Directors, government representatives and international technology companies to talk about what state and local governments need to improve their systems. If you could silence your cell phones and electronics I would appreciate it. I'm going to take the roll now. Vice Chair Ben Hovland. Commissioner Thomas Hicks. We have a quorum of the commission. Good afternoon. Thank you for joining us today at the U.S. Election system to examine the security challenges election security faces ahead of the 2020 presidential election. This vital conversational providers with a better understanding of ways the commission can help jurisdictions address a variety of security issues including those that stem from aging voting technology. When Congress passed the Help America Vote Act of 2002 that established the EAC as the only federal entity solely focused on supporting elections officials and the voters they serve. Part of our charge is to be the nation's clearinghouse of information on election administration. This responsibility brings us here today and guides our election security effort. The EAC prides itself in convening the right people at the right time to address significant issues and this event is yet another example of that work. While there are plenty of news headlines that can serve as the backdrop for this conversation we are not here to address any one development or specific media report. We are gathered for a conference of work on this issue and to hear from three panels comprised of well respected members including secretaries of state, state election directors, federal partners in the state, election professionals and representatives from the election industry. Today's format input could not be more timely or important, for election security is front of mind for everyone, especially those on the frontlines.
The EAC recently released the 2018 Election Administration and Voting Survey, which revealed that nationwide election officials reported 334,422 pieces of equipment to cast and tabulate votes in the 2018 midterm elections. Election officials are responsible for each and every piece of that equipment. We know they rely on the EAC, federal partners and election vendors to provide the resources and support they need to help make election systems more secure and resilient. We all have a responsibility to provide that assistance. It is my wish that we leave today's forum with a better understanding of the challenges election administrators face, the ongoing innovative approaches that they can use to ward off security threats and how all of us in this room can help administer elections that garner public confidence in the end result. I will now ask my fellow commissioners to make opening statements. Vice Chair Benjamin Hovland. Thank you Chairwoman McCormick. I'm pleased we are holding this forum on such an important topic. Barely six months since Commissioner Palmer and I were sworn in, the EAC has been highly focused on the role of voting technology. Our first action with a restored quorum was to start a 90-day public comment period on the Voluntary Voting System Guidelines. We held three public meetings on this new draft version of the principles and guidelines during which we heard it is a significant step forward to modernize voting technology. We also discussed how the voluntary nature of the VVSG results in a system where the full value is only realized as the guidelines and the EAC's testing and certification program are utilized across the country. In other words we should strive to create a testing and certification system responsive to the needs of the election official that provides access and security to the American voter as American voters deserve.
Speaking of the testing and certification program, we recently added Jessica Bowers and Paul Alpha Meyer, who have brought decades of experience with election equipment to the director's team. We are lucky to have such talented individuals working here and I'm confident the agency, and the testing and certification team specifically, will rise to the challenge before us today and work with election officials, voting system manufacturers, voting system test laboratories as well as the federal partners from the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency assisting us to develop processes and procedures to incentivize the efficient deployment of patches or updates to voting systems in the field. Doing so is crucial to the security of our election system. Such updates do not exist in a vacuum. Earlier I mentioned our work on the VVSG and we are working with our partners in drafting the technical requirements crucial to developing the next-generation voting equipment. These efforts should complement the important conversations happening every day in the election field on issues like assessing and mitigating risk in today's threat environment or adopting a coordinated vulnerability disclosure program so potential issues can be reported and fixed before they can be exploited. Today's forum will be an important assessment identifying areas where we as an agency can do more to improve elections technology. While it would be nice to solve everything in the next three hours I suspect this will be more of a start than a finish, but we must get the job done. We must strive to maintain and improve a testing and certification program that provides real value to the elections community without adding unnecessary burdens or costs. If there are avenues where this agency can do more programmatically or administratively we must consider such suggestions.
If legislative fixes are necessary we should identify those areas for members of Congress without delay. I look forward to today's conversation and would like to thank all the witnesses for being here and engaging with us on this important issue. Also, before I turn it over I'd like to thank EAC staff for all their work together. Thank you. Thank you Vice Chairman Hovland. Commissioner Palmer. Thank you Chairman McCormick. I'd like to thank our witnesses for participating in today's hearing, as well as those who are here or online for this important discussion. Today's forum is a chance to provide meaningful clarity about where election security efforts stand ahead of the 2020 presidential election, and how the EAC can lead in the efforts to make our election system and infrastructure strong and secure. In this new type of warfare state and local election officials are on the frontlines for democracy. I have full confidence that our election officials will prepare and train for the 2020 election and in the end they will get the job done for the American people as they did in 2016 and 2018. Because of the unique role that Congress gave us and the fact that we work closely with state and local election officials in a number of areas we must take a leadership role. The question today is whether or not we are adequately planning and establishing lines of communication to election officials with the necessary information to prevent and recover from the many attempts at rest, ransomware attacks or other destruction from manmade disasters and potential strikes on our democratic ideals. The $380 million appropriated by Congress is going a long way in preparation on the fundamentals of elections; however, as Dwight Eisenhower said, in preparing for battle I have always found that plans are useless but planning is indispensable.
As we look ahead at today's later panels I'm eager to hear a number of dynamics including challenges faced by election leaders in election system security and the federal partnerships put in place. I look forward to learning more about how election vendors and technology industry leaders are working to address software used in election systems, your opinions about the value of establishing a coordinated vulnerability disclosure program as well as your input about how the EAC's testing and certification program in voting in this country can provide more. As an official familiar with the challenges we face, the men and women who run the elections process have to face difficult decisions that stem from limited resources and seemingly unlimited needs including the ever evolving and growing IT needs associated with securing elections. My goal is to conclude this meeting with a better understanding of election officials' needs and concerns as well as suggestions for how industry leaders, federal agencies, Congress and others can best support local efforts to secure elections. Based on our nation's elections systems being on the line, protecting them will take all of us working together and today's forum is the opportunity to do just that and demonstrate a commitment to our nation's voters. Thank you for participating in today's forum and I look forward to a robust conversation on these issues. Thank you Commissioner Palmer. Commissioner Hicks, do you have an opening statement? Yes I do. Good afternoon and welcome to our witnesses to the EAC election security forum. I thank all of you in attendance and watching online and in our overflow room on this very interesting topic.
With next year's presidential election less than 15 months away I'm pleased to be joined by my fellow EAC commissioners in a timely and essential discussion. As I travel across the nation to visit election offices, give presentations or attend conferences, election security is often the centerpiece of those conversations. After the 2016 election it was clear that our nation needed to look under the hood of its election system. We identified a number of areas where we need to do better and a lot of progress has been made, including improvement of communications between state and local election leaders and federal partners to support their work. While today's forum will likely provide even more evidence of the progress we have made, it's also a chance for us to collectively identify opportunities to further advance in cooperation, including how we expand the market for election equipment and better track change. The challenges faced by election officials today are often tied to aged voting equipment or lack of resources. I suspect we will hear some of that looked at in today's testimony as well, and in reality the EAC reflects that in its day-to-day work including today's forum and all of our ongoing efforts. For example, the work we did last year after Congress appropriated $380 million in much-needed financial support to states and territories: through the EAC we quickly and responsibly got these vital resources out the door. Today we continue to provide oversight and guidance of all these funds. Our most recent conversation with those who received these funds projects 85% of the money is likely to be spent by the 2020 general election with at least 90% going to replacing aging voting equipment or improvements in security and resilience. We know that more resources are always welcome and my fellow commissioners and I have passed that along in our interactions with members of Congress.
Today's forum is a perfect opportunity to examine ways all the entities in this room, lawmakers, federal agencies, election manufacturers and others, can work together or continue to work together to improve security and strengthen voter confidence. It's also a chance for us to remember our efforts must not undermine access to the polls. As work to make elections more secure continues we must also safeguard the statutory right that every eligible American can cast their vote independently and privately regardless of ability. I look forward to today's forum and again thank our participants for being here and being a part of the work to help America vote in a way that is secure, successful and accurate. Thank you. Thank you Commissioner Hicks. I would now like to invite Brian Newby to make remarks on behalf of EAC staff. Thank you. Commissioners, by way of introducing the agenda, we will have three panels representing three flights of testimony arranged for secretaries of state, then the EAC testing and certification director, Jerry Deering from Kentucky and other stakeholders related to certification and software changes including our federal partners at DHS as well as Microsoft. The third panel represents many of the EAC registered voting equipment manufacturers as well as test labs. Jeffrey Hale from DHS has been participating in another meeting this morning and will be arriving after that panel begins. If for some reason he is not here in time for that panel we will move into the third panel.
One final comment about today. Microsoft Windows 7 was the topic that started this discussion and we are very pleased that Microsoft is here, but today's topic is much broader. Today we'll talk about risk awareness that is essential to security, but I want to acknowledge risk at a different level today. All of you as commissioners have discussed security and certification issues with election officials, vendors, Congress and other stakeholders, and pausing to discuss these items today in an open meeting to engage in public dialogue with a clear end result that is unknown is a risk, and I hope all will see and appreciate the leadership role the commission is taking in this regard. Similarly the election equipment vendors and Microsoft have taken a risk to come here today to talk openly about the security issues the election industry shares. I know you as well as EAC staff appreciate their willingness to come in. Beyond those who are speaking today we have received comments for the record from the OpenSource Election Technology Institute, Easy Vote, the Center for Democracy and Technology and Dominion Voting. The statements are available for the public in attendance and will be posted on our web site. This forum represents one of the broadest public meetings on election security ever held, certainly the largest ever at the EAC, with 13 individuals at the hearing today. With that background I hand things back to the chairwoman for introductions of the first panel. Thank you director. Our first panel is here now; Secretary Denise Merrill is on her way and she will be joining us shortly, so we will start with Secretary Arduin. The Honorable Carl Everett is the secretary of state of Louisiana in Baton Rouge. As secretary he brings a wealth of knowledge to the office having served as interim secretary of state until his election, and as first assistant secretary of state for eight years prior to that.
Currently Secretary Arduin serves as treasurer of the National Association of Secretaries of State and on the election infrastructure subsector government coordinating council. Secretary Arduin's remarks will include voting equipment for the state, protecting the security of sensitive voting and high-tech protections for the election. Thank you Madam Chair and Vice Chair and commissioners, Mr. Newby, Mr. Tatum and staff. It's a pleasure to be here and a pleasure to represent the great state of Louisiana. Most importantly it's so important to be here to discuss important issues in securing our future elections. In November of 2015 Microsoft announced that they would no longer sell Windows 7 computers as of November 2016. On September 6 of 22 Microsoft announced the end of support for Windows 7 with the January 14 of 2020. In December of 2018 I informed the governor of our state that Windows 7 operating systems conflict with the state's legacy voting machines for early voting and election day. I also provided information on the resources that would be necessary to move Louisiana forward in the elections processes. In the summer and fall of this year we are switching out 250 Windows 7 PCs in all registrar of voters offices with Windows 10 PCs. Clerks of court have already received Windows 10 virtual laptops used to conduct qualifying uploads to the state's election registration information network system. How does this affect the state of Louisiana? This has been a costly endeavor, replacing all Windows 7 computers used in the registrar of voters and clerks of court offices with Windows 10 virtual laptops throughout the state over the past two years, well over $250,000. Currently the state is leasing voting machines with its current vendor until the request for proposals process is completed and awarded to a vendor, due to the Windows 7 end-of-life issue. These machines require the use of Windows 10.
This endeavor has cost us, just the leasing of these machines, in excess of $2 million. We have been diligent in keeping the files updated in our system; all laptops are scanned regardless of whether or not they are connected to the internet prior to each election. We send strict directives to all registrars, clerks and secretary of state election division staff stressing that they are never to insert random memory sticks in these laptops, or charge their phones or any other device. We also discuss this a great deal when training, and our support staff meet regularly in person during the testing process of our voting equipment on how critical it is to follow the strict directives. In addition they are instructed to never insert a memory stick issued by the secretary of state's office into any other computer. Regardless, all memory sticks are scanned for viruses upon return to our office as a preventive measure. That means any hallmark environment used by our local elections officers. All of this has led us to additional security measures. I would like to say additionally the cost of a Windows 10 desktop has been $670 per machine and that does not include the cost to configure, test, deploy, train or maintain. All Windows 7 equipment is air gapped, meaning none of the devices ever touch an internet connection. All are updated with virus definitions and scanned for viruses before every use. By the end of the year all units will only be used with password protected memory devices or IronKeys. How do software upgrades affect our office? Updates can be mandated at inopportune times and cause issues in preparing for elections, leaving us short on time to get everything completed and tested. Installing an upgrade without properly testing the upgrade would be detrimental to our system.
Being methodical and thorough and establishing an infrastructure to control the climate and adhere to it is critical. Testing in various environments such as development, with one week between each, with a production schedule around the election calendar or cycle can be and usually is very time-consuming and not a corner that we can afford to cut. Updates can occur, excuse me. As an example, if an important patch comes out three or four weeks before an election that causes us to wait to implement because we can't interfere in the election process that is already in motion. Updates can incur down time and require troubleshooting to identify and resolve upgrading software. For example, during this last qualifying, due to a situation, a cyber incident in our state not affecting our election system but certainly of concern because it affected local governing bodies, we had to install new PCs this very cycle. These new PCs, once turned on, because we weren't able to have the timeframe that we normally have and that we referred to earlier, began implementing new updates as soon as they were turned on. This stopped the entire bandwidth for local entities that could use them and thus affected the clerk of court's office, which then caused issues with qualifying. This is a graph. Microsoft sends patch updates every second Tuesday and the update we provide goes through development, test, we perform production deployment and then we deploy. How do software upgrades affect travelers? We perform extensive upgrade testing with detailed instructions on the usage of the new unit. Upgrades can sometimes cause issues that only occur due to their system being slightly different from the secretary of state's office. For example, if we order AB 123, which doesn't exist, to all parishes, the AB 123 ensures uniformity in updates. Nonuniformity makes fixing issues more difficult. How remediation of a potential form of release can be addressed: the EAC is making it quicker and cheaper to certify upgrades.
Certifying components versus entire systems, whether it's voter registration or election results publishing, vote devices or vote tabulations, is helpful. Using common data formats is important. For example, vendors are used with the same output format, either through scanners or DREs, so they are able to certify tabulation components using automated tests under the standard series of results output. Assuming the common input, the election results are able to make sure that the component output is as expected. Encouraging asymmetric encryption on data transfers is more important than integrity and authenticity. Data transfers could be between our election system or the various standards and EMS and vice versa. Integrity, confidentiality and authenticity are the most important; asymmetric encryption offers us that, not symmetric encryption. Implementing for future equipment purchases requires devices to apply security patches and firmware updates no less than three months after release from the manufacturer. We will also require any commercial off-the-shelf equipment to remain within the mainstream support window of the manufacturer and be upgraded and EAC certified for use within one year of the release of updates by manufacturers. When accommodating technology in general we require additional layers. What I mean by additional layers is a password protected thumb drive to password data. Requiring additional layers of protection is costly and time-consuming and leads to stronger measures when reacting to threats. Reacting to threats: cutting off local access to networks out of an abundance of caution. Implementing these additional layers can, quote unquote, break them. What I mean by breaking things is after deploying new Windows 10, all bandwidth, which I referred to earlier in my talk, was consumed at one collocated site that we had to block temporarily.
Vendors will state you can force the updates but it will write EAC certification fees and leave our offices vulnerable to anything that happens. EAC certification in our opinion is of the utmost importance. How remediation of vulnerabilities can be addressed, and I'm closing now. The little red light is blinking at me. Reaching out to you on the vulnerabilities we face today in today's world. Stressing to them that while additional security measures may be cumbersome they are absolutely necessary. The sooner this is understood and accepted, the easier it will be transitioning to these new means of ensuring secure elections and maintaining the integrity of our election system; additional security will soon become second nature and be accepted as common business practice. State and, for the most part, local election officials understand what is at stake and are vigilant in efforts in securing our elections. It's important to note that we were doing election security before 2016. Unless you've been an election official and have actually put on an election there's a huge air gap by federal officials, elected or appointed, regarding the reality of our process and procedures versus the magnitude of speculation going on in Washington D.C. Election security is not a partisan issue. What is partisan is using election security to create fear among the electorate on partisan policies which have absolutely nothing to do with election security. Thank you Secretary Arduin. I'd like to welcome the secretary from Connecticut, the Honorable Denise Merrill, who was elected to a third term as 73rd secretary of state on November 6, 2018. As Connecticut's chief elections official and business registrar she's focused on modernizing elections, business services and improving access to public records. Since taking office Secretary Merrill has expanded democratic participation, ensuring every citizen's rights and privileges are protected and every vote is cast actively.
Secretary Merrill has worked on voter participation through online voter registration. She has improved democratic accountability and integrity through a series of rapid response processes for election day problems. Secretary Merrill was elected president of NASS for the 2016-17 term and served on the board of advisers to U.S. election officials. Prior to her election to secretary of state she served as state representative from the 64th district for 17 years. Thank you Secretary Merrill and welcome. Thank you and apologies for my delay. My flight was delayed. I don't know why. They haven't told us. As you just heard I did have the privilege of being the president during the 2016 election. Sometimes I think I drew the short straw but it was quite an experience. As such I was very involved in the reactions to what happened in the 2016 elections and thereafter in terms of setting up different communication structures and other structures to start to deal with the cybersecurity risks that we just became aware of, really, during that time, that were aimed at the election systems in our country. I think all of my colleagues would agree we have come a long way since then in terms of setting up lots of communication systems and other systems so that we can have a better response if we do uncover some of these problems during elections, and we have a much better understanding. Many of us have availed ourselves of the services of the Department of Homeland Security over the last couple of years and Connecticut is no different. We have done that, but first I should paint you a little picture of Connecticut because it's quite different than what my colleague was describing in Louisiana. First of all Connecticut has the distinction of being the only state that basically has no counties. What we have is an election situation where we have 169 very small towns and very independent-minded, really, administrators of the election. My office acts as the advisory body.
We do, however, of course run the voter registration, the voter registry, which is one of the earliest voter registries, and we have had the same vendor for almost 20 years. We started out and Salman was acquired by other companies. Most of what we have done has been through that company, that vendor. The voter registration system has had many upgrades over the years but it is managed by our state IT department. I have almost no IT staff of my own and security is all managed under our IT department. As my colleague has said, many of us have been doing security on the voter registry, which in our state is one of the biggest databases we keep, for many years, and although we did of course avail ourselves of anything DHS offered, I was told by our IT staff that most of it was redundant. I guess different products do different things but essentially we were one of the 21 states that were essentially told that they had seen probes in our system. None of them got in and I am not going to get as technical as Secretary Arduin in my presentation. I will give you an overview of what we have done rather than getting into the nitty-gritty, but I would just say that the most important thing that happened last year was the release of the $380 million and I'd like to tell you a little bit about what we have done with it. Bearing in mind we have taken a very conservative view of technology in Connecticut. Although we have one of the original voter registries, we do not have an election management system as do many states. We have not adopted a system. We do have an organization which is very, very valuable called the UConn Voting Center. I think at this point we may be unique in the country in having the services of the computer science department, part of the computer science department, for lack of a better word a division I guess, that tests equipment. They evaluate equipment, they evaluate systems and they of course are completely nonpartisan and objective.
They are not vendors. They are not selling anything and that has been a very big help to us. They also every election test all the computer chips that are in our tabulators. Our tabulators, we have been using the same tabulators since they were purchased many years ago and they have served us very well. We have a fairly strong audit process after the election although I would like to see us do more with another process just because I think right now people's trust is the most important thing. I think the stronger an audit process we can have, the better off we will all be. I think the next thing I'd like to do in Connecticut is an audit, but we do have one. We audit 5% of all the precincts in three offices after the election. We used to do 10% but it's really a machine audit. It's proven to be 99.9% accurate. In other words it's working. The cards are tested both before and after by the UConn Voting Center. The election officials send them to the voting center and they check them to make sure they are programmed properly and they mail them back. We do nothing online. That is why when we did get dollars from the state to purchase electronic poll books at the time it seemed like a very good idea. This was about five years ago. It's much more efficient and it's much more accurate. But when they evaluated three different versions of electronic poll books they advised us not to purchase them because they did not think they were ready, and I think the reason they offered at the time was rather surprising, to be honest. A lot of people are using them. They said their question was about recovery and what happens if they crash. I think we are on the verge of having a solution to that. The more important question I had was, yes, sure we are going to order people not to connect them to the internet, but they are capable of being connected and even that was enough to have questions in their mind at the time. We are still looking at it but we are taking a very conservative approach.
Likewise with our election management system which is quite sophisticated and has lots of bells and whistles, and it has the capability of uploading the results from the tabulators and has some other software needed to make that happen. We do require them to type in the results from the tabulator. We do not feel comfortable with having that information uploaded even from the memory stick, so, like I say, a conservative approach, and that has its share of problems too. If you can imagine 159 small towns. Many of our election officials come in once a week. Some of them don't have many computers. There are towns that have no computers, deliberately. I've had many a fight with several mayors on this issue. It's a challenge. We have cities also so that's the challenge we face. We have taken our $5 million, which was our allotment from the $380 million, and spent a good deal of it on something called the virtual desktop which as I understand it, and I am not a techie here, does two things. It solves the problem of the Microsoft 7. We don't really know what operating systems they are using in their town; we gave them Microsoft 7 at the time. We installed all the equipment with the original system, however apparently if you use the virtual desktop, which essentially allows us to log in to every desktop on the system and to help see what's going on, because we spent a great deal of time on the phone with people who can't log in, who don't know how to do whatever function it is they are looking for. This would allow us to override their system and as I understand it, it would use the Microsoft operating system, so as I understand it that will make it not necessary for us to go with buying all new operating systems. We have also had to spend some of our money on used tabulators. The tabulators we have now are coming to the end of their useful life. We purchased them two decades ago and that is a mystery in computer talk.
We are looking at purchasing, I think as I recall, with $500,000 or almost $1 million of the money, used tabulators, because at this point we have no funds for buying an entirely new system. I have not even priced it out. I'm planning to have a committee put together that will look at what we are calling the future of voting, because we don't know where it's going, and that's always the case with any kind of computer system. I would say my biggest ask of this organization is to hustle up with the certification and standards. We are going to be in a position where we are going to have to replace our current system within the next few years. We have been very satisfied with the usage of the systems. We have gotten used to them. We have paper ballots. I think there's a great deal of trust in our system because we do use all the best practices. I can see there's going to be a big need for us to have a lot of information from a source that understands this and knows where the field is going. So that would be my request, really. The $5 million has been invaluable in helping us maintain what we have and do better. We have a plan that goes on for several years. A lot of it is training, because we have lots and lots of local officials. Connecticut is unique in that, rather than county clerks managing elections, each of the 169 towns has two registrars of voters, one from each party. Well, you also have a town clerk who does absentee ballots and that sort of thing. It's a very decentralized, I would like to say, system, but there is lots of training involved. These are not folks who are familiar with technology necessarily. Some are and some aren't, so I think our biggest challenge is training and making sure people change their passwords and know what a phishing email looks like. So, very basic, actually. That wraps it up. Thank you very much for having this hearing and letting us talk about what we are doing out there. I feel like we are in a pretty good place at the moment.
Thank you, Secretary Merrill. I'd like to open it up for questions from the commissioners, and I'll start with Secretary Merrill. Given the jurisdictions in your state, are you comfortable with the level of visibility and control that your office has over the state's security as it pertains to voting systems, equipment and software?

When it comes to the voter registry, yes, because the state is spending its resources on security and it's housed in our IT department, called DoIT. We won't go there. And I think they do a very good job of it. The system itself is getting on in years, and we have a significant upgrade again in the next few years; we are going to look at another upgrade. It is difficult to manage. I have made some proposals to the state legislature to have a little more centralization and bring back the county level of government, but to no avail, so I think we are going to be, er, it works remarkably well for some purposes. For example, I can imagine trying to hack election tabulators. So unimaginable, really. I'm comfortable at the moment, and I can see two or three years from now maybe not.

Secretary Ardoin, you mentioned [inaudible] and computers from Windows 7 and Windows 10. Do you have the tools and resources necessary to combat such incidents, and what have you learned from those things you were discussing?

I learned from the incident that you are only prepared when something happens. Basically, you don't know exactly what to expect until you are in the situation. I was very pleased with how my staff reacted and the steps that we were able to take. I think it's because of the unique system of Louisiana being a top-down system. We immediately quarantined our system. What we knew was, with some having Windows 7 and very few having Windows 10, we knew there were vulnerabilities there. What we also had, because of the very thing that we have been doing, a strict inventory if you will, was which parishes had Windows 7 units and how many.
Those were the ones we immediately banned from the system, permanently, from the moment it was brought to our attention. The incident affected some local governing bodies and never touched the election system, but knowing there were some who interacted with parish governing authorities, we felt the need to shut down the system. We decided to take money that had been allocated from self-generated revenues within our agency, and not purchase centers for the clerk of courts' offices, which we had initially intended to do, and utilize those funds to buy the Windows 10 units, given we felt like that was a much more secure opportunity and need in our system moving forward. That's basically what we did. We were able to move fast. We quarantined the whole system immediately and we were able to shut off local access. The next step was, when we knew which parishes had been hit, we quarantined the other parishes, and those parishes stayed quarantined until we were able to bring them back up, and we did one parish at a time. If another parish was hit, we took them offline and continued that process. It was very successful. I'm very pleased and thankful for my staff reacting very quickly, but again, it takes that type of an incident for you to realize how quickly things can happen within your state. I immediately, with what information I could, contacted the president of NASS and asked for a conference call with the secretaries, because we were told this was to be much larger than a one-state attack. The importance here, Madam Chairwoman, is that information is key for election officials. If we don't get information, we can't protect our systems. The timeliness of the information is absolute, and for us to be able to make sure that our systems are secure, we have got to get that information as quickly as possible, whether it's a local partner or a state partner or a federal partner. Sometimes we just don't get it. Thank you.

I have one question for both of you, if you could give me a quick shot.
How do you fit in updates? We are talking about Windows 7 and the updates to systems. When you're running several elections in a year, how do you work that into your schedule? You've got primaries, and you have early voting, sometimes the general elections. How do you fit those updates into your system with that schedule?

The best we can. As I stated in my presentation, for Tuesday updates, the monthly Tuesday updates, when they come in, the problem for us is, and I would imagine for any election official, once we start the call for election preparation, there is no stopping it. The timelines are so detailed, and especially with UOCAVA. We have a deadline to meet. We can't avoid those deadlines, and so even if a patch comes through, we may have to delay the installation of that patch, because as I said earlier, it takes time to adjust to each incident. It affected our ability to do qualifying online because of the patches that were being automatically updated, and we had to stop that process in the registrars' office because the clerk was not able to do their job. It's a very delicate operation. It's very concerning to us, and I think that's something that the EAC needs to delve more into, in order to make sure our voices are being heard with our vendors, whether it's Microsoft or voting equipment.

Again, we are unique. We do not have any form of early voting. We have the one election day, which helps in a way, but we don't do anything in the UOCAVA period, the 45 days. Again, we don't really know what our local towns are running. We really have very little control over their local systems, and so the virtual desktop hopefully will override that problem. We won't be able to do a pilot until this year in our elections, so we'll be able to pilot it this year, but hopefully it will be in place in 2020. Up until now we can patch our own systems, and that's the basic voter registry, but everything else is really at the local level.

Thank you, Secretary Merrill.
Thank you all for being here, and I appreciate your testimony. Secretary Ardoin, you were talking a lot about this, and it's obviously expensive. It's not just taking out your phone and hitting update. One of the things that stands out to me is the costs associated with this. That is people and labor, in addition to equipment. One of the questions we get asked a lot by Congress is about the $380 million Secretary Merrill mentioned. Do you all see, would it be useful if, obviously federalism would split it up, there were a consistent federal funding stream specifically toward security upgrades, maintaining equipment, maybe implementing programs like Illinois's cyber navigator program, where you have state election technology experts that assist counties, parishes and towns with fewer resources? Do you think that's something that would be helpful and needed?

Of course, resources are always helpful and necessary. I would say what we have been doing in Louisiana is that we set aside our $5.8 million of funds strictly for the new voting technology, to purchase new equipment. What we have been doing is absorbing in our budget all the cybersecurity needs that we have, which are growing exponentially each and every year. What we would hope for is that if the federal government does make additional resources available, that there be no strings attached, because each state is different. Just the two of us sitting here, we have explained how different our states are; the cultures are different and the voters have different expectations. We all have the same expectations, which is a secure environment for our elections, that everybody is accurately counted, and that everybody gets to participate who wishes to participate. I would say this: the federal government providing additional resources would be helpful, but the federal government also needs to communicate to the states that they have an absolute responsibility.
I am no different than my colleagues here who are constantly asking for additional resources to fend off cybersecurity issues, to update equipment, and to do what is necessary to secure our elections and offer people the right to vote. In addition to that, we are taking on, in Louisiana, we have a strong responsibility. We have all the IT operations for elections in my agency, and we do that for the locals as well. We provide, obviously, as I have said, equipment to the locals. That takes a lot of money. All partners, parish and local, state and federal, need to cooperate and work together on this funding issue for resources for securing our elections. Let's face it, we are all in one large ship, and that's the ship of America. If we are working together to secure elections and fund our elections appropriately, then what are we here for?

Secretary Merrill?

Yes, I would concur with that, recognizing that states have very different capacities for funding their elections. Connecticut, for quite a while, we funded most of what we have done through bond funds, which is perfectly appropriate because it's equipment and infrastructure for the state, but not every state can do that. Right now Connecticut is willing to do that at the moment, where the budget crisis has been going on for four or five years now. I think there is certainly a role, and that would be very helpful to my state, I know, because the reason we have not gone forward with providing more local equipment, upgrading their operating systems and so forth, is because we don't have money for that, or traditionally it's been funded by parents. I agree with my colleague that the states have responsibility here too, but like I said, they have the capacity for doing things, and I think it's imperative that the country and the state and the local government all, as you say, work together to do this. This is one of the fundamental operations of government. You're not going to privatize elections, so it's time we put some dollars behind it.
I think this is a really recent development. You know, it was only in 2016 that we realized there were all these cyber threats and so forth, so we have reacted pretty well in the short term with what we can do. In my state, for example, it's much more efficient, I suppose, to control security for these big databases from a central level, and I respect that. It actually makes a lot of sense, as long as I have someone in my office who can work with them. We have to take the same attitude overall, that we work on it together and we are able to articulate our particular needs, and that you provide some sort of framework for that, for the funding. I do think some funding needs to come from the federal level.

Thank you. I want to be sensitive to our time, so I will hold off any other questions until my colleagues go. Commissioner Palmer, do you have a question?

Just a few. What I hear from both of you, as the priority as chief election officials in your states, is that you need to upgrade your voting systems and your registration systems, and these are fundamental to the electoral process. That is where most of the money would help your state. Is that a true statement?

We have our job to do. Get those out so the manufacturers can design equipment to those standards. That's all I have. My state is about to embark on a process, and we will be dealing with standards set in 2015. Much of that I blame on the federal government for not having a functioning EAC with a full commission, but I'm very thankful that we now have a full commission and you all are working very hard. We are now behind the times because of that, and 2016 snuck up on us very quickly. We all reacted as quickly as we could with the resources that we have. The fact is, I'm going to have to go a little bit further, as I stated earlier, in the requirements that we will have to work under, that aren't necessarily even issued by you all yet.
That's very concerning to me, not to mention all the various legislation rolling around Congress that could require this.

I have one follow-up question. As Congress looks at different grant funding, potential or otherwise, one of the things we hear, and I'm fairly comfortable with my observations, is that at the state level, the executive branch, the governor, the IT at the state level has a lot of protections, as Secretary Merrill talked about. We are concerned about the small counties who may not have those resources. Do you have experience with how those monies could be used in a way to help those localities upgrade their local IT systems to be more resilient in warding off some of these attacks?

Yes. I would say that's exactly what I'm doing with the money that I got, the $5 million. By instituting the virtual desktop, we essentially have given them more capacity. Maybe that's the direction others could follow. We haven't tested it out yet, so I don't know how it's going to work out, but rather than purchasing new equipment for 169 towns, it might be better just to try to work with what they have, as long as it's the virtual desktop that takes care of the security part for all of them. And then training. It's all local capacity building, really, so yes, you are right. My biggest fear is vulnerability at the local level, and that's exactly what we are working on.

That was exactly my fear, and it almost came to fruition. By the grace of God it did not, but we were taking those steps because we were able to retain election IT in our system and not be forced into a consolidated system along with the rest of the state agencies. Then we were able to control our own destiny, if you will, and work with those local election officials to secure our environment and continue to secure our environment and train them on our environment.
Being able to see it from a larger picture, 30,000 feet if you will, that was the right thing to do for our state, and we continue to be able to predict vulnerability and work with vendors outside to look for newer ways to secure our system. It gives us the ability to quickly react, versus having to go to the state and ask for permission. I'm not saying it's not working for others, but it is an important component for us.

Good for your state. One of the things that I wanted to ask is a little bit about the overall picture. I know that secretaries of state and other election officials have more than one job. It's not just to run elections, but there are other aspects as well. Are there other portions as well, that do tax collection or other aspects, that you have to have updates done for, and how are those updates incorporated?

Oh yes, absolutely. I am, among other things, a business registrar, so I have the other largest database in the state, and we are constantly updating it. It helps that we use the same vendor for both systems. We have, historically, for many years. That's right, but it's not as critical, and you don't have that one day. I always like to compare an election to giving a wedding. You have that one day, everything has to go right. Unlike the business registry, where there is a constant deadline for this and that, we don't have the same issues in that sense.

I also am responsible for the commercial registry in the state of Louisiana. It's the same thing; we do use the same as well. I think we have the same vendor as well. [laughter] It is a constant concern, because the system also is being constantly scanned and probed, and business identity theft is a growing phenomenon. We are protecting businesses as much as we are protecting the elections. As Secretary Merrill said, that's an ongoing process. Election day is critical. We have early voting, a seven-day period of early voting in the state of Louisiana. That is critical as well. Voters have to check in.
They use our system on a daily basis. There is concern. We don't have electronic poll books, and given the situation where we are, I will never ask for electronic poll books. You have to now be looking for things that you didn't necessarily have to look for before. As we say, cybersecurity is not an end game. There is no finish line in cybersecurity.

That reminds me of something you said earlier about having plans for your plans, basically, and it reminded me of former heavyweight champion Mike Tyson saying everyone has a plan until they get punched in the mouth. I figure that we have plans ready for 2020. I think there's going to be a lot of swings at us, and I don't necessarily think we're getting hit hard, but there are going to be a lot of attempts for folks to hit us. I think that states are doing a good job of planning for that. I would put a plug in that the EAC does training for election officials, and I have participated in a couple of those. Our director of testing and this team have been going out to states; if there is an opportunity to take advantage of our training approach, definitely do that. I think you folks have done a great job with the election process. The last thing I would ask is a little bit more of, other than money, what can the federal government do for you? No strings attached, but in terms of [laughter], it is more of what sort of things can we help you with, moving forward in 2020 and 2022?

Can you convince Microsoft to not charge us for the three years of support after January? [laughter] That would be a good start for us. That is pretty expensive; I think it was 300 and something dollars per unit. Moving forward for a three-year period, that can get quite costly if we are unable to replace all of the Windows 7 units. What I am telling our locals is, whatever your parents bought for you, put it aside. It's not worth the threats. They don't have the money because they just bought the systems.
They just bought the new equipment, but they didn't buy in the piece.

Hustle up with the certifications. [laughter] I mean, really, that is the short answer. But also, just thinking out loud here, I can hear a decision. You keep forgetting the maintenance cost, and all of these systems have a very large ongoing cost. Maybe that is where the state should be, because that's not something we can expect money for every year from the federal government. But infrastructure costs, like, might be where we could use the most help, because that's the kind of thing you pay for once, and then maybe the state should be picking up the ongoing cost, together with the tab of whatever iteration it is; it is different in different states, but that would be my short answer. Certification standards, because people, as you hear, are out buying things right now and they need help.

Thank you. I want to extend my sincere thanks to both of you for being here, and I appreciate your comments. Thank you very much. Thanks for having us.

Calling up panel two, please. [laughter] [inaudible conversation]

I want to thank you all for being here for our forum. This is important information for us. We want to learn from you what we can about these issues that are critical at this time. I did let the secretaries go a little bit over on time, but I just wanted to let you know that the clock is set for five minutes. When it is yellow, you have one minute, and then the red light comes on when your time is up. I want to go ahead and introduce the panel. To my right here is our director of testing and certification, Jerome. In this role, Jerome assists jurisdictions with developing processes and procedures for risk. He published a white paper on things to consider before conducting a pilot. Prior to joining the EAC, he was at the Colorado Secretary of State's office for ten years, where he served as the voting system security lead and project manager.
Next to Jerome is Jared Dearing, state election director for Kentucky, with the Kentucky State Board of Elections. He has worked in campaigns and election administration for over ten years. He has worked in the public sector at both the local and state levels, including in Louisville and California. His private sector work includes startups located in the Bay Area and Boston. He is a graduate of the University of California, Berkeley, where he studied engineering.

Next to Mr. Dearing is Ginny Badanes, the Director of Strategic Projects for Microsoft. Her work focuses on the growing threat of nation-state attacks against vulnerable democratic institutions globally. This includes the security of campaigns and elections and the distribution of information as it affects those processes. She worked previously to this role with political organizations on their data and emerging technologies. Prior to joining Microsoft in 2014, she was the Vice President for political accounts, where she worked closely with presidential and Senate campaign customers. She has over 15 years' experience in political technology; she has been recognized as one of Campaigns & Elections' Rising Stars and also received the American Association of Political Consultants' 40 Under 40 award.

Next to Ginny is Matthew Scholl. Matthew is the chief of the Computer Security Division in the Information Technology Laboratory at the National Institute of Standards and Technology. His responsibilities include [inaudible] used by the government and internationally, cyber research, and cybersecurity programs. He also leads NIST participation with cybersecurity national and international [inaudible] and testing programs. He is also a US Army veteran and currently has over 20 years of service.

Finally, we have our friend Geoffrey Hale, the Director of the Election Security Initiative at the Cybersecurity and Infrastructure Security Agency. He has supported [inaudible] focus on election security since the cyber incidents of 2016. He has been instrumental to the EAC's ongoing collaboration with DHS.
Thank you so much for being here. Thank you so much to all of you for being here. I will start with you, Jerome, and we'll just go on down the line. I'm sorry about that; I'm not great with microphones. [laughter]

Good afternoon, Chairwoman McCormick, Vice Chair, and Commissioners, and thank you for today's forum on taking the lead on testing and applying software security updates for voting systems. I want to also thank the panelists for participating. Personally, I greatly appreciate and value your input, and I look forward to hearing your thoughts. I've been heavily involved in testing for over ten years, actually 12 years now. I have literally installed the software on thousands of voting devices in my career. I would just like to highlight that once a system is certified, it is certified to the requirements at that moment in time. Our Testing and Certification Program Manual provides guidance on changes to voting systems that I can talk about in more detail if time allows. But recognizing we have limited time today, I'd like to hear more from our panelists, and I am glad to answer any questions you will have. I just want to lay the groundwork, because we do have limited time, and as some of you in this room know, I can talk about this stuff for a long time. So I will refrain and allow others to have the opportunity to express their thoughts on this matter.

Thank you, Jerome. Mr. Dearing.

Madam Chair, Mr. Vice Chair, Commissioners, thank you for having me here today to participate on this important subject. My name is Jared. I am the Southern Region [inaudible]. I am also the executive director for the Kentucky State Board of Elections. Prior to my current position, I worked both in the public and private sectors. I am glad that we are here today having this conversation. I also wish it could have taken place a little bit sooner. Microsoft announced it was ending support for Windows 7 several years ago. In 2014, it ended its support for Windows XP.
This is not the first time experiencing this as a community. Since the passage of the Help America Vote Act of 2002, we have increasingly relied on technology. Every state replaced punch card and lever machines, and it created the Voluntary Voting System Guidelines and the voting system certification programs. The move away from lever and punch card machines was designed to move the act of voting to a more modern technology. Yet the move to any technology requires ongoing maintenance. Technology is not static and is in a constant state of iteration. Operating systems, firmware and software all require ongoing updates to maintain both functionality and security. As of August 2nd, the MS-ISAC has put out separate update advisories in 2019 alone from vendors ranging from Mozilla and Google to Oracle and Microsoft. Anyone who has tried to use a laptop or cell phone knows that keeping technology current and patched is critical to maintaining its lifespan. The well-documented funding issues in election administration mean that state and local election officials need their voting equipment to last as long as possible. When we invest in new technology, we do so knowing that we may not have the funding to do so again for another ten to 15 years, and in some cases sometimes longer. But they are dedicated. The technology is kept under tight security. They work hard to keep machines patched. As with most things in elections, our ability to do so varies by state. In Kentucky, after they've been certified by the EAC, their operation and maintenance takes place at the county level, which means that county officials update and patch voting systems after patches and modifications are approved by the state. Our county offices and officials, like many around the country, are severely under-resourced. Other states handle patching and updates differently. Most of us cannot compel our local election jurisdictions to update the equipment. We can strongly encourage it, but we cannot require it.
Further, in many places, the local jurisdictions must make arrangements with their voting system service providers directly to have voting machines patched. This can come at a fairly significant price. Every dollar counts. And frankly, that means that patches are not made when they should be, oftentimes. There are challenges with a national certification program in that different states have different needs, laws and structures. But consistent nationwide is that our certification process represents a moment in time. The vendor submits for certification a system that uses an operating system, firmware and software that are essentially already old by the time that system is developed. But we all know that is not how technology works. More importantly, that is not how bad actors work either. We need to balance the need for certification with the imminent security needs of election officials on the ground, where time and resources are truly investments. Last month, I participated in a conversation about coordinated vulnerability disclosure on Capitol Hill with the EAC, the Cybersecurity and Infrastructure Security Agency, the vendor community, and technologists as well. A lot of smart, energetic individuals out there want to use their skills for good to make our elections more secure. We need to develop a process by which hackers can communicate vulnerabilities. The vendors need to also be able to respond quickly to provide fixes before those vulnerabilities are exposed. It is not enough to find and report bugs. There must also be a way for systems administrators to quickly digest and remediate these issues after the notification. Beyond hacker communities, some vendors have already worked with CISA to have a critical product evaluation of their systems conducted at national laboratories, to take advantage of the cybersecurity expertise that our federal government can offer our sector.
The assessment conducted is, by design, more in-depth than the security testing performed by the voting system test labs, or VSTLs, as part of the EAC certification process. But the EAC currently does not have a procedure in place to incorporate these results into the voting system certification process. This means that we also must conduct security testing. This makes it time-consuming and expensive for voting system manufacturers trying to make their systems more secure. They also must develop a process to quickly certify modifications made by the voting system vendors to address potential vulnerabilities found in the assessments. Certification needs to be a stamp of approval that tells us our technology is secure, not an obstacle to more secure systems. Our current system of certification, upgrades, and patchwork is ultimately leading to issues with common end-of-life cycles, as we are seeing with Windows 7. As a community, we must come together to adapt quickly in the light of an ever-changing landscape, and create a certification program that can accommodate the constantly evolving environment that we are now in. There are a lot of intelligent individuals working on this. We need to continue to work together to develop a more efficient process at the federal level to drive these much-needed modifications, patches, and upgrades. Thank you again for the opportunity to speak to you today, and I look forward to your questions.

Thank you, Mr. Dearing. Welcome.

Thank you for the opportunity to join you today to discuss the important issue of securing our elections. My name is Ginny; I am the Director of Strategic Projects for Microsoft. Its decision to engage more directly on election security comes from the company's belief that building and maintaining secure systems is a job that cannot be accomplished by one organization alone. It takes participation from all of us.
The federal government, state and local government, election system vendors, the technology sector, academia, and voters themselves need to come together and drive solutions. That's why last year Microsoft formed the Defending Democracy Program, which works with a variety of governmental and non-governmental stakeholders to tackle issues around campaign and election security. This brings us to the topic of the conversation today: election security and certification reform. We've given a lot of consideration to the role that Microsoft can play to be an impactful partner to the election community. One thing I want to note is that many of you are familiar with the senior cryptographer at Microsoft Research and ever-present advocate for elections. The idea that advanced cryptography could come alongside current voting processes and enable voters to know that their vote was correctly counted was incredibly appealing to us as a team. That's why we announced the creation of ElectionGuard, an open-source software development kit that will allow vendors to build that functionality into their systems. We've been working alongside many of the election vendors to identify how this technology might interact with their systems. One aspect of Microsoft technology in use which is getting a lot of attention is the issue of Windows 7 end-of-life. As quick background, which I think we've already gone over, Microsoft announced several years ago that support for Windows 7 would end in 2020. We are committed to helping our customers remain secure as they modernize their systems. We understand that some customers will need more time, which is why we will offer security updates to customers who are still running Windows 7 on their systems. Details are still being worked out about cost and process. We will have more information to share in the coming weeks on what they will cost and how. I will assure you that Microsoft will see that customers have access to security updates that are straightforward and affordable.
We are committed to protecting our elections and are dedicated to doing our part. I also want to highlight a related issue that has already been brought up this afternoon. Protecting our election systems against vulnerabilities is extremely important, which is why we should also be focusing on how to remove the unintentional incentives that have been created by requiring recertification after patching and/or updating a system. In our perception, there is a lack of clarity about if and how a security software update can be applied to a system without triggering the comprehensive recertification process. We should stop giving election administrators the choice between applying security patches and taking their systems out of certification. I look forward to discussing this and other issues, and I welcome your questions. Thank you. Thank you. Thank you for having me. My name is Matthew Scholl, from the National Institute of Standards and Technology, where I lead the Computer Security Division within the Information Technology Laboratory. One of our missions, and one of the many things we provide as part of the Computer Security Division, is a set of tools, references and information to assist organizations, state and local, our federal government partners, as well as US industry, in securing their technologies and their infrastructures. In these toolsets that we provide, we have a series of documentary guidance to assist clients; this will allow an organization to make critical decisions about setting up a program and then make the critical business decisions about prioritization, timing and application of patches and updates to the important systems that they use in order to achieve their business objectives. We also provide guidance not just on patch management but on configuration management, implementing and maintaining security for both endpoints and backend machines, again to support these business objectives.
Not just documentary guidance, but we also provide tools to allow for the automated implementation of security configuration. This will allow toolsets to identify whether items on endpoint operating systems are in spec and secure and, if not, to allow other toolsets to remediate and enforce security if needed. It also provides references for organizations to identify if they are vulnerable. One of the references that we provide is the US National Vulnerability Database, or NVD. It categorizes and incorporates every known publicly declared information technology vulnerability and publishes it in a machine-readable format. This then provides a metric for organizations to decide how to prioritize patches, and whether or not a patch is critical to them and the information technology that they use. I would like to echo some things that were said by the prior speakers as well. NIST runs several conformance and testing programs specific to cybersecurity. It is incredibly important for any certification program to clearly communicate where the certification boundaries lie, between upgrading and patching versus maintaining a certification to a version number. Often we give organizations a business risk rather than an information technology or cybersecurity risk decision in maintaining a certification versus patching a vulnerability. Clear, concise communication on the intent of the certification program, especially in the dynamic environment that information technology exists in, is critical so that folks can make good risk decisions balanced with those business decisions and maintain the security of the products. Thank you for having me here today and I look forward to answering any questions you may have. Thank you. Good afternoon. I want to thank you for the opportunity to speak today. I would also like to thank you all for considering me and for being here today. I serve as the director of the agency's Election Security Initiative.
My team's mission is to ensure election stakeholders have the necessary information to manage risk to their systems. Within our charge we oversee and coordinate field engagements, provide technical assistance, contribute to the national security apparatus, and support vendors and the electorate. Our support comes at no cost to our partners. We see a need to do the fundamentals, like understanding the different integrity, availability and confidentiality requirements of the systems, and ensuring systems are able to detect and recover from exploits. We offer several services on security: education, protecting email, protecting the online presence, securing important information in transit, and developing incident response. We've been thrilled by the engagement in the community, with all 50 states and several major vendors participating. This hearing is timely. We are discussing the end-of-life of Windows 7. Two of the most common vulnerabilities are unsupported systems and immature patch management. Election officials are asked to update their systems. Improving vulnerability management and software patching can reduce one of these risks; for the other, it cannot solve the technology deficit. The most recent grant funds are one way you can address those risks. Because I've touched on the vulnerabilities that we've seen out in the field, it is worth noting that although we put a large portion of our efforts into the security practices of internet-connected databases and networks, as this is the most available avenue for attacks, to that end we've also invested in providing open-ended vulnerability testing of voting systems. It's called critical product evaluations. Again, encouraged by the vendor community, several have completed it and more are queued up to do so. Voting systems and other components of the vendor were tested.
We believe there can be a complementary relationship between the assessments and the compliance testing. We see an opportunity to work with you to come to a defined process. Perhaps now more than ever, the eyes of the security community are on us. It also brings a wealth of information for us to benefit from in these processes. I believe they will look to the EAC. Because of its leadership role, serving as an honest broker for security and testing compliance, we are in a position to provide additional value to the election community through improving vulnerability disclosure and management. Put another way, any coordinated vulnerability disclosure program will only be as effective as the certification and testing process. We work with these challenges across several sectors. We identify and discover vulnerabilities, and we run the management program where researchers turn to us for assistance in coordinated vulnerability disclosure. With this wealth of material we look to you for how we can integrate our information with our policies and processes in a manner that allows adaptability to emerging risks, including the ability to provide patching in a timely fashion. We value your partnership. We look for future opportunities for bringing our expertise together in the years to come in support of election officials. Thank you. Thank you. The program that you are discussing, is that the Idaho lab program? Yes, and they are working out of the Idaho National Labs; it's the critical product evaluation. I just wanted to ask, last time I heard there were just a couple of vendors. It sounds to me like you have more vendors now. Open-ended vulnerability testing, yes, and increased interest as more of the community has discussed their experience. How are those experiences going? I believe the vendors would be best to speak to their experience, but the feedback we have gotten has been positive.
There is a lot of discussion about hardware and software validation and how components can potentially be hot-boxed. Obviously this results in a level of information that we get to work through with the vendor following the assessment on mitigation opportunities. Thank you. You described some of the resources that you have for the election community as far as vulnerability. Do you have some sort of resource to help the localities with data recovery after a compromise? Correct, we do have guidance, documentary guidance only, on recovery operations, as well as protection against malware, some guidance specific to ransomware and protection against ransomware, and some of those specific threat models. The services we have for that that would be most useful would be the documentary guidance and the recommendations we have for setting up those types of programs. We hope it doesn't get that far and we actually take preventative measures first, but I just wanted to know about the data recovery because it's very important to us. We do look at data recovery. It's one of the things we need to make sure we take care of as well. You provided us, or Microsoft provided us, with a security rating system. You categorize these different vulnerabilities that are critical. How often do you categorize an update or security patch as critical? We heard, you mentioned over a thousand security updates, so obviously there are different levels. How often are we looking at critical? That's a great question, which I am happy to answer. I am not familiar with how often. We do categorize them and emphasize which ones are critical. [laughter] Security vulnerabilities are scored in an open standard called the Common Vulnerability Scoring System. We have an acronym for it in the government; it is called CVSS. It is just a scoring system that ranges from one through ten, with several underlying criteria that make up the underlying score.
That score, one being low and ten being critical and then some gradients in between, has been used to apply to how important a patch might be with reference to a vulnerability. So it is a common scoring system that is used not just by Microsoft but by all vendors who participate in a standard scoring capacity. This is the severity metric I mentioned earlier which NIST uses in publishing vulnerabilities. Thank you, and there is also a separate index, right, an exploitability index maybe? Correct, as part of that score there is likelihood and severity, the type of attack it might be focused on, a confidentiality attack, an availability attack, the exploitability index, and measures that look at whether it is remote or local, is it tooled or is it new, the level of expertise that might be needed, so there are several individual items that have to be assessed by an expert to make that decision and decide how critical that vulnerability is. Windows 7 is a topic that began this conversation. How has the communication been between the elections vendor community and Microsoft as far as figuring out what needs to be done going forward to address that issue? Right. It's been a very positive experience. We've been working with the vendor community on other initiatives as well. They let us know it was a concern they have and they are working towards resolving it. They're trying to understand what role Microsoft can play in assisting them. It's been a positive working relationship. They gave us the opportunity to take some time to begin our thinking on how we might address the election community specifically on this issue. Obviously it is something that impacts all critical customers of ours, all customers in general. But the communication and the working vendor community have been very good. Good to hear. Thank you. We hope that issue gets fixed as best as it can and that the systems can get updated. It's probably a resource issue for many. It's very important for us to know. Mr.
Dearing, you are talking about the fact that most of the patching and updating is done at the local level. What is your assessment of the technical expertise and competencies of your local officials who are responsible for these security upgrades and patches? I would say that, just like the general public, it varies drastically. What I definitely can say, both as a state director working very closely with the local administrators, is that they care incredibly deeply about elections. It is the one part of the job that they have that is widespread, whether they are doing marriage licenses or registrations for vehicles and boats, but oftentimes elections isn't the thing that most of these individuals care deeply about in a way that manifests in how their day-to-day functioning is. They are often not dealing directly with elections, but they are still calling us because they still have technical needs that need to be filled. The local level is where we are most severely in need of resources. It is not the individuals themselves, but those communities are the weakest link within the structure. They are drastically under-resourced. In many counties in my state, if you were to show up in the town at 6:00 p.m., McDonald's is oftentimes the busiest place in town, and it's not because people are eating there; it's because people are using the free wifi. This issue can be magnified by 120 county clerks and their deputies, and there are other states, as obviously everyone does it differently; Wisconsin has 1,800 local administrators that are working at the municipal level. If we are failing our local administrators, we are not doing our jobs, and part of that must be resource allocation, and I say that specifically because I have clerks that might have one or two staff members.
They are not digitally native, so these are individuals that have been working on analog systems for their whole entire career, and we're now asking them to participate in what is a national security question, right? We are talking about local communities that are having trouble funding roads, water bills and hospitals, and we are now also asking them to take part in the defense against foreign state actors. The cliff that is looming before us is that we are failing to fund them appropriately for critical infrastructure. Part of that, to come back and answer the question, is that some of my counties have amazing IT staff because they are large and they can be funded, and it might be a large city, not a county, but a lot of my counties are incredibly under-resourced, which means that on the backend they don't have IT staff. While we provide as many services as we possibly can to them from a state perspective, I am also staff-strapped. I was talking to someone just a couple of days ago about, if you had money come your way, what would you do with it. The Illinois Cyber Navigator Program is one of the first things I would do with it. Having individuals that are trained IT staff, that understand security, that understand the clerks' needs directly at the local level, to be able to travel the state and build relationships that are trusted. The clerk has to be able to trust these people. Someone sharp to be able to help them with their IT needs and help secure their systems and teach best practices is an ideal situation, but that is a long-winded answer to say we need more, at every level of government. Yes, ma'am. We were talking about patches; if there is a patch and it is said to be de minimis, who tests for that? Whether it actually is a de minimis patch and whether it would require a modification of the system? This is where it gets a little more complicated. If our phone or our home computer has a patch, we can connect to the internet and update or use our network and do that.
When it comes to a patch for a voting system, it may appear to some to be just de minimis, we are just doing this one thing, but what we have to look at is the vendor's software application and how it reacts or interacts with it. One patch, we are just doing this one thing and addressing this one vulnerability, or multiple, or whatever, may have some ties to their software application, meaning that the software that it exposes, if you do that, then this is going to mess up this part of it. So then it gets way deeper than just de minimis, and in our program manual it would go into a modification, and it would be considered, for a 1.0 system for instance, it would then go to a 1.1 in the modification, and so that would require more testing from the voting system test lab. There have been ideas floated around in the community recently; one idea that I heard recently was for voting system manufacturers to self-certify. That might be a good idea, but like with everything discussed, we need more discussion around what that even looks like; for instance, for me on my end, do we trust that? I am naturally more skeptical about things just in general, and just the idea of the voting system manufacturers saying we are going to self-certify doesn't sound really good to me. But it might be a good idea if we have a good program to oversee that, to ensure that if you have multiple vendors and they are self-certifying, they are following the same procedures and processes and policy. That is something, like I said, that would need more discussion, but it was an idea that came my way. But we don't know. We just can't say software patches, in a blanket statement, are de minimis, because it is just not so. Some of the test labs will have the opportunity to talk more about that and give us more details and say the hands-on stuff; they do that day in and day out and that is their livelihood, and they can talk more in detail about things that they run into that have come at them.
Thank you. Thank you. As Mr. Lovato said, some of this may be more appropriate for the next panel, but I do think that the diversity of the experience on this panel in particular could be useful, so Mr. Dearing had talked about finding that balance between certification and security updates, and obviously certification means something. The reason we have it is to attest to the quality of the system. In this environment of looking at security updates and balancing those, I am interested to think about, obviously de minimis has been brought up and we sort of have modifications, I recently had a conversation with someone from another industry that talked about sort of a traffic light system, with different levels, that would hit different pieces of, I guess, testing in order to be recertified. Have there been things that you see, Mr. Scholl, at NIST, or Mr. Hale through other critical infrastructure, where you have a certification environment that requires these updates, and does that work well? Let me answer the first part, where I've seen it. The second part, about working well, I'll have to think about. [laughter] NIST maintains the national calibration system. So we have a National Voluntary Laboratory Accreditation Program where we certify calibration labs across the country to conduct certification activities on behalf of the nation. We have significant experience in standards conformance activities. So much of what you are calling certification is, to some extent, an assessment and attestation that a product has met a specified standard. There is a balance, then, that we have been discussing around the level of rigor and trust that is being extended to the product. This is versus the risk of the failure of the product to meet the standards, and how we wish to balance those risks. The costs are always there: time, dollars, and the impact on innovation and technology are on the cost side.
Assurance and risk monitoring are on the benefit side of the security program. So we do programs in everything from what was mentioned, vendor self-attestation or vendor self-assurance, where, while you are putting trust directly in the vendor, you are also putting the liability directly on them. So the vendors themselves are the ones actually making the attestation, versus a second or third party, which is then a removed set of liability. So again there are these balances that everyone must look at. Some do it well. Some have learned lessons over difficult business decisions about maintaining a certification for business purposes, which is one type of risk, versus a cybersecurity risk of patching and then potentially losing your certification. For example, for devices at the Food and Drug Administration, they use device certification to ensure that good security risk decisions are made, maintaining the security of medical devices in a balanced way with medical device certification as well. They are an organization that has looked at this very heavily and has put out recent guidance on how to maintain these balances. So that might be a model that potentially you could look at. Thank you. There are a couple of things that come to mind where the changes kind of get pushed downstream for validation. Transportation, aviation and medical devices come to mind. Those may not have the same unique factors as the election community, in that election day doesn't move, as you all know. How you are time-bound with that temporal nature sets an urgency about when these systems cannot be touched and when they must be patched. I think that there are some unique factors here that really drive a call to action earlier in the process than perhaps other testing can allow for. Thank you. I think a lot of that, from my perspective, is about criticality.
Where a vulnerability has been identified, what level of criticality does it have, and where does it sit in the certification process? Does it just get put back in line with all of the other certifications that we need, or do we say, hey, there is a triage process here where we can say if an exploit is found and it seems to be highly critical in the damage it could do, and going back on some of the standards that we use around this, how do we drive what best practices are? Certification for the specific exploit, so it's not just a one-size-fits-all for every vulnerability, as vulnerabilities are different. I think you were asking a question earlier about when highly critical issues come in, how often do they come in; by their very nature they are random and sporadic, right? But when they do come in, it is so imperative that we address them in a meaningful way. I know the one thing I would love to see from the EAC is, you guys are so perfectly the center hub of communication between all of the sector, whether that is election administration at the local and state level, our security partners, our vendors; we look to other sectors for best practices, and I think the automobile sector is setting standards ten years and fifteen years ahead of time. They are letting them know that here are the goals that we would like to see as a sector, whether that is emissions levels or safety features that will be expected to be put into cars as they are coming off of the line. The EAC, you guys have a certification team, you have engineers here, you have the ability to also produce research that can guide our sector as we move forward, rather than having the vendors be reactive when issues like Windows 7 come up, even though we all know there is a lifecycle to things. We all know that. What happens at the next lifecycle end?
In my small perspective, I would love to see that what the EAC's idea is as we move forward is not thinking about what happens currently today but what happens five to ten years from now. Whether I'm in elections in my current position in ten years, I don't know, but what I will say is that we are making decisions today that will determine the success or failure in that timeframe. Thank you. I am conscious that my time has expired. Mr. Palmer, do you have a question? Sure, I'd like to just tease that out a little bit more. There was discussion about imminent security risk versus certification and sort of how we address the one issue. I believe the one issue that someone mentioned is risk. There is a risk of failure of that product. That sort of begs that we need to make sure it operates as a voting system and that there is no significant impact, so that though there is a patch, it works as designed, securely. The liability risk, not only on the vendors but on the entire community, is there if there is a failure with that. But I would like to hear, if there are some comments, about how we can waive that risk. I mean doing something, as was said, with a patch, some sort of self-assurance testing by the vendors, some sort of limited or abbreviated testing by the EAC. Are there any ideas on how we can have a procedure in place to, if not absolutely necessary, not go through the entire certification, to assure there is nothing that is going to result in a catastrophe but will meet the needs of addressing the risks that are associated with some sort of imminent vulnerability assessment? Can you say that in a more abbreviated way? If you tell me exactly, I will give you a more direct answer. From a local or state perspective as well, they might inform us if there was an immediate change that is necessary, but you are looking at a certification program. What would you do in your circumstance, in the state of Kentucky? You have to balance the risk as well.
At the EAC, we may not necessarily have an abbreviated process here for the change. What sort of program can we instill to make sure we are limiting our risk of failure while addressing the problem from a security perspective? In Kentucky we certify systems at the state level, yet the purchasing and the maintenance of the systems are done at the county level. If a vendor were to come in and tell us we found a fairly critical vulnerability, that is something we are going to work directly with our counties on. But at the end of the day, we can't force them to do that. This is definitely part of a negative. Having local rule and local administrators and a diversity of our election systems from a holistic perspective is vital. How do we balance the need? I don't know if there is necessarily an answer to that. I think, as we were talking earlier, it needs to be triaged. Each item has to be looked at to see if it is something that rises to the level where I need to literally drive to every single one of my counties and help them patch whatever that may be. Do we determine that to be de minimis? Further impacting that is what happens when and if we say, hey, it needs the certification process, and now it becomes a public issue that a vulnerability exists. Part of my job is not just to protect the system but the reputation of the system. That is one of the most important jobs that we do, to protect the reputation of election systems. If people don't vote, it's not working. How do we balance that need to act appropriately and within jurisdictional boundaries, of whether or not we have the right to work with that individual and enforce that act on them, as well as maintaining the security of our system in the eyes of the public? I don't know if there's a direct answer. Does anyone else have a comment on that? You've raised some of the issues on how there is a balance between risks. There is a balance between risks.
Michael Pallas expressed it quite clearly: it's not just security risk, it's reputational, public confidence, and there are other factors that are looked at. What it comes down to in the end is, what is the meaning of this certification? Part of it is public confidence and trust, not just for those who are running the elections but the public as well. Who is the certification authority? Earlier we had talked about communication being extraordinarily important. I am a certification authority for several very small cybersecurity modules for use within the federal government. I have run across very similar situations where, in communicating to all of my stakeholders, there is a patch that, no matter what it does to the current certification, this is the important thing to do now. That then becomes a risk decision for the certification authority that alleviates the users of the responsibilities for those reputational or business risk issues as well. It's a difficult thing to balance, and so some of it is looked at locally, but anything a certification authority can do when a decision is made along those lines to assist with that is extraordinarily helpful. Yes, John, along the same lines. I see the issue in two pieces. One seems relatively simple and the other is a lot more complicated. The one is what we can do at the EAC to address this from a certification point of view. I think there are solutions to that. We will take that along with our federal partners and our partners in the vendor community, and that is an easy lift. I think an easy lift; who knows. Where it is complicated is, as Jared was pointing out, you can't force, depending on how the state is organized, you can't just go into a county's office and say update it now. They have to do it. That will take more work, and even if we had something set so the vendor is liable for it.
Well then the vendor could just go bankrupt and skip out of town, and it's still the government, state, local, federal, that is left holding the pieces of this. Another issue on that, say, and it could possibly happen, especially next year when there are so many primaries and they are staggered throughout the US: the first state to hold the primary has system X, state number 27 is later on in the year and they have system X, and in between that time vulnerabilities are going to be discovered. Because of the way our structure is, this is our certified system and this is what we are using for this election, how do we address that if all of a sudden our first state says, so I was operating on a vulnerable voting system? This is where that complexity really comes in, and the fact that Jeff stated earlier, the one thing about elections that almost no other industry has to deal with is the deadline. The election has to happen on election day. There is no other time for that. That is how I see this issue: there is one piece we can work on and have guidance, even on how you implement a patch, but what needs further discussion is how it looks when, okay, the EAC has the certified system with all of the latest patches. Yesterday I flew back from Denver, when a pilot came on talking about the fact that this airline and the industry built 53 of this type of plane, so a relatively small portion in the system of air travel. So my question, with those aspects and those hundreds of thousands, is what sort of timeframe, and I should have asked this of the last panel, but with the updates toward vulnerabilities, are they updating on other aspects as well? Not just the operating system overall? That is the first question. So that is probably better for the vendors, who have a much better understanding.
But we do need to draw a distinction, as there is a conflation between those systems that are in the certified category, those are the devices, de minimis or otherwise, where the certification concerns come into play, and those that are running Windows 7 and are updating through Windows 10 or having that constant update for patches, which is a different story. There are complications, as the secretary mentioned, around doing those, but those that have certification concerns versus normal everyday patching, and those considerations, that's not something we would necessarily have access to that information on. One thing I want to point out is not every system runs on Windows; there's also Android and Linux. That was my next question: what is the percentage between Windows and Android, and how do they do updates? The question would be better for the next panel, for sure. And working with a de minimis with those, and it is completely voluntary. And to ask a question of the last panel, with the postal union, and I know it's a little wonky, it is a fairly large subject with the election community, one coming in to pull out, which allows us the ability with contracts with foreign nations 45 days before the election, and unfortunately my requirements, and then to decide if they pull out.
But I am concerned about how I notify my voters; how do we educate them to say there is a potential ticking clock? It could go upwards of 2060, and that gives me great concern for the overseas voters. That leads me to think I have voters that are protecting the right to vote and might not have that ability, but if there is anything they can do to intervene on some level; not all states are on federal election cycles, someone is coming up in several months, so if you can give us guidance for how we should be notifying the voters to be more fully involved in the experience, my fellow commissioners and I can talk this through to see how we can improve the process in 2019 with overseas voters and those trying to influence our elections. Those who were living overseas, and then they were denied, so we worked with a couple of states to say, can you alleviate those issues, and I hope we can work with the Postal Service and whoever else to alleviate the issue going forward. This is helpful to get your points of view and take into consideration as we move forward, now to panel three. [inaudible conversations] Third panel, thank you for joining us. I will go through your bios. We have a hard close at 3:30 p.m., so talk quickly or abbreviate your statement. But we want to hear from you. I'm starting at this end. A Boston-based company for election auditing, Clear Ballot is certified for use in elections in counties in Ohio, Colorado, Washington and Oregon as well as Vermont and Maryland, and with that, healthcare information technology. Next to Will is Chris, vice president of security. In April 2018, operational and infrastructure security, and those to ensure those best practices to review and improve operational procedures, and with the enterprise infrastructure as well as external security. Thank you for coming.
The chief quality officer of the longest continuously operating system manufacturer in the United States; under his leadership it achieved the first certification in the nation's history. Over the past 12 years Bernie has been responsible for leading elections after hardware development, quality assurance, and system certification. Next to Bernie is Ed Smith, Director of Global Services, who joined the voting system industry in 2001 and later moved to the Vice President positions and to Clear Ballot Group. These are led by many state and certification campaigns as well as operational functions, supply chain, and appointment, so with that certification for the United States region, leading federal and state testing and growth compliance prior to testing; in addition, certified systems across the United States, also serving as delivery manager for the Los Angeles project. Next to Ed is Jack, Laboratory Director, which he co-founded, of a National Institute of Standards and Technology accredited National Voluntary Accreditation Program voting systems test laboratory located in Alabama, an EAC accredited laboratory, with over 18 years of development and test experience and a solid background in implementation, object-oriented analysis and design, providing technical expertise and guidance in those arenas including federal and state certification, voting system manufacturers, and accepted as the subject matter expert in test and certification. Currently serving election bodies providing technical guidance and expertise for the examination and re-examination of those systems to federal and state requirements. At the end of the table we have Jesse Peterson, certified security specialist and IT consultant with 20 years of experience in computer-related fields including hardware and software functional and performance testing, networking and network design.
Nineteen years of security experience including implementation and prevention of solutions, patch management, detection and removal of malicious software, as well as managing firewalls. Serving as a security specialist where he works with voting manufacturers and state agencies to validate and verify electronic voting systems against the requirements for federal certification and also state security voting system requirements. His experience: physical and software-related security analysis and testing of electronic voting systems, vulnerability assessments, risk assessments, physical penetration, and networking and protocol systems and architecture assessments. Thank you to each of you for being here today. I look forward to your comments. Welcome. Thank you. Thank you to the staff and my fellow panelists. This is an illuminating discussion; I will be brief so we have more time for discussion. I am the Vice President at Clear Ballot. We believe security is not just a regulatory requirement but a business imperative and one of our core values. We use it as the foundation of our security strategy. In addition to securing our own IT infrastructure, it's important to incorporate security best practices to go above and beyond. And there are some chronic features like hand-marked paper ballots and collection audits. We are excited across the industry about coordinated disclosure programs so we can leverage the expertise of the industry and the broader community. And finally, as a vendor we aim to certify new versions of our systems to get them out to our customers as often as we can, and we look forward to continuing to work to certify as often and as securely as possible. Thank you. Thank you. Good afternoon, Chairwoman McCormick and commissioners; thank you for the opportunity to talk to you. I am the VP of Security and Chief Information Security Officer.
Not only do I do that, I'm also the chair of the election industry Coordinating Council, a team of manufacturers, many represented here, 27 entities all together of technology providers and advocacy groups who are focused on advancing election security in our nation. When I look around the room at the panel you have assembled today and the witnesses you brought forward, the state of our nation's election security is better than reported, because of the focus on election security, and our state and local election officials, this is where they shine when it comes to protecting the integrity and validity and reliability of our nation's elections. I'm thankful for the EAC leadership, and I believe as we talk through these issues today of Windows 7 and vulnerabilities, consider the EAC is the right place to observe leadership and perhaps to empower the voting system test labs to take on a security testing role, because the certification process now in place, that nearly all vendors comply with, could be modified to embrace security testing to meet the needs of 2.0 and beyond, and the EAC is the right body to oversee that and further protect our elections ecosystem. You may be aware various election vendors are partnering with the IT-ISAC to look at vulnerability disclosure, and earlier today a white paper was released where many major election tabulation manufacturers have contributed to understand what that might look like. We are excited to move forward on that issue, but we need the EAC's support, as you have heard from other panel members, that coordinated vulnerability disclosure programs will not work with the testing and certification process unless it's modified to accept that input.
I will close with the comments that DHS and the organization exert leadership in the field; our state and local election officials are more empowered and aware and focused on election security and cybersecurity than they ever have been before, and it is making a measurable contribution to awareness and protection through their risk and vulnerability assessments and the testing that election manufacturers and jurisdictions are going through; that needs to be resourced and continued. I will close; I look forward to your questions and advancing the knowledge of election security and where we need to go. Thank you. Thank you, Chairwoman McCormick and commissioners and staff, for hosting this event, and I think we all agree that cybersecurity and security is a primary concern for the public right now, with good reason. It is something that has been a concern throughout history; we are not new to the table to protect our system. In the past, the way we have done that, and most vendors have done that, is by complying with the certification program that basically locks down the system in a way that is configured quickly and tested thoroughly and then isolated from the surrounding world. We consider each individual device as a separate election that we are empowered to help customers protect, so we are protecting tens of thousands of elections leading up to and including election day. We have several initiatives we have taken up in the last few years in response, including becoming a diamond member of a hotel chain, now traveling to all the security initiative and information sharing meetings we have attended. MicroVote has spent almost three years certifying our system to move from Windows 7 to Windows 10 with a great percentage of our systems; we are currently upgrading 7,000 voting machines in the state of Indiana, and hundreds of servers, to Windows 10.
We are adding a VP component as well for that state, which up until now has used very successfully our DRE for decades, that we continue to upgrade. That is a large project for our company but very worthwhile. We began developing that VB one VP path a year and a half ago and began the process just to get certified in the state over the past month, so we are looking forward to conducting the audits and having a paper backup to the internal RAID and different technical things we are doing to keep up with the threats we all face. But ultimately what we are most progressive about and enforce is a new service called PECS, Post-Election Cybersecurity Suite, which we have been championing for several years, because we feel the EAC certification that we took initially, which took three years to gain for our system, 2007 through 2010, modified for another year, sold the first EAC certified system in 2011, took us four years. But in that time the system significantly improved from that process with the EAC. To leverage that, we feel it's important the systems be carefully configured and identified and protected, and if there is an intrusion that we can detect that, and we have tools to do that, a system identification tool that comes with every certified system. So our PECS cybersecurity suite leverages our certification and those tools to make sure they have conducted an election with integrity. We have jurisdictions with as few as 20 precincts and some have 720. You have to have a voting system that can scale to all sizes. I'm very proud we are doing a bang-up job, but our motto, Company Quality and show Assurance Statement, we assess that they are 100 percent satisfied. That is a job every one of us does. We have these three roles: CIO, CQO, and CISO, and all of us at the company consider all of these roles important for all of us to maintain. Thank you for bringing us together, and I look forward to your questions. Welcome, Mr. Smith. Thank you, Madam Chairman.
I'm sorry, Madam Chairwoman. Thank you for inviting us today. The security of elections derives from many sources, but today I will confine my remarks to providers and those that maintain their own infrastructure. And vigilance over security threats, and the threat of pollution and development by the providers, with those cycle times through certification, which by the administrative ability and capacity and with preparation of better inputs make your job easier, to offer better and faster inputs that allow some changes, as some earlier comments to the certification process, it is monolithic; and making the comment of a time capsule, that is one way that what I'm saying requires longer cycle times, that the EAC has improved. I have attended some meetings and saw the origins, and I am familiar with people who aided the EAC in the formation of the test and certification program, before the EAC stood up the certification program, and therein lies why certification is so monolithic, because people's backgrounds were in some cases in the space program, and certainly with Apollo, once you sent the rocket up there is not much you can do with the software. That focus on security even back then allowed for the monolithic certification that we see today. But with the Secretary that was invited, and in my time with the systems, a predecessor was able to accept the test report for security updates, followed by administrative review, legal review, and approval by the Secretary's staff, and thereby they generally had the most up-to-date software across the U.S., because of the flexibility in the certification process. So those are some things to think about. Another comment I would like to make: providers need to bake in security and monitor for threats.
And to manage their products to keep them updated; looking at myself in the mirror and other providers, I think there was a gap in product management to have Windows 7 become obsolete while products were in certification or had not even entered certification yet with that operating system. Microsoft publishes the information on when it will go obsolete, and as providers it's incumbent on us to pay attention to that. And lastly, the EAC does have an emergency procedure for certification, to build on those comments, but it's not meant for something wide-ranging like the OS patch and other patches that I will speak to; it is for a specific situation, so that isn't applicable, although it comes up sometimes as a solution to moving forward with that certification. So now I've given all this background, I would like to make a proposal. The EAC can build from existing certification as well as clauses; if you look at Volume One, Section Eight, which speaks to quality assurance and configuration management, there is a requirement for commercial off-the-shelf products, and those can be built on with relative ease, first to require a simple expansion to include security updates. What does this do? Also, to be provided with a quality assurance program they would use to approve, on a rapid basis, the patches to the system; the EAC could take those procedures and, once approved, give them back to the provider. So what does this do for you? You already have a vetted procedure that comes forward with a patch. You could very quickly benchmark your procedures. If not, send it back to the provider. If so, enable the expertise to evaluate that upgrade and then add it to an existing certificate.
OS patches may be the least risk because they test those already, but to have replacements and application software written by the provider is the most, and there's a place in between for third-party software that's in the system, and in a sense it follows the future procedure that your own technical staff are evaluating changes to the system. But you would tier it up to go even below that certification, one that would help to have technical reviews, and they provided expertise in security and database management; one was a former elections administrator, to provide expertise to augment the considerable expertise on your staff over the years and presently. I believe those were funding constraints, and that's a shame, because that's where Congress can act to restore funding to have these at the EAC. Thank you. Thank you, Madam Chair and commissioners. Thank you for inviting me today to speak at the forum. I would like to begin by stating this is the second time I have been before the United States Election Assistance Commission; I hope it stays that way. Since 2004, over 14 years, the issues are not new. I believe at the first meeting in Aurora, Colorado, late 2006 or early 2007, we had these discussions; this was before there was an adoption of the first manual, and the history has struggled to find a balance between configuration and the ability to update the system for security vulnerabilities. With configuration management, this includes commercial off-the-shelf products, hardware and software, and proprietary software and hardware; during the process it is required to document all pieces of hardware and software that accompany the system for testing. The discussion comes up, in the past, of the configuration management argument, that with the ever-changing security landscape it is more important to find solutions that tip the balance of the scale from 100 percent configuration and 0 percent security updating of third-party products to what is manageable and more secure.
The arguments put forward for configuration management of a certified system: how do we know the system is updated and will function the same as tested and certified? These are questions; in the past we have seen updates with the application software ceasing to function at all, so the assumption that the latest patch already would be fine is wrong. So the argument for the security side: if you have a vulnerability, you tell the hacker where to start, and this is true; the security professionals I have dealt with pull their hair out the moment I tell them there will be no updating of the system, and in their field this is the first and most important thing to do. Discussing trying to find solutions to this issue, we have thought about allowing them to do an analysis to determine, or allowing a number of minor updates to create update modifications, which is something the commissioner was asking about, and creating test cases during certification to know that the system is updated later after certification. We've even talked about allowing updates with the system even though it has not changed. These are just a few of the ideas kicked around over the years; hopefully the discussion today can provide the commission with useful information to make a determination on how we can move forward. Thank you, Madam Chair, for the opportunity to speak on this topic; I'm happy to answer your questions. Good afternoon, Chairwoman and Vice Chair and commissioners. I would like to thank you for having me here today. As you know, we are one of two labs that are currently testing. SLI has been the independent test authority for voting system certification since the program was first established in 2001. SLI has long experience with credentialed voting systems, with professionals experienced in every system in the U.S. today, and as such SLI participates in the Department of Homeland Security council for the election infrastructure subsector.
As you can see, those compliances are dedicated to helping the election system evolve in the process and procedures used to test and certify voting systems. And then to encompass a way to address the current lack of a system to facilitate the federal certification test and the accessibility and security testing, and that the test labs have that expertise in the standards and the understanding of testing systems without certification to get to the field, and the importance of having standards and a process flexible enough to accommodate the necessity to maintain current, up-to-date systems; and the need to provide the infrastructure with vulnerability patches is a well-known issue. What is the professional opinion of myself: to expediently make specific security issues to the already certified voting solutions. Those at a specific point in time, the testing and certification for modifications to a certified voting system and the documentation that is minor in nature, and further determine that the de minimis change, and this is the process to determine guidelines for how the certified voting system could have that expedited path for patches and firmware updates and malicious head potential for their security enhancements. And with a form of certification, this process can be a time-consuming effort not only from the labs but from the EAC, and can hinder the process of the voting systems through the modification process and the certification program in a timely manner, so to have that specific type of change process to make it easier for all parties involved, and to acknowledge there could be guidelines and definitions of the exact nature of procedures of modifications to address those security changes. And in specific cases, with system instability with greater degrees of patches, that would have to be determined if that could warrant extra testing or be constituted de minimis.
I appreciate the opportunity to provide a statement today on the development or exploration to keep those current with patches and malicious software detection, to find a way that instills trust in that process while keeping cost to where everybody could efficiently process these changes. I appreciate you listening to feedback, and thank you for your questions. So now I will forgo my questions. I appreciate that. Who is responsible for the updates? The manufacturer? The company? Microsoft or Android or Linux or whoever? That is my main question for the day. It is a true teamwork process, specifically for election management systems, with those that are networked or not reachable, to bypass, and with the delivery of the updates, and then to have the fully staffed IT, and the staff that could have updates, and others not so much. That is where vendors are stepping up to deliver updates. So talking about updates and vulnerabilities, and to talk about that as well. Yes. There is shook one dash security and enhancements, and with that several orders of magnitude, and that is far better, and that's just one example. I would like to speak to that, but talk about the operating systems in many of these; and with Apache, there are a lot of products that are outdated, and then to think there are lots of other products that do put out patches. Not all vulnerabilities carry a high risk of compromise with results; that is a vulnerability when it applies, go with any risk of vulnerability, applicability or risk, and that conversation must continue to be presented for applicability to the system to determine risk. And not just voter machines. Everything needs to be updated at some point. It is just as important as the patching of third-party programs and the operating system, and the training, and those are extremely mature and they are very hardened at this point, and that data coming in and coming out, that flash drive into the computer, and all those other things that they can do with common sense.
At least as much impact to apply a patch to what is isolated in a room by itself, and then to have five or six different companies coordinate their efforts, and what we are required to provide for the certification; most of these are used in the hot sun, so they don't know how long that will last, and the calculation was 3,000 years. And then focus the impact efforts on things with little impact and not focusing enough on the other areas with much more impact. Going back to you, Mr. Hirsch, I was intrigued by your discussion of what is taking place; can you give a description of that? It is proceeding well. With that development process and testing, they have usability testing with those election officials; it is a no-brainer to go to Windows 10, but it is to get certified. To piggyback on another modification, and then to be so concerned with those vulnerabilities; it is like Windows 7 made it more difficult to buy modern computers. And with large retail manufacturers, we were just a blip on their radar. So we could certify something and then three months later they no longer make it. If all of us had the funding to buy the 10,000 laptops up front, we could hand those out like candy for the next ten years, but we cannot do that. So having Windows 10 is a big advantage just to have current hardware. And then to get through certification, which is an issue. Another product is sitting on my desk right now, which is a Windows 10 Enterprise system that I would love to put out in the field next month. And then to convince the rest of the world that it looks great, works great, and it will be a good product, so I will go through that process and add other features; what we want to do as a company is do an even better job at inventory control for customers. Because the physical security is just as important as cybersecurity, and we see inroads at the state level, especially with the funding provided. So to that extent, our industry maintains an inventory for customers, and they maintain their own inventory in addition to our own.
We are providing better tools for them to manage their inventory. I appreciate your comments, but to highlight, states across the country, this doesn't happen overnight, but they are proceeding in an orderly manner. One more question: there was some discussion about the disclosure program and how they could help with that, and I appreciate the white paper account, but with that certification program, how do we work with those vendors to make that a reality? The EAC leadership manages the current set of certification; to look for an opportunity to expand the role to incorporate more security testing, to provide a conduit for security researchers to submit vulnerabilities they found in the field to a lab, to allow the voting system test labs and the manufacturers to work together to find a fix if necessary and apply it during the certification program. We are sensitive to the length of the current program; we do not want to add to that, but we do want to see a channel of communication through security researchers or DHS vulnerability assessment programs to have a path to comment on, to help the EAC understand what a vulnerability looks like and where it fits in the certification program. That's a great lead-in to a question I have for all of you. So thinking about vulnerabilities and what that would look like in the system: in 2015 that manual was updated to include de minimis changes for software, not just hardware, but my understanding is it has not been utilized that often, and certainly not to the degree it would apply the way we talk about it today. Are there natural bright lines? Are there places in the testing program where you could identify a sliding scale to be involved based on the type of change? So if the update was to a third-party operating system and not impacting any proprietary software, is that a natural break? Are there others that we could consider, changes to the regime in a timely and cost-effective way? I welcome your thoughts.
And change to the software arena: if they have to perform a test to assess the de minimis change, that is why. And then to have that definition issue. So is there a definition that is logical? Right now, currently, the program manual states you don't have to have any testing. And then it jumps up to modification; somewhere between a modification, to perform that analysis and then to do the test, whether it would be de minimis or not. Zero testing. Zero by definition, and allow for some type of change to the software, to the HP printer driver, to get rid of the vulnerability, or above. And with that assessment, and talking about tiers, and within the new tier to create de minimis and modification, so what are you doing, is that something in the middle, with HP printers for example, in what we have authored. And do you think that modular testing is a piece of that, and is that a good idea, as suggested, risk-based; if we upgrade the system, that changes the ability to have basic functionality with an upgrade like that, but the tabulation of the election, so to allow the labs to have discretion on those that are the most risky because of this. So this is the pathway that I was getting at in my statement: if there is something we can focus toward without having a full-blown modification, to do some research and have some testing and still come up with a way that doesn't require a full modification for something that simple, or adding in certificates that have expired, because a lot of these have longevity to them. So that goes in between a full-blown modification, that is more de minimis currently and a lot less than a full-blown change. And to do state testing, there is a state certification process, and with those software updates or patching? It depends on the state; some require certification and adding patches with the certified software.
But just to add to that, with the Commonwealth of Virginia, and then no longer supported, and to be recertified administratively with that certification; and these are things that are not secure. And then to look at that every four years. So with all the latest patches. And for our part, yes, and those that are applicable with any and harassment enhancements with stronger access controls and with ease of use and reporting; a long answer to the short question, but yes, we do. We only have a couple of questions, but where do you build your systems and where do you get your components from? And inventory in businesses that you deal with. What are your thoughts on that? There are subcomponents; most if not all is the final assembly and testing, and then to try to use those that are even geographically close to us; we have suppliers on the East Coast and West Coast within a 50-mile radius, and we prefer that. That being said, you mentioned that elections happen on a particular day, and if there is a deadline, it happens. I have always been concerned, from the supply chain standpoint, that we are a target because we know so far in advance when that will happen. So guess where you focus your energy to attack a system? And it's a good idea to roll forward to conduct a mock election to a date in the future; that's one way to protect against any unknown things that could be buried deep inside of a subcomponent that was manufactured somewhere. I do agree it is a global supply chain. Leveraging my experience to visit every supplier that we have, with that risk assessment and their process, so that they can attest to the supply chain security. And there are elections almost every day, and then contributing to each and every election, and then to use those tools from the Center for Internet Security with the Department of Homeland Security, and those vulnerabilities would appear now.
And to end our discussion, I'm sure the commissioners do as well; we have a hard stop at 3:30. Thank you very much as we go forward and beyond 2020. Thank you. [inaudible conversations] On C-SPAN 2.