State about security challenges. I want to welcome my panelists up here. Thank you for being to participate in this discussion. Obviously, it's the topic du jour for election administrators and folks like Jeremy in the computer science community dealing with election cybersecurity, securing the elections process. Just as a way of background, this topic is the topic du jour coming out of the elections where we saw state actors targeting systems and vendors and spear phishing attempts in 2016 as well as declaration of elections as critical infrastructure by the department of security. I hope we can talk about the operating environment and what steps we're looking to secure the process looking at 2018 and how you are. Jeremy Gray was supposed to be here from L.A. County and he came down with the flu. We thank him for not coming. I will tee it up to do quick three to five minute opening remarks and then get into the discussion if that's okay. My far right is Jeremy Epstein, a long time involved in election research and member of the Technical Guidelines Development Committee to help us work on the next version of standards coming April and May of 2018. Jeremy is a poll worker in his home county of Fairfax in Virginia and takes a great deal of pride to know well through the procurement process. She doesn't take no for an answer and knew she wanted to push to get now innovation is in the state of Rhode Island including replacing the voting equipment and poll voting jurisdictions and a number of reforms. She and her staff were incredible to work with as they look to innovate and improve the elections process in Rhode Island. Thank you for being here, Secretary. To my left, Secretary of State Kim Wyman from Washington, and undoubtedly talking about vote by mail, so be ready.
She is unique amongst her peers: prior to being a secretary of state she was a local election official, so she's intimately familiar with how local elections are run and challenges local election officials face and the challenges that exist on the state level innovating new reforms on the state process and what happens when decisions are made in legislature that impact you to the local level. Thank you for being here and partaking on the panel. Finally, last but not least, David Stafford is the supervisor of elections for Escambia County, Florida, the Pensacola area, for those not familiar with Florida. I suggest you visit David. He has a wonderful office and more importantly in a wonderful area in Pensacola. David has been a part of a national level conversation regarding the government recording capital and infrastructure and Homeland Security as well as being a national leader innovating the use of data we heard in the last panel and improving data to his voters in Escambia County. Thanks for being here and participating as well. I will start with you, Jeremy. I'm not springing this on him. He knows I'm asking him. About nation state actors targeting the elections systems and the environment.
Thank you for inviting me to meet and thanks, everyone, for participating. I need to start by saying although I am the precinct 41 for Virginia and work for the National Science Foundation, nothing I say affects the organizations only. The usual disclaimer. Clearly we've seen things in 2016 many have expected. At some level for decades. People spread viruses through floppy disks. Talk to the Iranians about a case where a nonconnected system was infected with malware to put out of commission nuclear centrifuges. One of the good guys, it's a given any system can be broken into. I'm glad DHS is doing the sorts of things they're doing as part of their the status, as a critical resource, but anyone who thinks that's enough hasn't looked far enough. It's you don't jump once and then you're done.
I've looked at some reports made public from DHS. They are good but they are, maybe I should say they're fair, but they don't really demonstrate the level of sophistication the nation state adversary would have. They are uniformly vulnerable. I think any cyber expert that looked at any of these systems would come to that conclusion. We need to be focused on recovery. The coming out on the day after election day and saying there was no compromise, that's not really surprising that you haven't seen a compromise. It may not show up for 36 months on average. Let's see. I want to also focus on what we can do now, which is the move to paper ballots and audits is really important. I want to give a shout out to someone I thought I saw on the agenda from Virginia who has made major pushes in Virginia, my state, to get paper ballots. It's compelling, I don't mean compelling in the sense they put you to sleep, if anyone thinks they can use DRE safely, you need to read the report. It's basically too sensitive to tell you how bad it is. That should be a message for all of us. We need to be making sure we go to the hand marked paper ballots and we need, we also should recognize that's a good thing because it results in shorter lines. We were just talking about that resulting in shorter lines. I know I'm supposed to keep it short. I will mention two brief points: internet voting. If anyone thinks internet voting is a good idea, what planet are you coming from? This is just not a good idea with any technology we have today. We do not know how to do this. When the banks and Pentagon and so on can't keep hackers out, what makes you think a nation state isn't going to get into your system? As good as your people are, you don't have the resources of Citibank or Pentagon or Boeing or whatever to protect your systems. Lots of hard working people, you don't have the resources. By you, I mean election officials at the state and local level. It's just a bad idea.
The final stake I want to throw out there is blockchain. There are at least a dozen startups that say blockchain is a start up to voting. It's one of those things, if all you have is a hammer everything looks like a nail. It does an okay job solving one of the easiest parts of the voting problem and does nothing at all to solve the hard parts of the voting problem. It is not an answer. We need to go back to basics, the things we know work: paper, chain of custody, accurate record retention, monitoring, and not assume that, oh, yes, it was secure yesterday so therefore it's secure today. Thank you.
Thank you for those uplifting comments. [ laughter ] I know. It's what you do. I will come back to you to talk about not just some of the basics you talked about but ways. Secretary.
Thank you very much for putting this together. We in Rhode Island had a multiyear agency in your off nis and it has been invaluable. The kind of expertise you have has been essential to the state of Rhode Island. I thank you very much and your staff. In Rhode Island, it's important to note what you say is great. We have different styles on the panel. Rhode Island is one of the original states to declare independence unlike what you may have heard in your history books. It has a fairly old voting system in this country and over the years we have modernized the way we do it. As the chief state election official we have a system, basically a three-part system. The department of state, Rhode Island secretary of state is the chief election official. I handle the putting together of the entire state. We don't have counties, which simplifies things incredibly. Once we prepare that ballot and send it to the printers, it is presented with the state board of elections, an independent agency, nonpartisan, and also campaign finance. That's a brief primer. We also at the department of state run the central voter registration system. That whole system is one that my office takes care of.
It goes to the issue of education: if you move from Rhode Island to Massachusetts across the border or Connecticut, you change the way your system works. That is a really key point discussed earlier, we need to be able to understand as Americans what is the system I'm currently operating in so we can then talk about potential solutions and security and at the same time increasing access. We've had wonderful collaborations with the Election Assistance Commission under the Department of Homeland Security over the last few years. When I took office in 2015. This was actually my first elected term as secretary of state in elected office, I did have the advantage of diagnose a deputy secretary of state for four years right after it was passed and I know a number of people from the early years post that. We came in and realized our voting systems were really outdated. The concerns about security were an issue with 20-year-old paper ballots, scanning machines on the verge of breaking down. Who has parts for a 20-year-old scanner, right? I made it a point of speaking to the governor and leadership, we were able to purchase for the entire state in time for the 2016 election ballot scanning machines that really increased the comfort level that we had with regards to securing the election. But I will say at this point that securing an election is not, there's no silver bullet and it's not a point. It's a path. It took layers and layers of different action to take you to better risk management. As you just said, if you think you're solving it, you have other problems. We did it, went ahead and bought online bought the voting machines, we went ahead and got online voter registration passed, online voter registration passed and implemented, online voter registration passed in the process of being implemented. We also have really done a lot of work in the education piece in simplifying how we discuss elections with voters.
Basically, looking at the center for design for help in how do you design things in a way people understand them. People have a zillion other things to do in life other than elections. Improving access to the ballot box, even thinking how you communicate, how do you present your information to your citizens so that they can more easily access their ballot box. So I am of the firm belief you can improve the integrity of elections without sacrificing access. You can actually do both. I think in Rhode Island we're in the process of showing this can be done. It does require an incredible amount of collaboration. I don't have all the resources. I'm happy to go to the EAC or Department of Homeland Security, organizations like national associations of secretaries of state for best practices or conversations about how do we do this better? I think those kinds of forums are convenient and important for us to provide better elections. Thank you very much for the time and make sure we get to the other subject.
Thank you. Unfortunately for all of you now as I take notes I have additional questions. You raised a critical issue we're going to come back to, the balance between access and security and there's no such thing as balance, the process has to have security and has to be accessible. That's not a balance vote to requirements. Secretary, the floor is yours.
Thank you. I would agree with what the secretary mentioned across the board. Even though our states are very, very different and really show diversity across the country on this decentralized way of electing our leaders, my state, Washington, has about 4 million registered voters, 39 county auditors, the ones actually responsible for conducting the elections, not only during the input of voter registration but also sending ballots to voters and things, and we are vote by mail. We were the second state in the country to move to vote by mail from 2005 to 2010.
It's only completely moved to vote by mail following Oregon, and a number of other western states are on our heels and joining us. East, it's coming. I know you don't believe us, it is coming. Our world is an 18 day voting period. I think you're saying that and you certainly heard comments today about that. The dynamic how people vote is changing and the way they vote is changing. Certainly, in the west coast. My office, just like Secretary Gorbea, I'm the chief elections officer for the state. My state does reviews for election operations in the 39 counties and we also do training and certification of election administrators in our state. Many will remember our state was front and center a few years ago with the closest governor's race in the history of the country. That was so much fun, by the way. I think a lot of good came out of that race and being under that microscope. It really does drive you to make sure every single voter in your state, and I think this is the goal of all voter administrators across the country, has the same experience, has the same access, the same security level. The election administrators across the country, as well as secretaries of state, are always working to that end, trying to make sure we're being as uniform as possible so it's fair across the country. In our state we have four election vendors who provide the ballot tabulation systems our counties use, certified in our state. The vast majority of voters now are using paper ballots digitally scanned but we have optical scan counties and DREs, but they are voter verified paper DREs, if that makes sense. On the voter registration side, our model is kind of a bottom up. The counties do all the input of data of the voter registration that feeds in from one of three vendors to our centralized voter registration database.
Then we also have a number of things we put into place over the last probably 10 years, from an application where voters can get information about themselves, very specific information, called MyVote, and I'll talk a little later about the challenges of having these applications. Voters can check their registration status, register online, update their registration, find out their ballot layout and what offices will be on their specific ballot. I talked a little bit. Our state implemented online voter registration in 2006. We have an ID check as part of that. It's one of those things where, I think one of the common threads you'll probably hear today on our panel and other panels, how do you implement things matters. Voter ID in some place is a flash point hot issue. In our state it happened because we did it at the front end and worked with a lot of stakeholders and groups to make sure we were going to be successful in that rollout. All of the cybersecurity discussion we will have in the next hour really dovetails nicely into how you do it matters.
Thank you, Secretary. I think a lot of what we will talk about today is the nuances of implementation and understanding, as we talk about possible strategies to tackle this challenge in front of us with securing the systems. Mr. Talk about strategies to tackle this problem in front of us in securing the system. Last but not least.
So from the great state of Florida, I wish we knew what it was like to have a very close statewide election. But it's a pleasure to be here. Thank you, Commissioner Masterson, to be a part of this conversation. We have three ways to vote. We have no excuse vote by mail. We have in person early voting that's mandated at the state level. For a period of time, there's a minimum. But then we have some discretion to go above and beyond that. And then we have election day. And that's probably been the biggest change in how elections were administered in the state of Florida since the 2007 election.
They were cast between 7:00 p.m. In the 2016 election that number was 30. 61 of the vote were kept in the presidential election before the polls ever opened on election day. We have about 13 million voters. My county has just about 205,000 voters. And I know for a lot of jurisdictions out there, you'd consider that a pretty large jurisdiction. That's considered pretty small in the state of Florida. We have a very diverse state and a very diverse way we conduct elections on a local level. We have been this conversation about cybersecurity, I think the point I would want to make sure gets across in elections, at least I've been doing this since 2004. And the security, the overall security ballot, in particular the security voting systems, voting systems versus overall election systems has been front and center. That's been the discussion at the local level and national level we've been having for quite some time. What I think is new is that conversation is broad to include all of things that we do in our office as it relates to information technology and election systems more broadly. And I think that's the, that's the bigger challenge. I think it's easier if you look at one or two things like ballot security, like voting systems technology. It's a little more difficult when you have to deal with the human element like human firewall training and all the different things we as local election administrators, and I think at the state level as well, you want to try to provide services to the voters. You want to try to provide that new technology to make your office accessible. But the more you do that, the more you expose yourself to some of these security threats. So I think that's been the biggest shift between the 2016 election and what we're rapidly approaching, the 2018 election. And those, quite frankly, are some of the more difficult things to address. We sit here today on almost, I think, about the one-year anniversary of the declaration of election as critical infrastructure.
It was over across the river where we had a presentation from the folks at the Department of Homeland Security, and then I think that was on a Thursday and the next day was when the declaration came out from Secretary Johnson. And just so everybody knows, I know there's part of a narrative there's not a whole lot that has been done since 2016. And in fact within this year, we've the government coordinating council, which is part of the establishment of anything as critical infrastructure, is up and running. It was done I think within nine months from that initial declaration. Know the private sector, the version of that is under way as well. Had lots of meetings. So I think that effort is moving forward. And I know from myself and my own personal experience as well as colleagues in the state and around the country, because we talk to people not just in our own states but around the country, this is something that is front and center and there's a whole lot of activity that's going on. A lot of that stuff, we're not going to hold press conferences in our local offices and tell you what we're doing. But I can assure you there is a sense of urgency and purpose in making sure we are as prepared as we can be to address these challenges. And understanding, as the first speaker said, you don't check the box and then you're finished. Okay, or we're done with election security. Now we can move on to the next thing. There's broader understanding that is ongoing thing and we have to remain vigilant. And other thing I'd like to say is that there's resources out there. For instance, in Pensacola we also have the Naval Air Station in Pensacola, home to the Navy Flight Demonstration team also known as the Blue Angels. But we also have the office there called the center in information warfare. And we have a branch at the University of West Florida. And they happen to be the regional hub for the southeast for these centers of academic excellence on cybersecurity.
So I picked up the phone and reached out to the director and said, hey, you all have expertise, can we talk. And now we pulled in folks at the state level and they have these cyber range. Very robust ability to threat simulate, to do all things education-wise because they're in the education business. Are there ways we can collaborate that would be mutually beneficial to the folks at the university as well of us at the election offices. As well as state level, our secretary of state has gone to the legislature to ask for 2.4 million, I believe, to do two things. One, importantly, is to give resources to the local elections office. We're basically funded, with the exception with a handful of dollars that comes down from the state each year, we're funded through taxes that are collected at the local level, and we're independent constitutional offices but our local county commissions fund us. And so the state, the secretary of state has gone to the legislature. He's gotten into the governor's budget and he said we need some resources specifically to provide to cybersecurity to the local election officials as well as to set up a cybersecurity operation more robust, if you will, at the state level. There is a lot going on even if you're, maybe you're not hearing about it. Because we're kind of keeping our heads down and moving forward. And I think you're going to see a lot more of that as we approach the 2018 elections.
Thank you, David. And you actually built into my first question. And actually I'll start with you, Secretary. I know coming out of 2016 all of you were asking what steps can we be taking, what more needs to be done? What were the lessons learned and what are you doing to address the cyber posture of the state of Rhode Island elections?
What was interesting for us, for us it was continuation of what we did pre-2015.
So once we did that, then what you really need to do parallel-wise is to make sure you have the human resources that are up to the task of being able to secure your networks and being able to make sure, you know, you're only going to be as strong as your weakest link. And so making sure that the people involved in the system, whether that be at the department of state or the local board, has the wherewithal to really take cybersecurity into their everyday tasks. So I convened the cyber summit in Virginia City who has a cyber program and in collaboration with the National Guard and our board of elections and my office, we put something together to start that conversation of, first of all, like, why? This is beyond all the media stuff that might happen in conversations on cyber. This is real. There are actually people trying to hack into systems. Regardless of where they're from and what their intentions are, and we need to protect from that. So if you're a local clerk and somebody comes to your office and says can you download this into your drive, and that's the way you're getting access into the central voter registration system, you need to be conscious that's a weak link. And they need to know why they need to be part of the solution to keeping a secure network. And it's about mitigating risks, not solving everything. So I might say the biggest thing we did at the cyber summit with local officials, state election officials, that starts that conversation. And it will not be a one time thing, we're now incorporating these conversations around technology issues and how do I as an election official help maintain the security of the system as we go forward?
What steps are you taking in Washington since 2016?
Well, '16 was certainly a year for us to learn a lot of things.
And I think the hardest balance we have, and I think this is true of all election officials, is first of all I think the media, you guys started paying attention to cybersecurity in our elections last year or two years ago and we've been thinking about it for a long time. This is nothing new. The physical security, the cybersecurity have always been incorporated in what we do both at the state level and county level. I think the challenge we have is we want to talk publicly about it. Election officials by nature try to be transparent and try to share what we're doing to instill confidence in voters and the public. And the catch-22 we have is the more we're talking about it, the more we're waving a red flag for those hackers to say oh, here's a good target. We had a summit that we hosted in Seattle at Microsoft with the association of secretaries of state. And we had secretaries and elected officials come in from all over the country in 2015. And boy, talk about an eye opening exercise. That is when you get to go into their cybersecurity center and you see millions of threats a second coming in across the globe. That's happening, we're having hundreds of thousands of attacks every day. The hackers have the advantage. And they only have to get it right once. We have to get it right 24/7, 365. So we're acutely aware of that in our world. And one of the things that we did going into '16 trying to mitigate some of this was having continuity of operations plans, not only for the state but in every county. And we worked very closely with the county auditors to create those plans and really force them to start thinking of every single thing, not just cybersecurity-wise, but what can go wrong in an election and what you do when that happens. It gives you a level of confidence and also helps you in that crisis. So when we've got looks like Russian hacking happening in our systems and we detected that in 2016 is partnering with the folks that really know it.
We contacted Homeland Security in mid-'16 and started working with them right about the time we got the critical infrastructure designation nationally. Those types of things helping us on just a different level than we already were doing. But in partnering with our state information officer as well and their cyber security, their group that is doing this for the entire state and those resources to educate not only ourselves but our counties. Because the weakest link we know is one clerk that's been on the job for four days and opens an attachment and makes our whole system vulnerable.
Thank you, Secretary. Jeremy, I'm going to turn to you briefly and give it to the whole panel. Each person has mentioned partnerships, finding resources. The reality is at the state level, certainly down at the local level, they can't protect these systems themselves. Major corporations can't defend themselves, let alone small counties in Ohio, right? How would you recommend election officials at the state or local level engage the cybersecurity community? What are the best avenues, what do those partnerships look like? I know Joseph Lorenzo Hall at one point said there's hackers in every town in every portion of America. It's just identifying them and finding a productive relationship. How do you build those relationships and engage in that community?
The way of thinking about this is election offices have become IT departments that happen to have elections. It's a reality, it is a much bigger job. I'm sure all of you who are election officials didn't come into it thinking my aspiration is to run a giant IT organization, but that is the reality of it. To answer your question, universities are a great opportunity. Many of them have students. Somebody mentioned the centers of academic excellence program that's run by NSA.
There is a program the National Science Foundation runs called the Scholarships for Service, where college students who are required to be American citizens or permanent residents can get money to go to college if they study cybersecurity. So these are students anxious to work for the government, and they're learning. And this can be reaching out to universities and a great way to get students involved, great way to get services. But the reality is these things don't come cheap. I remember a discussion with an organization, local, that was running an internet pilot and they said oh, you break into our system. We're going to do it next year and we're going to do it for free to tell us where the problems are. And the reality is professors, students, they need to be paid also. So there need to be budget plans. It does take money to pay for these things. The universities are anxious to work with you. It's a great way for them to train students, and the students really enjoy it. It's something that's really to get students hooked into. And I have to tell one quick story about that. Go for it. So I was giving a talk, a much younger group if you'll pardon me saying. I didn't say insult the audience. Well, it was a group of undergraduates. And I know how many of you are undergraduates. So I said one of the challenges is poll workers are frequently older, it's harder to train them to do the sort of things we need them to do. How old do you think the average poll worker is. And finally a student gingerly raised his hand and I said how old, and he said really old. And I said how old, and he said like 35. So the perception is that 35-year-olds are running the elections. And we know the reality is that it isn't a 35-year-old, it is in fact 37. That's your age.
Thank you. Each one of you has mentioned that you founded university partners, worked with Microsoft, a variety of partners in Pensacola. There's opportunities.
Google is now with Project Shield, Cloudflare is now offering free services and whatnot. But part of the challenge is helping states understand what the challenges are. So what do you have in engaging in those conversations and bringing those folks in? And then we're going to get into resources. So I want to have that conversation.
So I'd say be on the lookout for it. Some of them are going to come to you. Sometimes people are going to come to you with some ideas. Be on the lookout for it and be, think about things like that. Look at your own community. If you have a university, there are some, some portion of them that are involved in cybersecurity or even others. One of the things that I think has evolved that I've seen just again in my time in elections is the evolution of this, I think Charles was in here, and I think he may have stepped out. But the evolution of elected officials and academia. I can tell you in the aftermath of Florida in 2000 there was a gigantic level, there was a canyon of distrust between election officials and those in academia. Quite frankly, I don't think there was any level of trust between those two. I'm glad to see those two communities have come together. I think taking the approach we need to work together to solve some of these problems. And I think some of that relationship building has produced. We worked with Dr. Stuart. We did a voter intercept survey. Again, one of those mutually beneficial things. It did not cost us a dime, and our local university had students conduct a survey. But before we did it, we engaged people like Dr. Stuart and said, hey, what kind of questions should we be asking, can you look at your draft questions and provide feedback? And one of the things we looked at was what was the voter's ability to have the competence of their vote counted? It was interesting because it was quantified, the further you get away from your local jurisdiction your level of trust that your vote was counted as intended drops.
It was scary for us undertaking that the beginning because we didn't know what the results were going to be. We thought we were doing a pretty good job. We thought our voters felt like we were doing a pretty good job. It came back that 90 plus of our voters felt like their vote counts as intended, and it started to erode. That was interesting to see since 2016. What has happened since 2016, what will that look like in 2018? Getting back to your original question is you've just got to be on the lookout for it. And I think I have yet to find a person we've reached out to that has said no or I'm not interested. Sometimes it's a little more challenging than others. Sometimes it does become a resource issue. But you'd be surprised, sometimes there's a need on the organization you're reaching out to to be able to do something like this that they're willing to invest some money in that you as a local election official would not have to. So be on the lookout for these opportunities. Get creative when you're seeking these things out. You have a lot of private sector partners that are out there, particularly in the information, in the information technology world, that would love to have an opportunity to work in this space. Because we do something that we local election officials is pretty special that touches virtually every United States citizen. They can identify with voting. They can identify with going to cast a ballot. They can identify with that fundamental right to choose those who lead them, who govern them. And so they take it seriously. And so there is this sense of duty almost that I've seen in helping local election officials. And I think you can go out and take advantage of that.
Thank you. And just to drive that point home, I mean there's resources from some of the folks we've talked about maybe locally as well as DHS. I think the challenge for all of us is understanding what our risks are. That leads us to the next question and work our way through the line quickly.
What do you view as the biggest risk to the process or to the confidence in the process, and then what mitigation or steps do you believe need to be taken to address that risk? I'll start with Jeremy. I want to throw in one other resource that occurred to me. When Fairfax County, Virginia got rid of the infamous WINVote machines a couple of years ago, the General Assembly gave me about 50 of them. My wife wasn't too thrilled with that. But they have since been donated to colleges, universities, high schools and museums across the country and in some cases around the world. When you're getting rid of your voter machines don't send them to the landfill. This is a great way to get them interested. They may come back as poll workers, et cetera, but this is a great way to get people involved. Help drive that median age. That's right. Help drive that median age down from 35. In terms of, you know, what we can do or what needs to be done, to put you on the spot just quickly, you mentioned the detection and recovery portion, specifically. Can you speak specifically to what the risks or the larger risks you see and specifically detection and recovery options for election officials? Well, I am not an election official, and I don't know how everything runs, so I'm going to speak from a theoretical perspective rather than anything concrete. But a lot of the localities, in Virginia we have 130-some localities. The smallest has 1,000 voters. Doing things with that number, they can't do things realistically. They don't even have someone full time to pick up the trash, much less run a complex IT structure. So centralizing things gives opportunities to give economies of scale. I think the big risk is because we are such a distributed election environment in the United States that we're solving the problems 8,000 times over in 8,000 election jurisdictions instead of doing them centrally.
But I think to me the biggest risk is are we doing things 8,000 times over where everyone is trying to invent their own solution? Secretary? I would describe the risks as twofold. One is the more things change they stay the same. The risk of elections at the micro level is huge. It could be the poll worker or it could be a state worker who isn't properly trained on cyber stuff. So a real effort on my part has been to make sure we train and develop professionally our staff. I mean that is something that government overall, I think, hasn't been really great at. With some exceptions, for example, Washington State, because you have such a nerve center of technology companies. It's amazing the resources you have just in that neighborhood. Being able to really up the skill set of your elections people, your IT staff, I grew our IT department by 40 because it became increasingly clear that we were much more of an IT shop than a filing cabinet, which is how historically a secretary of state's office had been run. So that's at the micro level and who's operating the system. At the macro level I think the risk is something we need to give some thought to. It's the issue of transparency and democracy. Who's overseeing and how do we understand that the systems are being given proper oversight? So I look at something that I think very highly of, the relationship we've been able to form with the department of security with regards to risk mitigation. But I really want Congress as representatives of the people to do the oversight over that particular executive agency. Because there are things that some of us don't have the expertise to understand, you know, what's happening exactly in that black box. So as an elected official who has to go to the public and say we have a democracy that works, we have to make sure there's proper oversight as we deal in those places, where yes, we can't be talking to everybody about what exactly we're doing.
But somebody who's elected by the people needs to be in on that and needs to have that oversight. Just as we do for, you know, we've had a long-term for covert operations, but we have to start thinking about oversight of these spaces with regards to cybersecurity. I completely agree with your comments. I would roll it up to the biggest risk is voter confidence and public confidence in our elections. And I think '16 was just the tip of the iceberg, certainly from our experience. And it comes down to communication. First on one level, how are we transparent with the public, with all of you, of what we're doing and how we're protecting the voter systems that we rely on that have all of your data. That's one kind of layer of communication. How do we have that transparency but also keep that security and keep that balance? One of the things we really ran across in '16 and '17, and it goes to just the world Homeland Security operates in and the world we operate in, is how do we communicate with them and teach them the difference between elections and, say, the power grid? We started learning early on when we had cybersecurity and learning with our team in Washington and we had to be transparent in some things. And the best example I can give you is when there was a hearing in Congress and a member of the Homeland Security team was asked to answer a question, were any hacked? And the answer was yes. And of course we were like, are we one? And of course the answer we got back from Homeland, we can't tell you. I'm sorry, what was that? We can't tell you. We can only tell you 21 states were hacked. And there were legitimate reasons they could share that information with us. They finally got to a point they needed to identify those 21 states. So we had a conference call and all the secretaries that were on the call were saying, you know, you might want to, because they were going to call us the next day and let us know individually.
And they said you might want to have a list of the 21 states. Oh, no, we can't do that. Okay, there's going to be an AP reporter who's going to start calling us and by the end of they're going to have the list anyway. So wouldn't it be better to be in front, oh, no, we can't do that. Not to throw Homeland under the bus or anything because they're wonderful. It's just they aren't used to operating in this world of transparency as we do. And it's that communication that election officials have to work on. And we need to get these players into our operations. Come see the King County election site in Seattle. See the environment we work in so you can understand what you're protecting. And I think that that's true of the media, candidates, campaigns. Because what ends up happening when something does go wrong or isn't perfect, it gets spun depending on who you are, who you're trying to, you know, play to. If you're trying to get a candidate elected I guarantee you the way that messaging happens is very different from my office or election office. David? Well, a couple of things. One, on the communication side, I think that's come up several times. That's two points. One, communicating out to the public about what's being done to secure the elections, about how elections are run, but also communications within those who conduct elections as well as those who are involved in the gathering of intelligence and sharing of threat data, et cetera. And the latter is something that's being actively worked on. As easy as it sounds, local elected officials and state elected officials all should be talking to each other and sharing information. Logistically how does that work? What is considered a security event that meets the threshold of being shared? What is that trust level between a local election official, a state election official, whether the secretary of state or local official.
Sometimes there's not an existing level of trust in those, so there may be some reluctance to share that kind of sensitive data. So that's part of being worked on, and what does that environment look like when there is a threat in state A, is that data something that needs to be shared with state officials or local election officials across the country? When you have 8,000 local election officials that becomes a pretty significant job to do that. So that's something that's being actively worked on. From what we have been focusing on and I think what a lot of people have been focusing on, again, a new term I've learned. I've learned a lot of new stuff in the last year. One of them is human firewall training. And from the smart people I talk to, and I try to talk to smart people that know a heck of a lot more about the subject matter than I do, is that that's the one initial step. I think there's a whole host of things we need to be doing, but that is the one step that's probably going to get your biggest investment on return. The folks receiving the emails. Because it's a challenge. We want to be accessible to the public. We haven't even talked about this generational gap. I've got a soon to be 14-year-old and a 17-year-old. And their expectation of being able to do things with their devices is so far away from what we are currently providing. And we've hit a little bit on the issue of internet voting, but at some point there is going to be some level of expectation among a younger generation, who are the ones least likely to participate in an election, that there is some form of technology, technological advances that's going to make that process easier for them than it is currently. And so we can't, I'm of the view, and as a jurisdiction that deals a lot with voters, we've mailed ballots to countries in the last election, and I think technology can provide some improvement on that. So we can't sit back and say you can't do it, can't do it.
I was part of the military voting task force and the state of Florida did this last year. We reached the same conclusion. We shouldn't be doing it now, but it's not something we can sit back and say we can't ever do it. So that conversation needs to be put forward. But again coming back to it, I think that human firewall training is something we need to look at. We focus so intently at ballot security and voting systems security that now we're starting to look more intently at those other systems that we utilize on a day-to-day basis that, you know, are vulnerable. I just heard you. I agree. Eventually, like it or not, I think we are going to get to internet voting. I just think we need to make sure we're actually ready when we're there. And we're not anywhere close to being ready today. I would concur. We're going to get to audience questions but I do have some research questions. I have anecdotes, I guess, that I should appreciate reaction to. I was recently talking to a member of the media who said I don't understand the resourcing of elections. This is a democracy. If the election officials go explain to the appropriators they need resources, they'll get it. And it was meant very honestly, well, it was meant very sincerely. This is democracy. So talk a little bit about the challenge in the conversation specifically about getting those resources and addressing the need we know working in elections, a lot of times new improvements to the local golf course, which I'm also in favor of, which is neither here or there, so react to that statement a little bit and then we'll do audience questions. So substitute elections with public safety. Are elections more important with public safety? Our sheriff of our county has appealed his budget that's provided by the county board of commissioners to the governor of the state of Florida because he says he's under-resourced and can't provide the level of safety required.
So I get that, and I think you do absolutely have to make an informed argument and go talk to those, whether at the local level or state level or for that matter at the federal level, on what your needs are. But just know there's competing interest. We're not far and away above everybody else, although we may think we're the most important governmental activity that's out there. And I can make an argument that it is. But know we're competing with many other interests, very important interests like public safety, that you have to provide all of these services to some level. But the other part of it is we have to get, I know I see Amber out here, and they've done a fantastic job in Denver of analyzing and taking technology where they've been able to save money. I don't think your budget has increased. But they've been able to do far more because they've modernized and able to do things on a more efficient basis that allows them to free up money for other things. I think a lot of us have been doing that over the past five or ten years. If they don't have the money, they don't have the money. But if they have the money and you're trying to decide which priorities, then you do have a responsibility. You would think coming out of 2016 and the operating environment you're in now, walking in and saying, look, we're trying to help, protect, defend against persistent actors, that's going to take money. What has the response been? What is the reaction to it? Again, ours has been pretty good. I was going to say, like in Rhode Island we modernized our election system before 2016. And it was basically you go to them, and they're elected officials so they've seen what we have. And you explain. You say, look, these machines are 20 years old. They cannot be patched up anymore. We're going to have a complete failure of the system next election and I am informing you now so you can be a part of responding to that. We're all in this together.
And then there's a part where you then have to deliver, and you do have to use resources wisely. And you work within your limited budgets and restructure your agency, and you build the level of trust that you're doing the work that needs to be done. Every jurisdiction is different and every state has its own demons and problems and stuff. But I do believe very firmly that we have engaged in ongoing communication. I would say that 2016 and going forward has actually at least brought up in a different way and not made it easier but made it more approachable, that this is real. That we are in a different world than, and I am actually old enough to have voted at a machine. Pull the lever and all the levers went away and you never saw anything else in the box. Where did the votes go? But anyway, we, no, no. And I don't want to know. But we are in a changing world of elections. It used to be you did it every two years, so there was a flurry of activity for six months and then you went away for like a year and a half and then you go back again. And that's gone. Between special elections and all this other stuff that's going on, elections has become very IT-intensive, very much a communication exercise with voters, with elected officials, with all different stakeholders. And it does require resources, but it requires a smart use of resources and results as much as it requires just acts. The county, exactly as you described, are competing with law enforcement, homelessness, affordable housing and things quite frankly sexier and more appealing and emotional than talking about we need to get some more computers or, ooh, that sounds like a good idea. We're going out for a modernization effort where we spent about two and a half years working with our officials to identify the business needs at the county level and state level for the business system. 500 business pieces, and we got the legislature to fund it at the state level to fund both the counties and us.
We put an RFI out on the street to see if the vendors could conceptualize. They said yes. And we didn't have a single successful vendor. So we're now reissuing that process. One, getting the funding takes time and effort and a lot of work. And you don't get those immediate results. You know most of our systems, the tabulation systems, were purchased with pocket dollars in 2005. Those systems are 11 years old, 13 years old depending on the county. And we're just trying to tackle the voter legislation piece. So it's hard to get voters to get it, but we're continuing that effort and it's again going back to communication and dialogue. I'll open it up for, yeah, go ahead. There are a number of open source efforts, free software, free in a certain sense of the word, and that's an opportunity that states, some states are taking advantage of it. And it may be a way to get advantage out of very limited dollars everyone is struggling with, is to take advantage of things already there, and you're not beholden to a vendor. It doesn't mean they're completely free. You may not pay for the software, but you still have to maintain it. You have to support it. You have to install it, train it. So it's not like it's the solution to all of anybody's problems, but it's worth looking at. And you have to have the staff that can manage it, and then you have to invest in that staff. We have to invest, and people with that technical expertise that are going to sit, live and breathe within state government. Right. It's something to keep in mind, that the only choice is not going to a vendor and buying a proprietary product. Thank you. There should be a hundred questions, so we should be good. Hello, I'm Jessica and a reporter. You guys have talked a little bit about your relationship with DHS. And I'm just curious if you can say a bit more about what you feel DHS's appropriate role in this is, and also what you think the limitations of that relationship are. I will lead.
I was definitely one of the secretaries that was very hesitant to think that was a good idea to go forward with critical infrastructure. Really because I believe the strength of democracy is it's not controlled at the central level. The Department of Homeland Security is, you know, I said they have a different model. Things that are very different from our world. But what I can say is our experience certainly with our local team has been nothing but positive. The depth of resources that they have and the experience they have with cybersecurity in particular is so beyond what we had access to before. And the ability, for example, to get the threat notifications in 2016 was reinforcing what we already knew what was happening in our system. So on that front it brings me a lot of comfort to know we have access to things with the Department of Homeland Security. So with that said, I think we're all kind of just working through this gingerly. Because the last thing I would want to see is the federal government coming in and taking over my state's elections. So I actually embraced the critical infrastructure designation. Although I will say that the way it rolled out was problematic. And I understand it happened very quickly with very little communication. Having said that, knowing it could bring in initial resources, I was very excited. I would vote this relationship, and we have met with our New England team at this point in our office, is that they're kind of like a white hat advisor and mentor to my staff. And again I think their operations in this area of elections do need congressional oversight. And some real deep dialogue by somebody who can kind of keep tabs on the checks and balances between our executive branch and our legislative branch of government. So that's how I would hope, I think what happened with DHS, it's a cultural shift. She had a very hard time on behalf of all of us trying to get them to communicate with us in a way we all understood each other.
And so communication and cultural and institutional cultures are very, very different. So it's going to take a while where we find that place where we're all comfortable in how this is operating. It was me, right? Yes. Hi, I'm Susan Greenhalgh from Verified Voting. I have a clarifying question for Jeremy. As far as the internet voting issue goes, I just wanted to raise the, for point of information, we work with a lot of computer scientists, computer security experts, and there is a great deal of research going on how to do internet voting securely, but it's at the academic level. I've been to conferences with equations and I can't fathom what they mean. But people are trying to figure out that question. No, don't do this, but they're not getting us a solution. To Jeremy's point it's going to be a while, I want people to know that there is research going on, people are trying to solve that problem. While they're saying no, they're saying, look, we're working on it and we're trying to figure out a way. But they're in the white board stage in a way to do this securely. And to Jeremy, I was wondering if you could speak to the email return on voter ballots. While there are a few states doing what's often referred to as internet voting, 32 states have its own security issues, and can you speak to the threat of doing that in today's cyber landscape? You can go. With respect to email return to ballots, I was kind of thinking of this when you made the comment about, well, what happens when someone clicks on an attachment and opens it, all sorts of bad things happen? Email return of marked ballots, it's just a welcome opportunity for an attacker to send an attachment that somebody is going to click on because they're trying to be the best election official they can and count every ballot. And they're going to click on that attachment, and they're going to open it and they're going to get infected. And it's not going to be their fault because they've been given two conflicting sets of guidance.
One is we need to count all the ballots and the other is we need to be secure and don't click on attachments. And so this is the problem. Email return, I mean putting aside the fact that email is unencrypted generally speaking, and so everyone's ballots are traversing the internet, open to be seen and manipulated and set raw. But the part that scares me more is not the fact the ballots themselves aren't private. The thing that worries me the most is an election official who's trying to do the right thing ends up compromising the system. I didn't mean to leave the impression there is nothing going on, but the response, the initial response that always comes up is can't do it right now, can't do it, can't do it. I feel like it's my duty to say we need to at least, you know, continuing to advance that research in that field. That's way beyond our capabilities at a local election official office to deal with that kind of stuff. But as somebody who represents a whole lot of voters, so in this particular instance you're talking about, I have to put myself in the position of the voter. And that's the voter that may not, may is doing all kinds of things in defense and maybe has a couple of minutes to be able to complete this process. And the only remedy that's left for them to return their ballot is through an email or fax. So for that relatively small, at that point, but you're a couple of days before the election and they're deployed in Afghanistan or something like that, they have no other remedy to be able to get that ballot returned to us in time for us to get it tabulated in this particular scenario like this.
So you have to balance out that accessibility for these voters, which happens to be, even though it's a large segment of people within a given election, it's not a gigantic number of votes, those who are overseas who take advantage of this opportunity that may not under the current system have any other remedy available to them to be able to participate in the process, which they have the right to do. Thank you. I'm getting the wrap up sign, which Brenda will take me down. But the good news is there's lunchtime. And I of all people get to luncheon time. I don't miss a meal. If you have additional questions for the panelists, I'm sure they'd be glad to engage you in those discussions. Lunch is on your own because we're the federal government and we're not going to buy lunch, and so be back in one hour. Thank you for the panelists. Thank you all. Go get them. Now, back to the Election Assistance Commission summit. After a brief introduction we'll hear from the acting deputy under secretary for National Protection at the Department of Homeland Security.
All right, we'll go ahead and start back up. I appreciate you all trying to get back from lunch in an hour in D.C. is difficult even if the food court is just downstairs, so thank you. We're at the hour of the program for the keynote remarks. Acting director of homeland cu