having Windows ten has been a really big advantage, just on the standpoint of able to buy current hardware. It takes years in order to get through certification with that, which is an issue. I have another product that's sitting on my desk right now which is Windows ten enterprise system that I would love to put it in the field next month. I'm convinced it works great but had to convince the rest of the world that it works great and that it's going to be a good product. I'm going to go through that process and in the process we will add other features, something we want to do as a company is, and even better job inventory control for our customers because we view the physical security of the voting system as just as simple as a cybersecurity and we've seen great inroads at the state level with that, especially with the funding you provided. To that extent our industry and I don't know if the other vendors do this but we maintain an inventory for our customers. 
A maintain their own inventory and we also maintain an inventory for them in addition to her own inventory. We are providing better tools with our management system for them to manage their inventory. I appreciate your comments. The one thing I wanted to highlight was the fact counties and states across the country are going through this updating process. It doesn't happen overnight. It takes some time usually but they are proceeding with this in an orderly manner. We are all focused on the issue. How are we doing for time? I'd like to ask one more question. One more question. There was a discussion about the disclosure program. And how the EAC could help with that. I appreciate the white paper account, can't wait to read that. What can we do at the EAC? We have the certification program but how can we work with vendors to make that a reality, sort of moving forward? The leadership in managing the current certification and testing process could looking for an opportunity to expand the role of the voting system test lab to incorporate more security testing, timely security testing and provide a conduit for security researchers to submit vulnerabilities that they found in the field or they have theorized in a lab and allowed the voting system f and the family factors to work together to find a fix if necessary, a patch, and apply it during that certification program. We are all sensitive to the length of current certification program so we do not want to add to that what we would like to see a channel of communication that security researchers for the DHS vulnerability assessment program, have a path to comment on and help the EAC and the voting system test lab understand what a bold but it looks like, its applicability and where it fits in the certification program. Thank you. Thank you. That's a great lead into a question that I have for all of you. 
Thinking about probabilities and what that would look like vulnerabilities and what to look like in the system, in 2015 the manuals updated to include de minimis changes for software, not just hardware. My understanding is that has not been utilized that often and certainly not to a degree that it would apply to patching in the way we've been talking about it today. And so what I'm interested to know about is, do you all see sort of natural bright lines? Are there places in the testing and certification program or in a change where you could identify I guess a sliding scale for what we need to be involved in testing that race on the type of change? I think about something like, for example, if the update was simply to a third-party operating system, a patch, but not impacting any of your proprietary software. Would that be a natural break? Are the others, again, that would consider changes to the regime that would allow updates if there is a vulnerability disclosed but in a timely and cost-effective way? I welcome your thoughts. The reason it hasn't been used much is because you can't. Any level change to the software takes it out of the de minimis arena. If these gentlemen and their organizations have to perform any tests to assess the change, it falls way from being at de minimis determination. It's way too narrow. That sounds like we women definitional issue. I guess my question is, or back to what I sang a second ago, is there a definition or definitions that are logical? Is an opportunity for that, yes. Currently, if the Program Manual states it is the minutes, you don't have to have any testing. Does testing is required. As soon as you do anything to test that unit it jumps up to a modification which requires a full EAC test campaign, test plan for the weekly meetings, the whole works. 
Summer between modification and minimus the next be something that allows for lasted from some type of analysis made a run some exploratory testing to say yes, it's pretty much de minimis. But not de minimis. We had to do this test to see if it was de minimis or not. The de minimis requires zero testing, zero. By definition. And also it's going to have to allow for some kind of change to the software. I patch to HP printer driver, to our application software to rid it of a vulnerability or a bug is a software change. So now i definition it can be de minimis. I agree complete with Mr. Cobb that the need to be something in between. I spoke to when I talked about tiers within this new tier that you could create between de minimis and modification, you might want to sub-tiers of what are you doing system provider, is operating system patch that as well dated by the operating system provider? Is it something in the middle, a driver for HP printers for instance? And boldly something that we change in our software, software we've offered. And do you all think vendors is modular testing a piece of that? And is that a good idea? I would say there's a role here for, as was suggested, risk-based modular testing. If we replace our upgraded version of an operating system, we should test whether that changes the ability of the system to boot, to be installed, to have basic functionality. Would an upgrade like that likely affect the logic of a tabulation of an election? Likely not pixel align the left of some discussion about what are these things that are the most risky because of this change, that might be valuable. 
This is the pathway that I was kind of cute at in my statement where there's something that we can focus towards without having a full-blown modification test effort, where we can do some research on the patch, that's in testing from them and still come up with the way that it doesn't require us to sit there and do a full modification for something as simple as let's say antivirus definitions, or even add in certificates that have expired. A lot of the systems have longevity to them. Some kind of path that goes in between them, full-blown modification in de minimis where it might be more than minimus currently defined but a lot less than a full-blown change. I want to make sure to reserve the remaining time. Thank you. For the laboratory succumb you to stick testing as well as federal testing, is that correct? That is correct. To the states of vacation process are there differences, requirements for software updates or patching? It really depends on the state. Some states require EAC certification, for example, which you then may prevent them from adding patches or things that modify the actual certified software. But then there are other states that kind of have come just as stringent requirements but don't require any EAC certification. A kind of goes a little bit of both ways. Just add to that, we are working on a project now with the Commonwealth of Virginia where they will decertify every system every four years. One of the reasons they want to do that is make sure that everything is up-to-date and the OS is not, no longer being supportive. They make it recertified, no big deal, they sign up and say you got a certification by the want to look at this exact issue that there's things that are not secure and have vulnerabilities in the field and the want to look at that every four years. For the vendors, would you do modifications to a system or a new system, do you roll out all the latest patches in that new modification of the system? 
I can say for our part, yesterday not only do we roll up in a secretive patches that are applicable to the situation, the environment of the particular unit, but enhancements it have to do with, could be two-factor authentication. Could it be stronger user access controls? Could be something to do with the ease of use or reporting? Yes, the long answer to your short question is yes, we do. We only have a couple minutes and I know it's more of a complicated question, but when you where do you build your systems and where do you get your components from? Do you feel secure with where you get your components from? You talk about having inventory and having businesses that you deal with. What are your thoughts on that? There are subcomponents made all over the world. It's a global business. Most, most if not all of the final assume and testing is domestic. We are particularly sensitive to try and use companies that are even geographically close to us, not even we do have some suppliers like on east coast, west coast, most of our suppliers are right within a 50-mile radius of us. We prefer that. That being said, earlier you mentioned that election happen on a particular day and there's a deadline, and when it happens it happens. I've always been concerned from a supply chain standpoint that we are a target because we know so far in advance when that election is going to happen. If you know what the president is going to be two years of not on a particular date and time, guess what you're going to focus all of your energy to attack the system. When it comes to supply chain, it's a good idea I think our systems to roll their date forward to election that I conduct a mock election with the system set to the date in the future. That's one way of helping to protect it against any unknown things that could be buried deep inside of some subcomponent that was manufactured somewhere. Two quick comments. I agree with you, Bernie. 
It's a global supply chain and I've been leveraging my experience with DoD and Health and Human Services to visit every primary supply we have and conduct a supply chain risk assessment on the facility, their personnel and their processes so that we can attest to the into in supply supply cn security of the parts that we get. The comment about preparing for the next election, as you know that our elections almost everyday in this company. Last week August 6 there were 115 elections across the states. Every one of the manufacturers and labs is contributing to the security of each and every election leading up to the next general. We are not resting on our laurels purpura gather information from the field, using tools that the itisac in general security given us, under the supervision of the Homeland Security department we are watching these elections, talking to the intelligence community, making sure that any vulnerabilities that appear are being addressed now, not in November 2020. On that note we will have to in our discussion. I have many, many more questions I'm sure my fellow commissioners do as well but we have a hard stop at 3:30 somebody think each of you for being f of information you provided for us and I look forward to continue working with you on these issues as a go forward toward 2020 and beyond. So thank you very much. Thank you. The forum has ended. Thank you. [inaudible conversations] [inaudible conversations]
