Technology and Government Affairs will come to order. I recognize myself for five minutes for my Opening Statement. Good afternoon. Thanks for being here, and its been over 240 years since our forefathers declared independence and a democratic experiment began. Throughout the entirety of our existence our adversaries both internal and external have sought to suppress. Our existence as a democracy depends on free, fair and accurate elections. Today were here to talk about the best way to protect our integrity of our Voting Systems. There are over 10,000 election jurisdictions nation widethat administer elections. And even within states counties use different systems to conduct elections. A year ago last september Ranking Member kelly and i held a hearing ensuring the integrity of the ballot box to discuss potential issues with the up coming election. It was an issue then and remains an issue now. The former secretary has made clear to the best of his knowledge the russians did not alter ballots, however our adversaries have always sought to use our unique qualities to undermine our democracy. Just because they didnt tamper with results during the last election, it doesnt mean they and other adversaries wont try to do so in the next election. Our Voting Systems are no exception. This past january dhs designated the nations election systems as Critical Infrastructure, something that was being discussed back in a hearing in 2016. Its essential that states take appropriate steps to secure their voting structure. Also essential states have the ability to alter their voting structure. Im curious to hear additionally what are the chances a foreign entity could tamper with our ballot box, these are all questions and answers id like to hear today. I thank our witnesses for being here today and for their efforts to ensure our country remains free and fair. Thank you, mr. Chair. Welcome back. I hope you had a good thanksgiving. Thank you for holding this important hearing today. There is no doubt that russia at the direction of president Vladimir Putin attempted to manipulate our elections and has worked to manipulate those of our western allies. Tist a broad and coordinated campaign to undermine faith and democratic election. Today we are taking a look at another part of their effort to undermine our democracy by hacking our Voting Machines and election infrastructure. More than one year ago we held a hearing entitled cybersecurity to ensure the integrity of the ballot box. We took a look at state and local integrity of our ballot machines. Noted 21 states that hackers attempted to breach their infrastructure. In my own state of illinois the hackers attempted to breach data. Fortunately, they were unsuccessful. While we continue to learn the full scope of russias election interfeerps, one thing is clear, there will be another attempt to manipulate our elections. Whether it be russia, another nation state or nonstate actoro even a terrorist organization, the threats to our election infrastructure are growing. So what are week go to do about it . Earlier this year the researchers at def con were successfully able to hack machines in a day. It contained physical vulnerabilities like usb ports that can be used to up load malware. Despite these flaws dres are still commonly used. In 2016 42 states used them. Some running Outdated Software no longer supported by the manufacture. Updating our machines to paper based machines such as optical scanners is a step we need to take right now. Our election infrastructure is broad and contain numerous vulnerabilities. If we were going to withstand a coordinated attack, we need a coordinated defense. In january of this year dhs designated election infrastructure as Critical Infrastructure. In this announcement then dhs secretary jeb johnson was clear this designation was not going to be a federal take over of state and local infrastructure. Rather it was a designation intended to ensure the current state resources necessary to secure their elections. Since then the former secretary and now white house chief of staff john kelly has supported this designation. If designation is be successful, we will all have to Work Together, dhs and our state Election Officials must do a better job of working together to detect and solve problems. Again, i want to thank you, mr. Chairman, for holding this crucial hearing. Thank you to our witnesses for being here. I look forward to hearing from all of you about how we can continue protecting our democracy. Yield back. Always a pleasure to be with you representative, kelly. Id like to thank our friend, chairman palmer, for cooperation and work on this important issue. Now its a pleasure to recognize the Ranking Member of the Intergovernmental Affairs committee for five minutes in her opening remarks. Thank you so much chairman herd, and chairman palmer for convening this hearing today. Id also like to thank Ranking Member kelly for her leadership and all of our witnesses for joining us for this very important hearing. Im pleased were holding this hearing so essential to democracy. While there are so many issues that divide us, inintegrity of the voting process should not be in question. Regardless of race, gender, sexual identity, zip code, income, every vote should count. Every vote should count the same. I believe that voting is the last true equalizer. However, russias interference in the 2016 election and intrusions in at least 21 states Voter Registration date abases indisputable and confirmed by intelligence has not kept pace with the current and emerging threats from nations, organizations or even a single individual determined to undermine our democracy. Recently i joined the Congressional Task force on Election Security. Just as we keep our homeland safe from physical harm, so too must we harden from cyber attacks. Their message is clear. We must act now to protect our Voting Systems. In over 40 states elections are carried out using Voting Machines and Voter Registration databases created more than a decade ago. These technologies are more likely to suffer from known vulnerabilities that cannot be patched easily if at all. As we saw from the voting bill setup at this years hacking conference, even hackers with limited prior knowledge, tools and resources are able to breach Voting Machines in a matter of minutes. We should not assume that state Voting Machines are secure enough to withstand a state sponsored cyberattack. And there is no reason to believe that these attacks will subside. Congress must do its part. Yes, we must. And help states fund and maintain secure election systems. This means funding to purchase new secure election systems and voter machines, help and established certified baseline cyberSecurity Standards for those states that service them. Our democratic process relies on voters faith that their vote does count. Election security is national security, and our election infrastructure is Critical Infrastructure. With just under a year until the 2018 midterm elections, it is criticate that we understand the vulnerabilities of the past and secure our networks for the future. I thank our witnesses again for sharing their testimony today, and i look forward to this very important discussion. Thank you so much. With that i yield back. Thank you, Ranking Member. Now im pleased to introduce our witnesses. First and foremost, the honorable Christopher Krebs at the u. S. Department of Homeland Security. We have the honorable tom shedler, secretary of state for louisiana. Thank you for coming up here today. Commissioner cortez, the commissioner of the Virginia Department of elections. So thank you for being here. Dr. Matthew blaze, associate professor of commuter science at the university of pennsylvania. And ms. Susan cline at the brookings institute. Welcome to you all. All witnesses will be sworn in before you testify. So please rise and raise your right hand. Do you solenly swear or affirm the testimony youre about to give is the truth, the whole truth and nothing but the truth . Thank you. Let the record reflect that all witnesses answered in the affirmative. In order to allow time for discussion, please limit your testimony to four minutes. Your entire written statement will be made part of the record. And i appreciate yalls written statements, especially all of yall had outlined a number of Interesting Solutions to these problems as well as articulating the concerns that we have. So folks that are interested in this topic, many all of these written statements is valuable in understanding the state of where we are. As a reminder also the clock in front of you shows your remaining time. The light will turn yellow when you have 30 seconds left. And when it starts flashing red, that means your time is up. So please also remember to push the button, to turn your mike tone on before speaking, and wed like to start with mr. Krebs. You are now recognized for five minutes 4 minutes, excuse me. Chairman herd, chairman palm, Ranking Member kelly, Ranking Member demings, members of the subcommittee, thank you for this opportunity to discuss Homeland Securitys ongoing efforts to enhance secure election. In 2016 the u. S. Saw operations cleareyed the threats to our election systems remain an ongoing concern. The organizations i lead, the National Protections programs director at the department of security is leading an effort to provide voluntary assistance to state and local officials. This brings together the fbi, the intelligence commit community, nist, and other dhs sectors. State and local officials have already been working individually and collectively to reduce risks and ensure the integrity of their elections. As threat actors become increasingly sophisticated, dhs stands up in partnership to offer assistance. They offer three types of assistance. Dhs typically offers two kinds of assessments to state ask local officials. The first provides a recurring report identifying vulnerabilities in internet connected systems and mitigation recommendations. Sek second, our Security Experts can go on site. These assessments are more thorough allowing the testing. As we continue to understand the requirements from our stakeholders, well refine and diversify these voluntary offerings. Dhs continues to share actionable resignation. We share cyber threat indicators and other analysis our Network Defenders can use to secure their systems. One works with a multistate and Information Sharing Analysis Center to provide threat and vulnerability information to state and local officials. They may also receive information directly from the inkick. Notably were offering security to selected Election Officials and also providing cleanerance to other state officials. In our third category the dhs helps to identify possible incidents. It shares anonmized information with other states to assist their ability to defend their own systems in a collective defense approach. It is important to note these relationships are built and sustained on trust. Breaking that trust will have far ranging consequences in our ability to collaboratively counter this growing threat. We have established a government coordinating council. We have similarly working to formalize partnerships with a sector coordinating counsel. Within this environment of sharing critical information, Risk Management and other vital information, dhs is leading efforts to support enhanced security across the nation. Securing the nations systems is complex challenge and shared responsibility. There is no one size fits all solution. In conversations with elected officials over the last year, in working with the eoc, nist, youll hear institutions already do great work. But they provide a challenge, as we work correctively to address these and other challenges we will work to support our state and local partners. Thank you for this opportunity to testify and i look forward to any questions. Thank you, mr. Krebs. And secretary, i want to thank you again for being flexible. Your perspective and experience on this topic is important. And thank you for being here. And sir, youre now recognized for four minutes. Thank you, mr. Chairman and for the opportunity to participate today. Its important to hear the perspective of those who oversee across the country. Past, present and in the National Association of state on nast. Securing elections in november 18 and beyond is critical and important to all of us in our nations secretary of state. We are not naive to the likelihood of future cyberattacks. But we also know the use of paper ballots can just as easily open up vulnerabilities. First id like to share with you the important developments taking place through nast Election Cybersecurity Task force which was established earlier this career. In addition to helping states share information and combat Cyber Threats a task force assisted with creating partnerships including with the u. S. Department of Homeland Security and u. S. Election commission as well. Its been a key component of the council. Its designated or designed to facilitate, improve communications that as you know did not go well in 2016. Our members were concerned about the possibility of federal overreach and because the designation came without meaningful constellitation without any elected officials. My colleagues and i understood we could continue to get the same support and services from dhs without critical designation. So it seemed unnecessary. However, the designation is still with us today. Part of that work includes chief Election Officials obtaining security clearances. We have often been told by dhs they cant share information because it is classified. Hopefully these new clearances will address this problem. Ensh ensuring the integrity of the election process is important to every officer including myself. In West Virginia secretary mack warner has added an Air National Guard cybersecurity specialist to his staff. Jim condo solicited the Third Party Risk data systems in 2015 that led to his office to build a new firewall and begin regular penetration testing. Colorado secretary wains Williams Office provides software for colleagues to install on their computers squoo detect malware functions. In louisiana our hurricane season, we have one of those states for sure that are very expert in that field. Remember with the passage of the help america vote act in 2002 states were required to purchase at least one piece of accessible polling equipment for each polling place. They began updating the existing Voting System with guidelines to address the new system such as dres. Last month the eac released their latest update. The guidelines are set for manufacturing specifics at are certain standards of functionality, autoability and security capabilities. And final approval is expected in the spring of 2018. In louisiana we take pride and go way beyond any current standards with our Voting Machines. The state purchases warehouses of every voting machine in the state. We test each and every before and after elections. Once the machines are tested, a tamperproof seal is placed on them to protect against any intrusion. In louisiana because no one touches our Voting Machines except our staff, because theyre never sent out to manufacture for repair, they are not handled by individuals or companies who program Voting Machines because theyre tightly controlled by our office, we have the utmost confidence in the system. We do need to prepare, yes. We do need to continue to update our procedures and processes, yes. We are currently looking for a better practices that we can solicit for various entities and groups. And most of all were looking for the remaining 396 million that have never been appropriated to help us replace aging equipment purchased over ten years ago. Ill certainly be able for any questions. And let the record reflect youre prepared to come testify. Sir, youre now recognized for four minutes. Im the commissioner of elections in virginia, and this role i serve as the chief election official for the commonwealth and lead the Virginia Department of elections. Virginia has 133 local election jurisdictions and over 5 million active registered voters. Today im going to focus on the recommendations that are pr provided in there. And reduce the administrate chb workload for elected officials while increasing accountability in our processes. One aspect of these wide ranging efforts has been to strengthen the security of virginias voting equipment including the votish machines and electronic poll books. When i became commissioner in 2014 approximately 113 of virginias 133 localities used paperless dres. Im happy to say that all virginians voted using a paper based system. Virginia has twice been put in the unfortunate position of having to decertify voting equipment and transition to new equipment in a condensed time frame based on previously used dres. These steps were not taken lightly. They place a financial and administrative stress on the electoral system. They were however essential to maintain the publics trust. The november election was effectively voted. Our didicated voting vendors, the transition to paper based Voting Systems was incredibly successful and significantly increased the security of the election. Although its clearly possible to transition quickly doing so is less than ideal. I request you consider the following recommendations, which i believe will make these issues much easier to manage in the future. Number one, Congress Needs to ensure sufficient federal funding is available for states to maintain equipment and secure Voting Systems. This is critical need and must be addressed immediately if funding is going to be provided in time for the 2018 elections. Number two, the u. S. Election Assistance Commission has been ensuring that a set of systems, and certified test labs are available to states. Congress must ensure the eac is continually funded. Number three, congress should ensure the use to ensure the use of secure voting equipment in the future, congress should require federal voting certification. This is currently a voluntary process. Federal certifications should also be required for electronic poll books, which currently are not subject to any federal guidelines. Requiring stoif requiri requiring certifications will ensure theres a baseline across the country for securing our elections. To ensure that the individuals possible for this fundamental american right are equipped with the appropriate skill and knowledge set. Elections are an integral function of government, and we still have much more to do in virginia and across the country. Especially with the midterm elections quickly approaching. Bhiel were extremely appreciative of the work and assistance to date, the federal government can and should do more to safeguard this most fundamental american right. Thank you again for allowing me to join you today. We look forward to continuing to work with congress to ensure sufficient federal resources are available to state and local Election Officials to continue this important work. Thank you, sir. And dr. Blaze, great to have you here. And having participated and walked through the def con, i saw up close and personal what the white hack Hacker Community and Research Community does and the impact they have on public policy. And so thank you for your efforts there, and youre now recognized for four minutes. Thank you very much, mr. Chairman, the Ranking Members and all of the members who are here today. As a Computer Scientist who specializes in the security of large scale Critical Systems ive had an interest in Electronic Voting Technology since it was first introduced at large scale in the United States after the passage of the help america vote act in 2002. In particular i led several of the teams commissioned in 2007 by the secretaries of state of california and ohio to evaluate the Voting System products used in those states as well as elsewhere in the nation. I also helped organize the def convoting machine hacking village that was held this summer at which these systems were made available really to a Larger Community for the first time for the first time ever. Virtually every aspect of our election process from Voter Registration to ballot creation to casting ballots and then to counting and reporting Election Results is today controlled in someway by software. And unfortunately, software is notoriously difficult to secure, especially in large scale systems such as those used in voting. And the software used in elections is really no exception to this. Its difficult to overstate how vulnerable our voting infrastructure thats in use in many states today is. Particularly the compromise by a determined and well funded adversary. For example, in 2007 our teams discovered exploitable vulnerabilities in virtually every Voting System component that we examined including back end Election Management Software as well as in particularly dre voting terminals themselves. At this years def coneven evene saw that many of the weaknesses are not only still present in these systems but can be exploited quickly and easily by nonspecialists who lack access to proprietary information such as source code. These vulnerabilities are serious but ultimately unsurprising. The design of dre systems makes them particularly dependent on the really hurklian task dependent on the systems worse as we saw in 2016 we largely underestimated the nature of the threat to the extent these systems are intended to even be secure. That is theyre designed against a traditional adversary who wants to cheat in an election and alter the results. Theres actually a more serious adversary. A nation state or state actor who might seek to disrupt an election, cast doubt on the legitimacy of the outcome and cause a threat to our confidence in the legitimacy of our elected officials. I discuss all of these issues in detail in my written testimony. And i offer really three particular recommendations. The first is that paperless dre Voting Machines should be immediately phased out from u. S. Elections in favor of systems such as precinct, scan ballots that leave a direct artifact of voters choices. Secondly, statistic risk limiting audits should be used after every election in order to detect Software Failures in the back end systems and recover true Election Results if a problem is found. And then finally, additional resources, infrastructure, and training should be made available to state and local voting officials to help them more effectively defend their systems against increasingly sophisticated adversaries. So thank you very much. Thank you, sir. Ms. Hennessy, youre now recognized for four minutes. Thank you to chairman herd, Ranking Member kelly, to chairman palmer and Ranking Member demings for the opportunity to speak to you today. Im a fellow at the Brookings Institution focusing on cyber surveillance. Id like to begin by noting how extraordinary it is that a full year after the last president ial election theres still enduring attention to the issue of Election Security. This moment really represents a remarkable opportunity to take long overdue steps in securing federal and state elections. In order to do so, however, we have to carefully Information Operations certainly impact the broader context in which elections occur, but they are distinct problems with distinct solutions. The matter currently before these committees is narrower but no less pernicious. The Elections Security threat is not limited exclusive ely to changing vote counts. As other experts have testified here today, altering vote tallies is technically possible, however it remains difficult to do so on the scale necessarily to predictably change the outcome on a state wideand national action. Foreign governments which would need to avoid both foreign detection and u. S. Alley communities. To do so, a malicious actor needs only to penetrate systems in a manner that introduces uncertainty. This landscape increases the importance of being cautious in how we discuss Election Security issues to avoid inadvertternitily undermining confidence ourselves. Congressionally driven solutions to account for international and domestic realities. Internationally, while most attention has been on russia any number of adversaries possess the capabilities of interest to be of genuine concern. Domesticically a strong tradition of federalism, an Election Administration ensures that despite clear Constitutional Authority any proceeds of federal overreach will meet strong resistance of from states on political and policy grounds. I believe congress should adopt the following broad solutions, which are detailed more expensively in my statement for the record. First to development for National Strategy for securing elections aimed at protecting systems, deterring bad actors and bolstering public confidence. Second, provide resources to states in the form of federal funding, support and best practices. Fourth, lead the development of International Norms against election interference. Finally, congress as our primary elective body must renew and sustain political commitment to the issue of Election Security and reestablish norms that have been broken in the way we discuss Election Integrity andcomes. Thank you again for the opportunity to address you today. I look forward to taking question on this Important National security issue. Thank you. And to start off our first round of questions, chairman palmer, youre recognized for five minutes. Thank you, mr. Chairman. Dr. Blaze, what do you think is the biggest take away from the def con report . I think the biggest take away is both alarming and yet unsurprising. And that is that the vulnerabilities that we knew in principle were present are in fact exploitable in practice by nonspecialists. Heres a question that im going to direct to you and some others may want to respond to it. Im very concerned about foreign influence on our elections but we particularly in the last year and last few years weve had hundreds if not thousands of reports of domestic voter fraud. Whether its federal registration, manipulation of ballots at the polling place. Is that not also a threat to our elections . Well, certainly, you know, the potential threats to our election are very broad and include everything from the Voter Registration to the process through the reporting of Election Results. My concern as a Computer Scientists and my expertise is focused particularly on the technical vulnerabilities present in the systems as theyre designed and built. And really every expert whos looked at these systems has found that the surface attack of these machines leaves us particularly vulnerable not just foreign interference but domestic as well, wouldnt you agree . So someone with a political agenda could, if they had the technical expertise, would be as much a threat as a foreign entity. Would that be a reasonable conclusion . Particularly someone interested in disrupting the election or casting doubt on legitimacy where. Particularly the dre systems are designed, its very difficult to disprove that tampering has occurred. And ultimately thats a critical aspect of being able to have confidence in the result. One of the things that particularly concerns me is that you can be disconnected from the internet, from wifi and still hack a machine because the potential of parts within the machine, foreign manufactured parts. Can you talk briefly about that . Thats right. The design of dre systems makes their security dependent not just on the software in the systems but the hardwares ability to run that software correctly and to protect against Malicious Software being loaded. So an unfortunate property of the design of the dre systems is weve basically given them the hardest possible security task. Any flaw in a dre Machines Software or hardware can become an avenue of attack that potentially can be exploited. And this is very difficult thing to protect. Okay, we need to go to if we have some Electronic Components to back it up or paper ballots because your fall back position is always to open the machine and count the ballots. Thats right. The optical scan systems also depend on software, but they have the particular safeguard that there is a paper artifact of the voters true vote that can be used to determine the true Election Results. Paperless dre systems dont have that property, so were completely at the mercy of the software and hardware. As inconvenient as it might seem, for years and years weve relied on paper ballots. It doesnt seem unreasonable that would be a great safeguard. I want to ask secretary shandler and cortez about this. In alabama its a mixture of Voting Machines. Do you have that as well . Do you have kind of a all over the road map . Congressman palmer, louisiana is what we call a top down system. We control as i indicated in my opening comments, all of our machines, we warehouse our own machines. You know, we do have a tape system of paper behind that that we can audit specifically with three different types of processes. Its never been unproven in a court of law. And the only thing i want to add to def con i want anything from an academic side to look content. Lets talk about when you discover, and im certain the professor from the university of pennsylvania or mit or anyone if i give them unfettered access to a machine they could figure how to disrupt that machine. In louisiana or most states the machines are not linged together. Each one has a separate cartridge to itself. I guess the implication is at the point of programming, you could do something to that. I guess thats possible. And i wouldnt argue that point with someone much more learned on that subject than i. But again in a top down system, that would mean someone in my office on a commuter that is cleaned and scrubbed before an election and after would have to have access to that program and equipment in my office. The other thing thats never mentioned in the hacking of the machine is after youve figured what youre going to do, has anyone ever yet sat down and discussed and ill only give you louisiana, in a roughly 36hour period after we go into the machine, put a metal clamp like you have on your electrical box at your home with a serial number, figure out theyre going to get into 64 warehouses across our state, go into 10,200 machines undetected under camera, no one saw you, unscrew the back of the panel, do what youre going to do, put the panel back on, and figure out how youre going to put that metal clamp back on. So the point im making is that a lot of these things that we talk about are certainly possible. But i would suggest to you the amount of people youd have to put in play to commit this fraud, youd be easier to do a stomp speech and convince them to basically do it your way as the legal way. There are issues that occur from electricity to going to fires at precinct, i could go on and on, flooding in louisiana and the like. But, you know, one of the things that everybody has to understand is that all of these conversations around this all deter voter participation, whether you believe it or not. Let me just say this, mr. Chairman, i appreciate your answer, mr. Secretary. Couple of things i hope were sensitive to. One is that we dont want the federal governments involvement in this to infringe upon the states authority to conduct elections. And we other we dont want interfere in giving due diligence. I yield bank. I want to ask about your agencys efforts, dhs to9. 4 identify states about 21 states on russian attacks on their systems. Ranking member comings and i sent a letter requesting copies of the notifications you sent to 21 states that were attacked before the last elections. And mr. Chairman and i asked in unanimous consent this letter be part of the official record of todays hearing. So ordered. And i quote we ask for documents hacked by russian based systems. Earlier this week the Republican Committee staff made Crystal Clear to dhs we wanted these documents before todays hearings so we could ask informed questions. Dhs ensured us they would respond. Instead late in the day yesterday dhs sent us only an email with a short script that dhs employees apparently read over the phone to state and Election Officials. Im only asking where the documents that we requested the. Maam, im aware of the script that was provided. A lot of those notifications were over the phone. They were not by email. As to the rest of the documents, if youll permit me to go back, and i commit to you we will have a more fulsome answer for you. But as to the specifics of each document, i would have to go back and check on that. Okay, im counting on you to deliver because the telephone script is literally on 13 sentences long. It does not refer to any specific state or any specific attack. Its just a generic script that provides no Additional Information at all. And just curious about where all the supporting documents that we requested that set forth the details of the attacks. And with all due respect the telephone script does not help us do our job, which will help you in turn. You have not provided us with any information about the tools the attackers used or their tactics that they utilized or any information on the results of your conversations with these states or the steps you took to follow up. So its been more than a month since we asked for those documents, and the majority wants those documents also. Can you tell us what the hold up is . Maam, im not aware of any particular hold up. What i will say is the nature of the conversations weve had over the last, frankly, year with the states. And ive had a number of conversations with secretary shedler. By team has regular conversations with commissioner cortez and a range of other state Election Officials. When you characterize these things as attacks, i think that is perhaps overstating what may have happened in the 21 states as was mentioned over the course of the summer. The majority of the activity was simple scanning. Scanning happens all the time. Its happening right now to a number of probably your websites. Scanning is regular activity across the web. I would not characterize that as an attack. It is a preparatory step. In terms of those scripts, there are two scripts. One script was provided to states that wanted Additional Information if they were include in that batch of 21. And the other script was for those states that were not in that batch of 21. So if that context was not provided, i apologize, and im happy to follow up and make sure that you get the information youre looking for. Okay, and i just want to make sure the chairman is willing to work with me today by directing dhs to provide all it documents actually within one week. And i hope we can Work Together to get these documents as soon as possible. Hopefully in one week because this hearing is supposed toby about sush security, of Voting Machines. And our investigation should be bipartisan. Yet dhs is withholding the very documents that would help us on both sides of the aisle, help our committee understand exactly how our state election systems were attacked by the russians. So i look forward to your cooperation in working with my chairman. I yield back. Would you yield to me . Of course. Mr. Krebs, was there anything other than scanning done at those locations . There was a very small subset of those groups there was a compromise on the Voter Registration side but not within the tallying. And there was a small group also that had some targeting. So we actually whittled it down. When we talk about that scanning, it was also necessarily an election system that was scanned. Thats an additional context we provided to our partners in the state election offices. What we saw in a lot of those cases was frankly drivebys. You think about walking down the street and youre looking for a house, you knock on the door and you dont know whats there. You may be walking to a neighbors house looking for a key. Apologize for the mundane analogy. But as secretary shedler pointed out there are significant protections involved. So youll be able to provide us details who was in addition to scanning and what the nature of that contact was . In terms of the states that the information is provided to us based on trust. We just like all other relationships with the Critical Infrastructure community, the fact we dont have statutory to compel, we are engaged in if i turb around and share information tom provided with me outside of that scope of confidential relationship, tom will never share with me. This is going to jump out in this relationship, and the entire mission is a voluntary mission. That entire mission will be jeopardized if we divulge confidential information. So happy happy to provide information on those 21 states, but in terms of those 21 states, i will help you to reach back to your states. Miami, you mentioned that your state may have been one. I will help you facilitate that conversation. But today ill were sitting here, i also encourage you to ask my counter parts here from the states. Mr. Kyungen, youre now recognized for five minutes. Thank you, mr. Chairman. I want to go back to this def con article. Every piece was effectively breached in some manner. And it says in the def conreport the results were, quote, by the end of the confidential every piece of equipment in the voting village was effectively breached in some manner. Participants with limited knowledge and tools were able to undermine the integrity of these systems. Back just a few months ago when they had the worldwide cyberattacks, i dont often quite liberal mag sbreeazines i, but the editor of the american prospect magazine wrote this. This was written in the huffington post. He said last weeks cyber attack to produce the wrong lessons. The immediate take away seems to be that large institutions need much better cybersecurity systems, but theres a much better solution that cant withstand the catastrophic risk of malicious hacking should just go offline. Hackers will always be able to find ways of getting into network systems. The fantasy of ever better cybersecurity is delusional. We could spend half the gdp on Network Security and someone will still find a way to breach it. I know that we have everyone to this country to the computers and ipads and so forth, but i toll tell you that cybersecurity is a multibillion dollar hoax. And were going to spend untold billions trying to come these systems as mr. Cutner says is a fantasy. And i think the solution should be that we should go to the canadian system. I read several years ago that they had much smaller precincts used on the average of 500 people per precinct. And they use paper ballots. And i know thats oldfashioned, but i think were headed down the wrong path here. Its a path that im sure were going to go on. But i think that i agree with mr. Cutner and also the findings of this def con report. Anybody want to say anything . Ill just say louisianas not one of the 28 states 21 states, excuse me. So you can scratch one off. All right. Well, i yield back, mr. Chairman. Rank member demings, youre now recognized for five minutes. Thank you so much, mr. Chairman. As we continue this discussion today i cannot help but think about my own parents. My mother was a maid and my father was a janitor. They didnt have a lot that other people had, but they did have their votes. And i cannot remember an election growing up where they did not cast that vote. They believed that it mattered. And i would hope that every witness here today and every member of our subcommittees that regardless of if you were a billionaire or a maid or a janitor, that we would all work to protect the integrity of our Voting System nat greatest country the world. So dr. Blaze, i want to go back to the defcon report that weve talked quite a bit about today. I certainlybv y listened to som the comments my colleague mr. Duncan made about how the systems were breached. But could you please talk a little bit more about the equipment that was used to breach the systems. Was it sophisticated equipment or not, and what kind of prior knowledge did the breachers have, if any at all . I would like to point out first of all that the defcon voting village was not intended to be a formal security assessment. It was an informal opportunity for people from a Broader Community really for the first time to get access to actual voting equipment. We got five different models of voting machine and electronic poll book. Made them available. We made available the reports that had been published about these equipments in some cases. And that was it. We opened the doors at on friday afternoon, and people came in and any tools and equipment that they brought to that, they were they had to bring in themselves. There was no access to any proprietary information, no Computer Source code was available. Just the equipment and electricity. And i know some or many have criticized or questioned the vulnerability or ability to hack the systems because of the decentralized nature of the machines. Do you agree that the decentraliz decentralized nature of our elections protects us from disruptions or not so much . Its a doubleedged sword. The fact that we have highly heterogeneous systems that are decentralized in their administration makes it difficult for somebody to do a single thing that will affect us on a national scale. And that is, in fact, an important safeguard. But it cuts both ways. There is, in fact, only a relatively limited number of different models of voting equipment used in the United States, and an adversary, particularly a foreign state actor interested in disrupting our election process, has the luxury of being able to pick the weakest systems. And need only find the most poorly administered and the most vulnerable systems to do sufficient damage to suit their needs. So while it may make us more secure against somebody with onestop shopping, disrupting a national election, it actually increases our vulnerability to some disruption happening, perhaps sufficient disruption that we dont have confidence in the outcome. Weve heard a lot about the need for an audit. What type of audit do you believe would have to be performed on a paperless voting machine to verify the vote counts or verify that the vote counts had not been altered . Paperless Voting Machines essentially are Voting Computers that are completely dependent on the software that was running on them at the time of the election. There is no fully reliable way to audit these kinds of systems. We may get lucky and detect some forensic evidence, but ultimately the design of these systems precludes our ability to do a conclusive audit of the voters true intent. Thats why the paperless systems really need to be phased out in favor of things like optical scan paper ballots that are counted at the precinct but backed by an artifact of the voters true intent. Thank you, dr. Blaze. With that, i yield back. Mr. Mitchell, you are recognized for five minutes. Thank you, mr. Chairman. Mr. Krebs, could you help me with one thing. On june 21st, secretary johnson this is a quote appeared before the House Select Committee on intelligence. He said, to my current knowledge the russian did not alter ballots, ballot counts or reporting of Election Results. Has anything changed since that point in time that you are aware of . Not to my knowledge, no, sir. Weve received no information that the Election Results either at the federal level or the states you looked at were altered in terms of counts or outcomes . No, sir, i dont have any additional or contrary information. Do you have any indication that any actor, be it a Foreign Agency or domestic, actually attempted to influence the vote counts or ballot activity . I believe thats a different question. It is slightly. Correct. My understanding, the intelligence assessment is that the foreign adversary if i can back up. You said june. June of 2016 . 2017. June 21st, 2017. Former secretary johnson. Yes. Since then, any opportunity to influence is that your question . Question is did you find any indication that there was an effort by domestic or foreign influence to affect the ballot results since that point in time . No, sir. Thank you. Let me ask the group as a whole. I think the consensus is that the integrity of our elections is a National Infrastructure issue. Anybody disagree about that . Its every bit as important as our roads, ports, waterways, yet we dont investni federal moneyr federal standards on that. Anybody opposed to the idea that we invest to support that program with some kind of guidelines and states can choose as to whether they can participate or not . I think best practices would be a better word to use. I think the states as a whole, and i speak in a nonpartisan fashion, would be adamantly against the intrusion of the federal government i agree. Its in the constitution. But certainly best practices. I think there are a lot of evidence of that with some of the entities that are out there today. We welcome additional ones, certainly let me clarify, secretary. I wasnt suggesting that we impose a system on the states. Simply a Grant Program with a range of options usually Grant Programs have strings attached. It says, if you want to update your equipment that meets standards of security you can choose to or not. We can accept whatever strings come with it and you can turn it down, i have no problem. Any feedback on that, commissioner . I think resources for states to either purchase equipment or for those that have already moved to equipment to do other things to strengthen security of the election, whether electronic poll votes or other things would be something we greatly support. We do that for our highways, ports, but yet we expect magically the elections happen with local resources without support. Mr. Duncan talked about would we not be better off with paper ballots. Feedback on simply going to a paper system or paper dependent system. You are referring to a paper system at the poll location, not a mail paper ballot. Correct. I am not opposed to that. The system that we are looking at would be one that would produce, even though you vote on electronic machine it would produce an actual paper ballot that you could hold in your hand and cast ballot only at that point when you put it into a secure box. Dr. Blaze makes the point that, if you produce a paper result after you put it in the machine we have currently at least in the machines i use, a paper i dont want to call it a Cash Register receipt but for purposes of this meeting, that we can produce an audit back. There are several audits, even though i dont have a paper ballot of mr. Mitchell, i can certainly use that in a court of law and we have been very effective with that. One thing i want to mention. In this whole conversation, the segregation of the vulnerability side of the registration or poll book versus voting day. No state, no state, votes online in cyber space. I know that. How do you attack something in cyber space thats not in cyber space. One or two exceptions. Alabama with military voting. Alaska in some remote other states but a minimum amount of votes. I understand. I think dr. Blazes suggestion of an optical scan that you have the original source document that says voter 028 voted this way. Question you all are aware of what happened in the michigan, in terms of federal election, 60 of the precincts in detroit werent they couldnt do a recount because the numbers didnt match. No, sir, i am not aware. There were more voters that voted admittedly 728 or less. More votes counted than there were voters and 328 were listed as voting but the ballots didnt know. 60 of the votes in the city of detroit were not auditable. The point is you couldnt do a recount. I think something we need to encourage states to do is have an audit system where we raise the issues of why the disparities and how to prevent them. If in fact we need to do a recount, it was not possible to do it in the city and other jurisdictions. I submit for the record from detroit which was a paper scanned system. They still managed to lose enough votes that they couldnt recount. I brought that out in my comments. Even with a paper system you still have to have good protocols. Its not foolproof. Agreed. Thank you. I yield back. Distinguished gentleman from the state of missouri, you are recognized for five minutes. Thank you, mr. Chairman. I want to thank the witnesses for your testimony today. Last june the vice chair of the president ial Advisory Commission on Election Integrity, kris kobach, made a request of directors to transmit to the white house the confidential voting information history of all americans living in their state and he directed the state Elections Officials to provide the Sensitive Data to a government email address with no apparent means of securing that data. Dr. Blaze, please explain the data Security Issues with transmitting sensitive voter data over email. Well, i i am not familiar with the precise nature of the request. But as you have described it, certainly sending that kind of information over an ordinary unencrypted email system would be fraught with many security and privacy issues. If confidential voter data were revealed due to insecure transmission, could that provide means to infiltrate state election systems . Yes. That sort of information could potentially be quite valuable to an adversary interested in targeting particular polling places or individuals or areas. So information about historical voting patterns and about individual registered voters can be quite sensitive. I see. I understand your states did not comply with mr. The question. We had significant concerns related to the sweeping nature of the request and we spend a lot of effort and a lot of resources protecting our voters data in virginia, so to take that and turn it over to a commission with no sense of what it was going to be utilized for, how it was going to be stored and maintained, raised significant concerns for us so we declined to provide anything whatsoever. Thank you for that. Mr. Schedler. We likewise refused that. I want to clarify something thats been lost in the debate and why kris kobach did not clarify his position. If you look at the original request he truly didnt ask for that. What he asked for was what was available publicly under state law. After that instead of putting a period he went on with Social Security and other numbers why he did that, i dont know. It caused me a lot of heartburn in my state with hundreds of thousands of emails and facebook posts and the like. So, to answer your question, no, i did not supply that to him. I told him for 5,000 and a credit card we would be glad to supply the Public Information data that you could get on anyone from google, quite frankly, more information. But youre correct. Putting that out in the fashion it was but i do want to say this. It wasnt just the Trump Administration that asked for that. I was posed with that under three defiances to a federal judge to produce that under president Obamas Administration through the department of justice, in a lawsuit from several entities. I refused president obama and i refused president trump. So i am consistent. Let me ask you. That brings me to another question for you and mr. Cortes. Are you aware of any cases of voter impersonation in your state . Mr. Cortes . You can take it first. Congressman. I am not aware of instances of voter impersonation in virginia. No pending cases or anything like that. Not that we are aware of. We wouldnt in louisiana. We have some issues. Put it this way. If we had one its never been prosecuted or able to be proven. Dont you think its a little difficult to get enough voters to show up, let alone someone showing up and impersonating someone else . I think the real issue is and we separate the distinctions in the election system. The registration side, or list maintenance. Some states do a better job than others. I know our current president has alluded to three to five million voters. What he is referring to is three to five million potential voters on registration lists. The voter fraud would be one of the individuals who shouldnt be on there showing up at the poll and voting. It may be that. It may be more. It may be less. But i you and i know people have the same names. Yes, sir. Yes, sir. That shouldnt disqualify them from being a qualified registered voter. We need information like mothers maiden name, date of birth so we can distinguish the differences. In louisiana we distinguish them by birthday or mothers maiden name. I thank you for your engagement. My time is up. I yield back. Point of clarification. You did have reports of illegal voting in both your states. In virginia you had over 1800 illegals that apparently were reported voting. Is that correct, mr. Commissioner cortes . Mr. Chairman, i asked about voter impersonation, someone else showing up and saying that they are someone other than who they are. Thank you. And you know thats what the vote the photo i. D. Laws are all about. Right. Congressman, i believe you asked about our reports regarding illegal voters. We dont agree with neither the findings of the report or, frankly, how the analysis was done. There are a lot of problems in that that we have indicated publicly. In terms of proving our identifying individuals that are citizens or not on the voter rolls is exceptionally difficult. The processes we have in place in virginia i think capture and prevent anybody from voting illegally or improperly, and so the report you are referring to, i think, was very faulty in its analysis and took information and made sweeping, general statements without taking into account the reality, despite our best efforts to communicate with the report authors about it. Thank you. In louisiana its either herbert or herbert. I understand the problem you have there. The chair recognizes mr. Desaulnier. I both agree with you. But maybe we have a small difference of opinion. The importance of the integrity of the voting process is supreme for all of us sitting in this room, but raising legitimate concerns about the integrity of that, making sure that we are pursuing best practices in a world thats changing dramatically, i think, is what we are all concerned with. So, in that regard, i am hearing two sort of versions of things here from the panel. And miss hennessey, in your research, i have i have a quote from michael vickers, who used to be the pentagons top intelligence official who says this attack is the equivalent of 9 11. Its deadly, deadly serious, to the attacks weve seen in the United States in my view but also western democracy. This goes to undermining democracy. So we want to make sure, i would think, in congress that we are doing everything to make sure that we are ahead of it and questioning our existing system. So you made a number of suggestions. First off, is there any doubt in your research that these hacks are attributable to russia, the significant hacks . Certainly the Intelligence Community hit your button. The Intelligence Community assessment of the 2016 election assesses that with high confidence. That is supported by a large body of public data, and there is no Public Information that would counter or refute that conclusion. So, keeping in mind that we are talking about, in this hearing, the title is cybersecurity of Voting Machines and weve got lots of other activity going out there that hopefully well discuss further in congress, visavis the things we are learning about social media and data collection, but for this purpose, are we ahead of the game in your research . I read where the french and other western democracies are being much more aggressive, not knowing what their infrastructure is, but from your research is the United States doing everything we can, compared to other International Democracies who are aware of the problem . I think the short answer is no. There are two categories in which we can think about the u. S. s response. What we have been talking to today can be categorized as deterrence by denial. Setting Security Standards that make it difficult or impossible for the adversaries to achieve their goals. Theyve articulated the insufficiency of the u. S. On that front, the more needing to be done in terms of federal resourcing and at the state level. There is also a broader concept of deterrence. Deterrence through setting International Norms, response options. We are also not seeing sufficient buyin, frankly, from the top at this point to push those efforts forward in order to get the International Community both to agree on the seriousness of what occurred and also to impose measures, including those passed by congress, to ensure that it doesnt happen again. Appreciate that. Mr. Krebs, in that sort of vein, your response to miss kelly is seems somewhere in between. We know the uniqueness of the relationship as you have described it between states rights and the ability for them not to feel like were imposing on them. However, you have also talked about best practices. And it would strike me that you are in a position to be able to acquire those best practices, particularly in conversation with the Intelligence Community. Miss kelly asked you if you would give us those documents. It seems like you are equivo kaiting. You said, in order to have a relationship with the states, its based on trust. But forgive me for inferring from that there is a lack of trust in giving those documents to congress. In a federal election is strikes me that congress and the federal government has a requirement to make sure that we are pursuing best practices, in partnership with the states, not overruling them, but if Congress Asks for documents, including the minority party, strikes me that you should give that to us, the whole committee, without edits and without comments. Sir, if i may, i would like to clarify to the Ranking Member. The information maam. The information that i would provide, no question, best practices. Got them right here. Best practices are just fine to share. What were talking about is the is the trusted information that is shared on a nature of what may have been a scan or a compromise. Thats the information. We have no question of the oversight interests of the committee. Absolutely no question there. The balance we have is the Optional Mission of the department in partnership with the state and local partners in that again, that overarching Cybersecurity Mission of the department in working with our partners in a voluntary basis. Ill take that as well receive the documents soon. Thank you. Yes, sir. Thank you, mr. Chairman. Mr. Kurdirishnamoorthi. Thank you for convening todays important hearing. The sanctity and security of our election systems are the bed rock of our republic. The American People need to know, not just believe but they need to know for certain that their votes are counted fairly. My home state of illinois was one of 21 states that the department of Homeland Security informed us was targeted by hackers in june of 2016. The nsa reported that personal files for over 90,000 illinois voters were illegally downloaded by russian hackers. Mr. Krebs, do you have any reason to dispute the nsas findings that russian affiliated entities were behind the recent election data breaches . I am unfortunately not able to comment on that specific disclosure. I unfortunately would have to defer to the nsa. Do you have reason to believe that they are incorrect about that . I am not certain of the nature of the report you are discussing. I unfortunately would have to, again, defer to the nsa. To comments specifically on the details you defer to the nsa because they are expert in this particular matter and they have the intelligence and the ability to ascertain whether these data breaches occurred and who was the source of these data breaches, correct . Again, i would defer to the nsa on any discussion here. Sure. While the implications you are correct to defer to them. While the implication of russias attack on one of our election systems are concerning what i find even more disturbing is that it was part of a broader International Campaign to undermine western democracies. Such as the 2017 elections in france and germany as well as recent elections in the uk and other nato countries. Now, mr. Krebs, again, i would like to ask you a followup question. Can you assure me that dhs is working with our allies and the broader International Community, the Intelligence Community, to develop a coordinated response to these incursions . Sir, what i can speak to is the nature of the department of Homeland Securitys engagements with our International Partners immediately before the French Election we reached out to the french sert, the Computer Emergency Response team. My responsibilities are two things. Information sharing and Technical Support on a voluntary basis. Information sharing with the state and locals and ninformatin sharing with the french cert. As far as pushing back or a broader situation, i would defer on that. Earlier this month the president said he took Vladimir Putin at his word that he did not interfere and russia did not interfere in the 2016 election. Quoteunquote, he said, every time he sees me, he says, i didnt do that. And i believe i really believe that when he tells me that, he means it. Quoteunquote. Mr. Krebs, just a few minutes ago you couldnt point to any reason or dispute, you have no reason to believe that the nsas conclusions with regard to russian hacking were inaccurate or incorrect, you defer to the nsas conclusions. Do you are you saying that the president is somehow wrong to take putin at his word as opposed to deferring to the nsas conclusions on this particular topic . I would like to clarify one thingslsn real quick. I have said all along that i agree with the Intelligence Communitys assessment that the russians attempted to interfere with our elections. Good. What you spoke about earlier was some report attributed to the nsa about a specific state. That is what i deferred to the nsa on. I am not able to comment on that. I am focused on information sharing, Technical Assistance and support to the state and locals. We are in a state role. You answer the question correctly, in my view, which is that you agree that the russians did interfere in our 2016 election, or you at least agree with the Intelligence Community which knows what its talking about that the russians did interfere in our 2016 election. So are you saying that the president is wrong to disagree with that conclusion and instead take the word of Vladimir Putin that russia did not interfere in our elections . No, sir. I said i agree with the assessment of the Intelligence Community on what happened in 2016. Okay. Do you agree with the president that, in his assessment, that Vladimir Putin did not actually interfere in our election . Sir, i was not privy to that conversation. Look. I am focused on helping the state and local governments for next year. Every one of us recognized that there is a threat, whether its from russia, china, north korea or iran. You are not answering the question, sir. Yes, sir. You dont have to be privy to the question. You dont have to be privy to the conversation to be able to answer the question. Do you agree with his assessment that russia did not interfere in our elections . Sir, i again, i will point back to last years intelligence assessment. I will take that as a nonanswer. Chair notes the presence of our colleague, the gentleman woman from hawaii, miss gabbard. I asked unanimous consent that she be allowed to participate in todays hearing. Without objection. So ordered. A pleasure to recognize my friend the gentleman woman from the great state of hawaii for questions. I thank the chairman and Ranking Member kelly for holding this hearing and thank the witnesses for sharing your expertise here. I think the topics boil down to the immediate task at hand, which is seeing what actions can and should be taken to make sure that our elections are protected. For our democracy to work, the American People need to have faith and trust in our elections infrastructure and that the votes that they cast will actually be counted. And this is why making sure that our elections infrastructure is impenetrable is essential. Thats the task before us here in congress and before our Elections Officials. Mr. Cortes, i would love to hear your insights regarding virginias decision to switch from direct recording electronic Voting Machines to paper ballots. What were any obstacles that you found in implementing that change, and did you see voter confidence rise once the change was made . Congresswoman in terms of the switch to paper, i think the biggest obstacle that we faced was timing, proximity to the election. We have statewide elections in virginia every year, so we always have very little time to implement changes. I think in this particular round of decertification. Subsequent to the defcon reporting that came out the Biggest Challenges we faced were getting equipment to our state i. T. Agency for them to test and provide us with their assessment. When it came down to the final decision about what to do with the equipment, our biggest consideration was if we had an issue if there were some issue reported on election day would we have the confidence to tell our voters that the results from the machines were accurate and that we could confirm that. I think ultimately we determined in consultation with our wonderful staff at the state i. T. Agency and their assessment that we wouldnt be in a position to do that with the equipment we were using. Without the independent verification, the paper ballot, there would be no way for us to do that. I think that ultimately was the moment where, you know, decertification moved forward and we decided to have paper ballots statewide for this past november. Our local Election Officials had less than 60 days before the election. Frankly, less than two weeks before the start of absentee voting to deploy new equipment. They did a phenomenal job, using exceptionally limited resources that they have and working with not only in partnership with us but also in terms of the Voting System vendors to get equipment deployed, get ballots printed, do training, do voter education, all within that window. They pulled it off successfully. And so it, you know, give a lot of credit to our local Election Officials across the state for being able to do that. Thank you. Miss hennessey, i just came in here the last part of your previous statement about making sure that i think you used the word impossible. Making it so that our elections infrastructure is impossible to hack. Noting the defcon report that came out and the fact that it states, by the end of defcon conference every paperless electronic voting machine was effectively breached in some manner, would the implementation of Voting Machines across the country with some form of an auditable paper record create that impossibility . To clarify, i was referring to impossible to hack as a goal of sort of the deterrence by denial model. I dont know that thats achievable, though we shouldnt make perfect the enemy of the good. There is a vast improvements that can be made. Certainly we should want to move to a place in which systems are both auditable and also audited. Not just to think about how to ensure that a builtin resiliency model so in the event that there is some form of compromise, some reason to doubt the outcomes, that we actually have a system in place to verify it and restore voter confidence. A backup. Right. And then also that we actually periodically undertake those checks, right, an auditable system is effectively meaningless if we dont actually undertake the audit. This is such an important point, and i think mr. Cortes your testimony is critical to this. In answering the question of how do we ensure with confidence that you can answer your voters saying that the Election Results are accurate. I am working on legislation that will essentially ensure that whatever the systems the states choose to use in their elections, obviously that is the freedom of the states to do that, that there be some form of backup in place, a paper voter verified backup to ensure exactly that question and that we can all answer with confidence to voters that the Election Results are as a result of the votes that they cast. So i thank you all for being here today. Thank you, mr. Chairman. Going to now recognize myself for some time. First off, dr. Blaze, correct me if im wrong, i think we may have set a record here today for the number of times defcon has been said in a positive way. So all my hacker buddies will be happy about that. In dr. Blaze and miss hennesseys statements, they have talked about what i would characterize as oldschool ballot stuffing, as one threat. But what a nationstate actor or an Intelligence Service would try to do, discredit an election, is another threat. And mr. Secretary schedler, the first question is to you as the secretary of state for louisiana. Its hard to manipulate the votes in an election in your state. Is that correct . Commissioner cortes, would you agree . Not for louisiana but virginia. Yes, mr. Chairman. And dr. Blaze, and miss hennessey, is it still hard to stuff the ballot electronically in many of these states . I think its very difficult. I think the difficulty that we have is that its very difficult to prove that it hasnt happened. Sure. Sure. Its a trust issue. But when it comes to physically because of the decentralization, because many of the vote tabulation machines are not connected to the internet, are not connected to one another, because of the physical security precautions taken around the physical machines that secretary schedler talked about and many of the best practices that mr. Krebs and his organization have promoted, it makes it hard. But the use case that i am worried about is the credibility of our elections. And not being able to prove something is one of those things. And for our two secretaries of states would you agree that undermining of trust in our elections is a bad thing and something we should try to fight against . Mr. Schedler first . I would absolutely agree. [ inaudible ] microphone please, sir. In all due respect, i mean, what has happened and i think any secretary of state that would address you in all honesty is, is since the last president ial election and all the rhetoric and all the Committee Reports and all of the things that are going around this, if you dont think that has had a tremendously negative feeling to voters, we see it. I just got out of an election for the mayor of new orleans, open seat, that the had a 32 voter turnout no orleans pa risch and we had a statewide election for state treasurer. Overall turnout, 12 . Thats absurd in this country. I am not going to sit here. One of my most frequently asked questions is why, secretary schedler. I could give you a litany of ten or 15 things. One of them i know you all wouldnt want to hear. But for certain, the rhetoric that has gone around from this past election has tremendously deterred voter confidence. And its a balancing act for a guy like me and well, mr. Cortes because we are up here trying to defend the integrity of a system. For sure. And yet its being torn down as i speak. Right. Thats one of the reasons to have this hearing. Yes, sir. I am respectful of that. To get smart folks in a dispassionate way talking about the realities and then how can we identify certain things that we can do together in a way to ensure that that trust is there so that we get more than 12 . Now, i would also say that a i was at a panel in south by southwest with a bunch of youtube stars, and i didnt know any of them, but when you added all their fans together, it was almost a billion. The woman who does digital digital stuff for the rock said, if a movie performs poorly at a at the box office, do you blame movie goers or the movie . And i think in this case a lot of times we want to blame we want to blame voters when were not providing the voters something for them to come out and purchase by pulling a lever. So that is an aside. Mr. Cortes, was there any funny business in your elections in virginia a couple of weeks ago . Mr. Chairman, i think we had a thats a technical term, too, by the way, funny business. I believe we had a very successful election in virginia a couple of weeks ago. We actually i am sorry to hear that you all had a lower turnout in your statewide. We had record turnout in our statewide race for governor, lieutenant governor, attorney general as well as the house of delegates. It was a very successful we did not receive any complaints related to voting equipment, which was a first in the time that i have been there. We had a very successful day across the commonwealth, very few issues. You always get the occasional place where they have delivered equipment to the wrong place and they may open a couple of minutes late, but we had no major systemic issues that took place. Touche. To virginia. Mr. Krebs, some specific questions. How many Cyber Hygiene Services over the internet for internetfacing systems can your organization do in a calendar year . I realize thats a difficult you can ballpark it for us. Thats tough because, frankly, engineeringwise its i dont want to say infinity, but its, frankly, its very, very scaleable. So you are not concerned about the over 10,000 voting jurisdictions requesting that particular service that you feel like you will be able to meet the need no, sir. I think the challenge would be intake. Signing up the legal agreement side. Deploying. How many risk and Vulnerability Assessments can you do in a calendar year . That is a different question. Risk a Vulnerability Assessments are time and manPower Limited. In terms of the number on a given year, it would be let me put it this way. To do one risk and Vulnerability Assessment it takes two weeks. A week on site and a week report drafting. What we are doing in the meantime you have about 130 people who are able to do this function . I would get back to you on the specific numbers on the teams, but we are man Power Limited there. The reason for that, and you just made my job a little bit harder with the mgt act. But this all comes out of the same pile of assessments as federal i. T. , the high value assets. So if were going to do modernization activities, congratulations, but thats going to make my job a little bit tougher. Thats also the Critical Infrastructure community. What that designation did for the election sub sector is allowed me to reprioritize. I am now able to put requests up at the top of the list. We completed an rva last week. I reviewed the product this week earlier and its an impressive domest document. Id like to do more. Well continue to prioritize upon requests. These are voluntary products but keeping in mind that a number of states have their own resources or private sector resources. We are not looking to serve for every single state, but we are looking to reprioritize to address. The next question is for secretary schedler, commissioner cortes and mr. Krebs and maybe secretary schedler, you take the first swing at this. And this is probably better this question i am asking you this as your former hat at nass. And what role exactly does nist and the hava standards board play . Mr. Krebs, if you are more appropriate to answer that question, you know, ill leave it up to you all. It certainly assists us in certification issues and some of the outlier issues that we have, but i think its more the collective whole of nass, whether it be with the election commission, nist or any of us. We collaboratively all Work Together, we share information through our executive director miss reynolds here in washington. I think its a good thing. I wouldnt want to necessarily disband that. But i think its more looking at it as a collective whole, and our new partners in Homeland Security. I alluded that we were very much against Critical Infrastructure. We are in it. We are in a cooperative spirit, we are trying to get our security clearances done at this time and were going to continue that. Secretary, am i hearing dhs is not trying to take over . I dont think so. Not yet. Ill give you a call. How is please do. Please do. How are folks comfortable with the security clearance process . Yes. I know we are trying to get every secretary of state and i believe two additional folks yes. And your indication is that folks are happy with that process and how its going. Yes. We are. Thats the first good step that we can share some information. Commissioner cortes, do you have any information to disagree with that . Mr. Chairman, i think, from our perspective in virginia, having had a statewide election, we had an opportunity to work very closely with dhs throughout the year, preparation for that, and really figuring out how to leverage the federal resource offerings along with what our state i. T. Agency provides as well as our the Virginia National guard. And so we have worked very collaboratively with them. I think the creation of the coordinating council, i think will be exceptionally helpful going forward. When it comes to eac and nist, eacs role in this has been hasnt been as highlighted as i think it should be. I think theyve been critical in opening up the dialogue between dhs and the Elections Community as well as facilitating a lot of the meetings and interactions that have taken place. So they have been exceptionally helpful there. When it comes to nist, i think for us and i think going forward, you know, what we need to look at is the nist Cybersecurity Framework is something that our state i. T. Standards are premised on and that we utilize for our voting Equipment Security and electronic poll book security. Those standards being there are very helpful to us and provides a level of expertise and things to look for and test against that we would not, you know, with our state resources, be able to recreate on our own. So everybody has been exceptionally helpful. That is very helpful feedback. Mr. Krebs, kudos to you for your leadership in that process. And maybe to anybody at this panel, why does eac have 300 million in unspent funds . Anybody have any none of you all sit at eac . Would anybody like to offer they must have some of the hava dollars that we need. Thats what we are trying to get at, is there an opportunity there to reprogram some of those funds to help some of the municipalities that need to upgrade some of their systems. Yes, sir. That was a tongue in cheek comment. I am on their Advisory Commission. I truly dont know. Can you hit the button. Yes, sir. I do not know what that balance is. I mean, i just certainly something to look at. I think weve got to look at any and all avenues of funding because we do need assistance in the state. I can assure you. Just like federal government, states are in budgetary issues. I know certainly louisiana is and at this critical point of trying to replace equipment because of some of the subject matter were talking about here, we are scrambling to find a way to do that. I am getting ready to go out on rfp. Mr. Krebs, comments . I think what were talking about now and i wish matt masterton, chairman of the eac was here. He is iowa i think doing training. Eac has been a critical partner. When dhs got into this game last year, it was before my time, it was a brave new world. Didnt have relationships. Eac was critical in bridging the gap and developing relationships with louisiana, virginia and the rest of the states. What i nist is also a partner. I think dr. Blaze would agree that nist is probably reputationally unmatched in terms of cybersecurity, cryp tography excellence. Then on the information sharing piece, one last thing. I want to touch on the classified and the clearances piece. Clearances, as has been pointed out, clearances in the sharing of classified information is important. We are, in the meantime, focusing on that declassification effort. It is critically important that we speed up that process to get it out. Tear lines, all that good stuff. In the meantime, when something truly sensitive comes in and someone doesnt have the clearance but needs to see a piece of information. I have the capability to authorize one day readins. We have a suite of tools and services and capabilities to make sure the partners have the information they need. Thats why dhs is the belly button or information sharing with municipalities and the private sector. I believe you are the only organization that can truly achieve need to share versus need to know and continuing down that line is important. Dr. Blaze, when it comes to the kinds of systems, the actual vote tabulation machines and you have talked a lot about the scan, you know, version, are are one of the concerns i have about some of the legislation thats being discussed is talking specifically about a type of machine versus an outcome. And is it fair to say that, based on your research and your activity, that you are saying there needs to be an artifact that can be checked in the case that a system is is suspected of compromise . Thats correct. The two Important Properties are, first, that there be a paper artifact of the voter. Optical st optical scan is an example. Thats probably the state of the Art Technology right now. Secondly, we have a mechanism for detecting compromise of the software that tabulates votes. And thats the risk limiting audit feature. Put together those achieve or approach what we call Strong Software independence, which means that, even if the software is compromised we still can learn the true outcome of the election. Miss hennessey, do you have anything to add or disagree with . I would agree with everything dr. Blaze said. Thank you. My last question, chairman palmer and Ranking Member kelly, thank you for the indulgence, is slightly outside of the bounds of the hearing topic today. But as we talk about the importance of protecting our Voting Systems and trying to fight this effort to erode trust in our national institutions, disinformation is the tool that hostile Intelligence Services are going to continue to use against us. And i would just welcome and really, secretary schedler and commissioner cortes, what is the role of states in helping to combat disinformation specifically when it comes around election time . And dr. Blaze, miss hennessey, i would welcome your thoughts. And then, mr. Krebs, i am going to give you 30 seconds in which to say whatever you want to say. Secretary schedler. I mean, its the Old Fashioned way. You get out there and you communicate with people, you get on the air waves, radio, tv and in the newspaper and you combat some of this. Because i will be honest with you. I had an individual just this morning that called me or, excuse me, texted me from the previous election. And he was convinced that our machines were connected to the School Internet system, because i guess it was plugged into a plug. I dont know. But i mean, its those types of things, and in the every real day of secretary of state or election official across the country that we combat. Its just part of the job. I will tell you it has become on steroids in the last 24 months. As a member of congress, i would say i understand those concerns. Yes, sir. Thank you, sir. Yeah. Commissioner cortes. Mr. Chairman, i think its really about being open and transparent in the process and having, you know, processes in place and working as Election Officials to make sure voter are comfortable with the process and getting out there and combatting any misinformation about how the process works. I think our focus on transparency and doing things like postelection audits, having equipment that has some sort of verifiable backup, these are all things we can do to provide voters assurance that they can actually see and observe and not just tell them everything is okay. We are, i think, at a stage with our elections processes where people need to be able to understand what steps we are taking and how we are doing, you know, to make sure that things are okay, to make sure that their voting experience is a good one and that their votes with counted accurately. Good copy. Dr. Blaze. I think the most important thing from a Technology Perspective is that the Voting Technology allow us to refute those who say that the election was tampered with. Unfortunately, many of the systems in use today, even if they havent been tampered with, dont arent designed in a way that allows us to do that. I look forward to seeing a shift toward technologies that are more robust and that allow us to do meaningful recounts. Miss hennessey. To bolster credible institutions now. And so to not to sort of resist any temptations of partisanship so that there are those enduring, credible voices. The closer we get to the actual election date the higher the risk of politicization infecting that process. Comes which increases the importance of setting neutral standards now, both for the types of information that will be shared and also for response options. Thank you. Final words, mr. Krebs . Yes, sir. I think my four copanelists said it quite well. A key tenet of countering operations is shining a light on activity. We have before us some coordination work. We need to do Incident Response planning, develop a playbook. If something pops up on social media, twitter, whatever it is, we get the call, we can work to refute the information and push it out through a clear, trusted channel to the American People so they can retain confidence in our election systems. I want to thank all of you all for helping to shine a light on the activities that our states and the federal government is doing to ensure that the American People can have the trust in their elections. Thats what makes this country great is when we are faced with adversity we all do pull together. And i appreciate you all appearing before us today and the flexibility in your travel schedules. The hearing record will remain open for two weeks for any member to submit a written Opening Statement or questions for the record. If there is no further business, without objection, the subcommittees stand adjourned. [ gavel ] the House Select Intelligence Committee will work on legislation to renew parts of the foreign Intelligence Surveillance act. Fis i allows federal intelligence agencies to collect loce trofrng communications of foreigners looking for certain illicit activities including terrorism. The current authorization for section 702 expires on december 31st. Live coverage from capitol hill begins at 9 00 a. M. Eastern here on cspan3. Online at cspan. Org and on the free cspan radio app. Sunday, Hoover Institutions senior fellow john kogen on u. S. Federal entitlement programs. The programs stem from a basic human desire to help someone who is in need of assistance. Its just common all of us have it in us. For politicians its a little bit easier, of course, to do it with somebody elses money, but they still have that same basic desire that you and i do. They also have this desire to be reelected. So once that entitlement is put in place, then the game has changed. Interest groups form around prohibiting that entitlement, pressing for more assistance. Money starts flowing to politicians who protect those benefits. And the game changes. And its that desire for reelection john kogen on u. S. Federal entitlement programs sunday night at 8 00 eastern on cspans q a. Next, a Congressional Panel looks at the effectiveness of u. S. Sanctions against iran and north korea. Officials from the state and treasury departments talked about efforts to combat sanction evasion and what legislative changes could be madeo