With the next panel. I want to thank you all for coming back, first of all, from the break. I want to welcome my panelists up here. Thank you for being willing to participate in this discussion. Obviously, its the topic du jour, i would say, for Election Administrators as well as folks like jeremy in the Computer Science community, dealing with election cybersecurity and securing the elections process. Just as a way of background, this topic is obviously the topic du jour coming out of the 2016 election, where we saw nation state actors targeting state level election systems or registration systems as well as vendors in a spearfishing attempt in 2016 as well as the declaration of elections as Critical Infrastructure by the department of Homeland Security. So on this panel today, i hope we can delve into some of those issues, talk about the operating environment that Election Officials are in today, share the expertise that you all have, your experiences, and most importantly, what steps we are taking to secure the process moving forward looking at 2018 and how you all are moving forward prepping for both primary season, right, and november. So i do want to note jeremy gray was supposed to be a panelist from l. A. County. He came down with the flu and so we thank him for not coming and sharing that. But his expertise will be missed. I know hes greatly disappointed. You all will have to carry that extra load of not having jeremy there. I will start out first by doing introductions. Have i fo i have formal introductions but im fortunate enough to know all of you. I will do quick introductions, then tee it up with you, jeremy, after i do introductions to do quick three to five minute opening remarks. Then we will get into the discussion if thats okay. First, on my far right is jeremy epstein. Jeremy has been a longtime Computer Scientist engaged in elections research, looking at the cybersecurity challenges in elections. Jeremy was a member of the acs technical Guidelines Development committee, helping us work on writing the next version of the standards coming early 2018, april, may 2018. Jeremy also is a poll worker in his home county of fairfax county, virginia. I know it takes a great deal of pride and hes learned a lot about the process in that way. Hes affectionately known in our community as east coast jeremy because jeremy gray, who was supposed to be here, is west coast jeremy. I will try not to refer to you that way or just east coast. That was my plan if jeremy gray had been here. Immediately to my right is secretary of state Nellie Gorbea from the state of rhode island. I got to know the secretary well through the process of your Voting System procurement process. Secretary gorbea doesnt take no for an answer. She knew she wanted to innovate in the state of rhode island and pushed to get innovations into place in the state of rhode island prior to the last president ial election in 2016 including replacing the voting equipment, implementing new poll books in a number of jurisdictions and bringing about a number of reforms. So secretary gorbea and her staff were incredible to work with as they looked to innovate and improve the overall elections process in rhode island. Thank you for being here. To my immediate left is secretary of state kim wyman of washington. Undoubtedly she will talk about vote by mail so we should all be ready. The benefits of vote by mail. Secretary wyman is unique amongst her peers in that prior to being a secretary of state she was a local election official so shes intimately familiar with how elections are run, the challenges that local Election Officials face, and then the challenges that exist on the state level implementing new innovative reforms, securing the process and some of what happens when decisions are made in legislatures that impact you down all the way on the local level. Secretary wyman, thank you for being here and partaking in the panel. Finally, last but not least, David Stafford is the supervisor of elections for escambia county, florida, the pensacola area. I suggest you go down and visit david. He has a wonderful office and more importantly, its in a wonderful area. David has been a part of a National Level conversation regarding the government coordinating council, the establishment of elections as Critical Infrastructure with the department of Homeland Security as well as being a National Leader on innovating and the use of data as we heard in the last panel and technology to improve services to his voters in the county. I thank you for being here and participating in the discussion as well. Thanks, matt. I will start and i start intentionally with you, jeremy, to open the conversation and part of what i want you to discuss, im not springing this on him, he knows im going to ask him to discuss this, is discuss what it means for us to be in an environment in which nation state actors are targeting elections systems and share some of your thoughts on kind of the environment were in and where were headed. Okay. Great. Thank you very much for having me, matt, for inviting me. Thanks, everyone, for participating. I need to start by saying although i am the precinct 841 chief for virginia and work for the National Science foundation, the usual disclaimer, its my opinion only. Clearly weve seen things in 2016 many have expected. At some level for decades. Weve been talking about many of these things. In a sense, there was no surprise. In another sense, it was surprising how brazen some of these attacks were. I think perhaps the most critical thing to learn is, if you have a computer, its internet connected. Remember, in the not so distant past, we used to spread viruses through floppy disks. Those are still introducing the same risks. Talk to the iranians about a case where a nonconnected system was infected with malware to put out of Commission Nuclear centrifuges. Im not saying centrifuges and Nuclear Systems are the same things. But you cant really be offline. I spent some time as a white hat hacker, one of the good guys who helped companies. Its a given any system can be broken into. Im glad dhs is doing the sorts of things theyre doing as part of their the status, as a critical resource, but anyone who thinks thats enough hasnt looked far enough. Its you dont jump once and then youre done. Ive looked at some reports made public from dhs. They are good but they are maybe i should say theyre fair but they dont really demonstrate the level of sophistication the nations state adversary would have. The systems are uniformly vulnerable. I think any cyber expert that looked at any of these systems would come to that conclusion. We need to be focused on detection and recovery. And the average lag time from a compromise until detection is in the range of six months. Coming out on the day after election day and saying there was no compromise, thats not really surprising that you havent seen a compromise. It may not show up for three to six months, on average. Lets see. That was the first thing. I want to also focus on what we can do now, which is the move to paper ballots and audits is really important. I want to give a shout out to edgardo, i thought i saw on the agenda, from virginia who has made major pushes in virginia, my state, to get paper ballots. If you havent read the report that caused virginia to get rid of the remaining dres, its compelling reading. I dont mean compelling in the sense they put you to sleep, if anyone thinks they can use dres safely, you need to read the report. What they found was, its basically too sensitive to tell you how bad it is. That should be a message for all of us. We need to be making sure we go to the handmarked paper ballots and we need we also should recognize thats a good thing because it results in shorter lines. We were just talking about that resulting in shorter lines. I know im supposed to keep it short. I will mention two brief points, internet voting, see what i said previously, see number one. If anyone thinks internet voting is a good idea, what planet are you coming from . This is just not a good idea with any technology we have today. We do not know how to do this, when the banks and pentagon and so on cant keep hackers out, what makes you think a nation state isnt going to get into your system, as good as your people are, you dont have the resources of citibank or the pentagon or boeing or whatever to protect your systems. Its not that youre not smart, hardworking people. You dont have the resources. By you, i mean Election Officials at the state and local level, its just a bad idea. The final stake i want to throw out there is blotching. There are at least a dozen startups saying that blockchain is the answer to voting. Its one of those things if all you have is a hammer everything looks like a nail. It does an okay job solving one of the easiest parts of the voting problem and does nothing at all to solve the hard parts of the voting problem. So, blockchain is not an answer. We need to go back to basics, the things we know work, paper, chain of custody, accurate record retention, monitoring, and not assume that, oh, yes, it was secure yesterday so therefore its secure today. Thank you. Thank you for those uplifting comments. I know. Its what you do. I will come back to you to talk about not just some of the basics you talked about but ways to engage your community. Secretary . Thank you very much for putting this together. We in rhode island had a millti year relationship with your office. The kind of expertise you have has been essential to the state of rhode island. I thank you very much and your staff. In rhode island, its important to note that the panel youve put together is great. We have different styles on the panel. Rhode island is one of the original states to declare independence unlike what you may have heard in your history books. It has a fairly old Voting System that dates back to the beginnings of this country. And over the years we have modernized the way we do it. I serve as the state chief election official. We have a system that is basically a threepart system. The department of state, rhode island secretary of state is the chief election official. I handle the putting together of the ballot for the entire state. We dont have counties which simplifies things incredibly. Once we prepare that ballot and send to it the printer, it is presented to local boards who run it with the state board of elections, an independent agency that is nonpartisan and also campaign finance. Thats a brief primer. We also at the department of state run the central Voter Registration system. That whole system is one that my office takes care of. It goes to the issue of education, if you move from rhode island to massachusetts across the border or connecticut, you change the way your system works. That is a really key point discussed earlier, we need to be able to understand as americans what is the system im currently operating in so we can then talk about potential solutions and security and at the same time increasing access. Weve had wonderful collaborations with the Election Assistance Commission under the department of Homeland Security over the last few years. When i took office in 2015. This was actually my first elected term as secretary of state in an elected office, i did have the advantage of being a deputy secretary of state for four years right after it was passed and i know a number of people from the early years post that. We came in and realized our Voting Systems were really outdated. The concerns about security were an issue with 20yearold paper ballots, scanning machines on the verge of breaking down. Who has parts for a 20yearold scanner, right . I made it a point of speaking to the governor and leadership, we were able to purchase for the entire state in time for the 2016 election ballot scanning machines that really increased the Comfort Level that we had with regards to securing the election. But i will say at this point that securing an election is not theres no Silver Bullet and its not a point. Its a path. It took layers and layers of different action to take you to better risk management. As you just said, if you think youre solving it, you have other problems. We did it, went ahead and bought online bought the voting machines, we went ahead and got online Voter Registration passed, automatic Voter Registration passed and implemented online Voter Registration passed and is in the process of being implemented. We also have really done a lot of work in the education piece in simplifying how we discuss elections with voters. Basically, looking at the center for civic design for help in how do you design things in a way that people understand them. People have a zillion other things to do in life other than elections. Improving access to the ballot box, even thinking how you communicate, how do you present your information to your citizens so that they can more easily access their ballot box. So i am of the firm belief that you can improve the integrity of elections without sacrificing access. You can actually do both. I think in rhode island were in the process of showing that this can be done. It does require an incredible amount of collaboration. I dont have all the resources. Im happy to go to the eac or department of Homeland Security, organizations Like National associations of secretaries of state for best practices or conversations about how do we do this better . I think those kinds of forums are important for us to provide better elections. Thank you very much for the time and make sure we get to the other subjects. Thank you. Unfortunately for all of you now as i take notes i have additional questions. You raised a critical issue that were going to come back to which is the balance between access and security and theres no such thing as that balance, the process has to have security and has to be accessible. Thats not a balance, both are requirements. Secretary, the floor is yours. Thank you. I would agree with what the secretary mentioned across the board. Even though our states are very, very different and really show diversity across the country on this decentralized way of electing our leaders, my state, washington, has about 4 million registered voters, 39 county auditors, the ones actually responsible for conducting the elections, not only during the input of Voter Registration data but also sending ballots to voters and things and we are vote by mail. We were the second state in the country to move to vote by mail from 2005 to 2010. Its when we completely moved to vote by mail following oregon and a number of other western states are on our heels and joining us. And, you in the east, its coming. I know you dont believe us, it is coming. Our world is an 18day voting period. I think youre saying that and you certainly heard comments today about that. The dynamic of how people vote is changing and the way they vote is changing. Certainly, in the west coast. My office, just like the secretary, im the chief elections officer for the state. My state does reviews for election operations in the 39 counties and we also do training and certification of Election Administrators in our state. Many will remember our state was front and center a few years ago with the closest governors race in the history of the country. That was so much fun, by the way. I think a lot of good came out of that race and being under that microscope. It really does drive you to make sure every single voter in your state, and i think this is the goal of all Election Administrators across the country, has the same experience, has the same access, the same security level. The Election Administrators across the country, as well as secretaries of state are always working to that end, trying to make sure were being as uniform as possible so its fair across the country. In our state, we have four election vendors who provide the ballot tabulation systems our counties use that are certified in our state. And the vast majority of our voters now are using paper ballots that are digitally scanned, but we still have some optical scanned counties and we do have the use of dres, but they are voter verified paper dres, if that makes sense. And then on the Voter Registration side, our model is kind of a bottom up. The data feeds in from one of three vendors to our centralized Voter Registration database. And then we also have a number of things weve put into place over the last, probably, ten years from an application where voters can get information about themselves, very specific information, called my vote. And ill talk a little bit later about the challenges of having some of these applications. But voters can check their registration status, find out their ballot layout and what offices are going to be on their specific ballot. And ill also talk a little bit on, our state implemented online Voter Registration in 2006. And we have an i. D. Check as part of that. And one of common things youll hear today is how you implement things matters. Voter i. D. In some states is a very flashpoint hot issue. And in our state it happened on the front end, we worked with a lot of stakeholders and groups to make sure we were going to be successful in that rollout. So all of the Cyber Security discussion were going to have i think really does tie into what matters. Thank you, and i think youre right. Were going to be talking about the nuances of implication as we talk about strategies to tackle this challenge in front of us in securing the system. Mr. Stafford, last but not least. So from the great state of florida, i wish we knew what it was like to have a very close statewide election. But its a pleasure to be here. Thank you, commissioner masterson, for inviting me to be a part of this conversation. Just by the way of backbackgrou the way florida votes. We have three ways to vote. We have no excuse vote by mail. We have in person early voting thats mandated at the state level. For a period of time, theres a minimum. But then we have some discretion to go above and beyond that. And then we have election day. And thats probably been the biggest change in how elections were administered in the state of florida since the 2007 election. In 2000, 86 of the votes were cast between 7 00 a. M. And 7 00 p. M. On election day. In 2016, that number was 30 . 61 of the vote were cast in the president ial election before the polls ever opened on election day. We have about 13 million voters. My county has just about 205,000 voters. And i know for a lot of jurisdictions out there, youd consider that a pretty large jurisdiction. Thats considered medium size in the state of florida. We have a very diverse state and we have a very diverse way we conduct elections on a local level. We have been this conversation about Cyber Security, i think the point i would want to make sure gets across, in elections, at least ive been doing this since 2004. And the security the overall security ballot, in particular the security of Voting Systems, Voting Systems versus overall election systems has been front and sent center for some time. Thats been the discussion at the local level and National Level weve been having for quite some time. What i think is new is that conversation is broad to include all of things that we do in our office as it relates to Information Technology and election systems more broadly. And i think thats the thats the bigger challenge. I think its easier if you look at one or two things like ballot security, like Voting Systems technology. Its a little more difficult when you have to deal with the Human Element like human firewall training and all the Different Things we as local Election Administrators and i think at the state level as well, you want to try to provide services to the voters. You want to try provide that new technology to make your office accessible. But the more you do that, the more you expose yourself to some of these security threats. So i think thats been the biggest shift between the 2016 election and what were rapidly approaching the 2018 election. And those, quite frankly, are some of the more difficult things to address. We sit here today on almost i think its about the oneyear anniversary of the declaration of elections as Critical Infrastructure. It was over across the river where we had a presentation from the folks at the department of Homeland Security, and then i think that was on a thursday and the next day was when the declaration came out from secretary johnson. And just so everybody knows, i know theres part of a narrative theres not a whole lot that has been done since 2016. And in fact, within this year, weve the government coordinating council, which is part of the establishment of anything as Critical Infrastructure, is up and running. It was done within nine months from that initial declaration. Know the private sector, the version of that is under way as well. There has been lots of meetings. So i think that effort is moving forward. And i know from myself and my own personal experience as well as colleagues in the state and around the country, because we talk to people not just in our own states but around the country, this is something that is front and center and theres a whole lot of activity thats going on. A lot of that stuff were not going to hold press conferences in our local offices and tell you what were doing. But i can assure you there is a sense of urgency and purpose in making sure we are as prepared as we can be to address these challenges. And understanding, as the first speaker said, you dont check the box and then youre finished. Okay, were done with election security. Now we can move onto the next thing. Theres broader understanding that is an ongoing thing and we have to remain vigilant. And other thing id like to say is that theres resources out there. For instance, in pensacola we also have the Naval Air Station in pensacola, home to the Navy Flight Demonstration team, also known as the blue angels. But we also have the office there called the center for information warfare. Its where the military trains their cyber warriors. And we have a branch at the university of west florida. And they have a center for Cyber Security. And they happen to be the regional hub for the southeast for these centers of Academic Excellence on Cyber Security. So i picked up the phone and reached out to the director and said, hey, you all have expertise, can we talk. Weve begun this collaboration. And now we pulled in folks at the state level and they have these cyber range. A very robust ability to threat simulate, to do all things educationwise because theyre in the education business. Are there ways we can collaborate to bring Something Like that to the forefront that would be mutually beneficial to the folks at the university as well of us at the election offices. As well as state level, our secretary of state has gone to the legislature to ask for 2. 4 million, i believe, to do two things. One, importantly is to give resources to the local elections office. Were basically funded with the exception of a handful of dollars that comes down from the state each year, were funded through taxes that are collected at the local level, and were independent constitutional offices but our local county commissions fund us. And so the state the secretary of state has gone to the legislature. Hes gotten into the governors budget and he said we need some resources specifically to provide cybersecurity to the local Election Officials as well as to setup a cybersecurity operation, more robust, if you will, at the state level. There is a lot going on even if youre maybe youre not hearing about it. Because were kind of keeping our heads down and moving forward. And i think youre going to see a lot more of that as we approach the 2018 elections. Thank you, david. And you actually built into my first question. And actually ill start with you, secretary. I know coming out of 2016, all of you were asking, what steps can we be taking, what more needs to be done . What were the Lessons Learned and what are you doing to address the cyber posture of the state of rhode island elections . What was interesting for us, for us it was continuation of what we did pre2015. When i walked in, our systems were so antiquated, they needed to be secured. So once we did that, then what you really need to do parallelwise is to make sure you have the Human Resources that are up to the task of being able to secure your networks and being able to make sure you know, youre only going to be as strong as your weakest link. And so making sure that the people involved in the system whether that be at the department of state or the local board has the wherewithal to really take cybersecurity into their everyday tasks. So i convened the cyber summit using south virginia university, who has a Cyber Program and in collaboration with the National Guard and our board of elections and my office, we put something together to start that conversation about, first of all, like, why . This is beyond all the media stuff that might happen in conversations on cyber. This is real. There are actually people trying to hack into systems. Regardless of where theyre from and what their intentions are, and we need to protect from that. So if youre a local clerk and somebody comes to your office and says can you download this into your drive, and thats the way youre getting access into the central Voter Registration system, you need to be conscious that thats a weak link. And they need to know why they need to be part of the solution to keeping a secure network. And its about mitigating risks, not solving everything. So i would say the biggest thing we did at the cyber summit with local officials, state Election Officials that starts that conversation. And it will not be a onetime thing, were now incorporating these conversations around Technology Issues and, how do i as an election official help maintain the security of the system as we go forward . What steps are you taking in washington since 2016 . Well, 16 was certainly a year for us to learn a lot of things. And i think the hardest balance we have, and i think this is true of all Election Officials is, first of all, i think the media, you guys started paying attention to cybersecurity in our elections last year or two years ago. Weve been thinking about it for 15, 20 years. This is nothing new. The physical security, the Cyber Security have always been incorporated in what we do both at the state level and county level. I think the challenge we have is, we want to talk publicly about it. Election officials by nature try to be transparent and try to share what were doing to instill confidence in voters and the public. And the catch22 we have is, the more were talking about it, the more were waving a red flag for those hackers to say, oh, heres a good target. We had a summit that we hosted in seattle at microsoft with the association of secretaries of state. And we had secretaries and Election Officials come in from all over the country in 2015. And, boy, talk about an eyeopening exercise. That is when you get to go into their Cybersecurity Center and you see millions of threats a Second Coming in across the globe. Thats happening were having hundreds of thousands of attacks every day. The hackers have the advantage. And this is true of every person sitting in this room. And they only have to get it right once. We have to get it right 24 7, 365. So were acutely aware of that in our world. And one of the things that we did going into 16 trying to mitigate some of this was having continuity of operations plans, not only for the state but in every county. And we worked very closely with the county auditors to create those plans and really force them to start thinking of every single thing, not just cybersecuritywise but what can go wrong in an election and how will you deal with it when that happens. It gives you a level of confidence and also helps you in that crisis. So when weve got looks like russian hacking happening in our systems and we detected that in 2016, is partnering with the folks that really know it. We contacted Homeland Security in mid16 and started working with them right about the time we got the Critical Infrastructure designation nationally. And becoming a member of security organizations, those types of things helping us on just a different level than we already were doing. But in partnering with our state Information Officer as well and their Cyber Security, their group that is doing this for the entire state and those resources to educate not only ourselves but our counties. Because the weakest link we know is that one clerk thats been on the job for four days and opens an attachment in email and makes our whole system vulnerable. Thank you, secretary. Jeremy, im going to turn to you briefly and give it to the whole panel. Each person has mentioned partnerships, finding resources. The reality is, at the state level, certainly down at the local level, they cant protect these systems themselves. Major corporations cant defend themselves, yet alone small counties in ohio, right . How would you recommend Election Officials at the state or local level engage the Cyber Security community . What are the best avenues, what do those partnerships look like . I know Joseph Lorenzo hall at one point said theres white hat hackers in every town in every portion of america. Its just identifying them and finding a productive relationship. How do you build those relationships and engage that community . The way of thinking about this is election offices have become i. T. Departments that happen to run elections. Its a reality, it is a much bigger job. Im sure all of you who are Election Officials didnt come into it thinking, my aspiration is to run a giant i. T. Organization, but that is the reality of it. To answer your question, universities are a great opportunity. Many of them have students, somebody mentioned the centers of Academic Excellence program thats run by nsa. There is a program of the National Science foundation called scholarships for service where College Students who are required to be american citizens or permanent residents can get money to go to college if they study cybersecurity. So these are students anxious to work for the government, and theyre learning. And this can be reaching out to universities as a great way to get students involved, great way to get services. But the reality is, these things dont come cheap. I remember a discussion with an organization, local, that was running an internet voting pilot and they said, oh, you broke into our system. Were going to do it next year and were going to do it for free to tell us where the problems are. And the reality is professors, students, they need to be paid also. So there needs to be budget plans. It does take money to pay for these things. The universities are anxious to work with you. Its a great way for them to train students, and the students really enjoy it. Its something thats really easy to get students hooked into. And i have to tell one quick story about that. Go for it. So i was giving a talk, a much Younger Group if youll pardon me saying. I didnt say insult the audience. Well, it was a group of undergraduates. And i dont know how many of you are undergraduates. So i said, one of the challenges is poll workers are frequently older, its harder to train them to do the sort of things we need them to do. How old do you think the average poll worker is . And finally a student gingerly raised his hand and said, old. I said how old, and he said really old. And i said how old, and he said like 35. So the perception is that 35yearolds are running the elections. And we know the reality is that it isnt a 35yearold, it is in fact 37. Thats your age. Thank you. Each one of you has mentioned that you found university partners, worked with microsoft, a variety of partners in pensacola. Theres opportunities. Google is now with project shield, cloudflare is now Offering Free Services and whatnot. But part of the challenge is helping states understand what the challenges are. So what advice do you have in engaging in those conversations and bringing those folks in . And then were going to get into resources. I want to have that conversation. So id say be on the lookout for it. Some of them are going to come to you. Sometimes people are going to come to you with some ideas. Other times, you need to be on the lookout for it. Look at your own community. If you have a university, chances are there are some some portion of them that are involved in cybersecurity or even others. One of the things that i think has evolved that ive seen just again in my time in elections is the evolution of this i think charles was in here, and i think he may have stepped out. But the evolution of the relationship between elected officials and academia. I can tell you in the aftermath of florida in 2000 there was a gigantic level there was a canyon of distrust between Election Officials and those in academia. Quite frankly, i dont think there was any level of trust among those two. Im glad to see those two communities have come closer together over the years. Taking the approach we need to Work Together to solve some of these problems. And i think some of that Relationship Building has produced. We worked with dr. Stewart. We did a voter intercept survey. Again, one of those mutually beneficial things. It did not cost us a dime, and our local university had its students conduct a survey. But before we did it, we engaged people like dr. Stewart and said, hey, what kind of questions should we be asking, can you look at your draft questions and provide feedback . And one of it things we looked at was, what was the perception of voters ability to have the competence of their vote counted . It was interesting because it was quantified, the further you get away from your local jurisdiction your level of trust that your vote was counted as intended drops. It was scary for us undertaking that in the beginning because we didnt know what the results were going to be. We thought we were doing a pretty good job. We thought our voters felt like we were doing a pretty good job. It came back that 90 plus of our voters felt like their vote counts as intended, and it started to erode. That was interesting to see since 2016. What has happened since 2016, what will that look like in 2018 . Weve just started dialoguing with them about a followup survey in 2018. Getting back to your original question, youve just got to be on the lookout for it. And i think i have yet to find a person weve reached out to that has said no, or im not interested. Sometimes its a little more challenging than others. Sometimes it does become a resource issue. But youd be surprised sometimes theres a need on the organization youre reaching out to, to be able to do Something Like this that theyre willing to invest some money in that you as a local election official would not have to. So, be on the lookout for these opportunities. Get creative when youre seeking these things out. You have a lot of private sector partners that are out there particularly in the information in the Information Technology world that would love to have an opportunity to work in this space. Because we do something that we local Election Officials do, that is pretty special that touches virtually every United States citizen. They can identify with voting. They can identify with going to cast a ballot. They can identify with that fundamental right to choose those who lead them, who govern them. And so they take it seriously. And so there is this sense of duty almost that ive seen in helping local Election Officials. Ask i think you can go out and take advantage of that. Thank you. And just to drive that point home, i mean, theres resources from some of the folks weve talked about maybe locally as well as dhs. I think the challenge for all of us is understanding what our risks are. That leads us to the next question, and we can work our way through the line quickly. What do you view as the biggest risk to the process or to the confidence in the process and then what mitigation or steps do you believe need to be taken to address that risk . Ill start with jeremy. I want to throw in one other resource that occurred to me. When fairfax county, virginia, got rid of the infamous wind vote machines a couple of years ago, the General Assembly gave me about 50 of them. My wife wasnt too thrilled with that. But they have since been donated to colleges, universities, high schools and museums across the country and in some cases around the world. Were training students to understand voting. When youre getting rid of your voter machines, dont send them to the landfill. Send them to the university. This is great way to get them interested. They may come back as poll workers, et cetera, but this is great way to get people involved. Help drive that median age down from 35. In terms of, you know, what we can do or what needs to be done to put you on the spot just quickly, you mentioned the detection and recovery portion, specifically. Can you speak specifically to what the risks or the larger risks you see and specifically detection and Recovery Options for Election Officials . Well, i am not an election official, and i dont know how everything runs, so im going to speak from a theoretical perspective rather than anything concrete. But a lot of the localities, in virginia, we have 130some localities. The smallest has 1,000 voters. Doing things with small numbers, they cant do things realistically. They dont even have someone fulltime to pick up the trash much less run a complex i. T. Infrastructure. So centralizing things gives opportunities to give economies of scale. I think the big risk is because we are such a distributed election environment in the United States that were solving the problems 8,000 times over in 8,000 election jurisdictions instead of doing them centrally. Some states are coming up with a terrific way to get best practices. But i think to me the biggest risk is are we doing things 8,000 times over where everyone is trying to invent their own solution. Secretary . I would describe the risks as twofold. One is the more things change they stay the same. The risk of elections at the microlevel is huge. It could be the poll worker not remembering the changes to the law. It could be a state worker who isnt properly trained on cyber stuff. So a real effort on my part has been to make sure we train and develop professionally our staff. I mean that is something that government overall, i think, hasnt been really great at. With some exceptions, for example, Washington State because you have such a nerve center of technology companies. Its amazing the resources you have just in your neighborhood. In other states, being able to really up the skill set of your elections people, your i. T. Staff, i grew our i. T. Department by 40 because it became increasingly clear that we were much more of an i. T. Shop than a filing cabinet, which is how historically a secretary of States Office had been run. So thats at the micro level, whos operating the system. At the macro level i think the risk is something we need to give some thought to. Its the issue of transparency in democracy. Whos overseeing and how do we understand that the systems are being given proper oversight . So i look at something that i think very highly of the relationship weve been able to form with the department of Homeland Security with regards to Risk Assessment and mitigation. But i really Want Congress as representatives of the people to do the oversight over that particular executive agency. Because there are things that some of us dont have the expertise to understand, you know, whats happening exactly in that black box. So as an elected official who has to go to the public and say we have a democracy that works, we have to make sure theres proper oversight as we deal in those places, where, yes, we cant be talking to everybody about what exactly were doing. But somebody whos elected by the people needs to be in on that and needs to have that oversight. Just as we do for you know, weve had a longterm process for covert operations, but we have to start thinking about oversight of these areas with regards to cybersecurity. I completely agree with your comments. I would roll it up to the biggest risk is voter confidence and Public Confidence in our elections. And i think 16 was just the tip of the iceberg, certainly from our experience. And it comes down to communication. First, on one level, how are we transparent with the public, with all of you with what were doing and how were protecting the voter systems that we rely on that have all of your data. Thats one kind of layer of communication. How do we have that transparency but also keep that security and keep that balance . One of the things we really ran across in 16 and 17, and it goes to just the world that Homeland Security operates in and the world we operate in, is how do we communicate with them and teach them the difference between elections and, say, the power grid . We started learning early on when we had cybersecurity and learning with our team in washington and we had to explain that we need to be transparent in some things. And the best example i can give you is when there was a hearing in congress and a member of the Homeland Security team was asked to answer a question were any hacked . And the answer was yes. 21 were. And of course we were like, are we one . And of course the answer we got back from homeland, we cant tell you. Im sorry, what was that . We cant tell you. We can only tell you 21 states were hacked. And there were legitimate reasons they couldnt share that information with us. They finally got to a point they realized they needed to identify those 21 states. So we had a Conference Call and all the secretaries that were on the call were saying, you know, you might want to because they were going to call us the next day and let us know individually. And they said, you might want to have a list of the 21 states. Oh, no, we cant do that. Okay, theres going to be an a. P. Reporter whos going to start calling us and by the end of theyre going to have the list anyway. So wouldnt it be better to be in front oh, no, we cant do that. Okay, we were right. And i only mention this, not to throw homeland under the bus or anything because theyre wonderful. Its just they arent used to operating in this world of transparency that we do. And its that communication that Election Officials have to work on. And we need to get these players into our operations. Come see the king county election site in seattle. Come in and see how we process ballots. See the environment we work in so you can understand what youre protecting. And i think that thats true of the media, candidates, campaigns. Because what ends up happening is, when something does go wrong or isnt perfect, it gets spun depending on who you are, who youre trying to, you know, play to. If youre trying to get a candidate elected, i guarantee you the way that messaging happens is very different from my office or an election office. David . Well, a couple of things. One, on the communication side i think thats come up several times. Thats two points. One, communicating out to the public about whats being done to secure the elections about how elections are run, but also communications within those who conduct elections as well as those who are involved in the gathering of intelligence and sharing of threat data, et cetera. And the latter is something thats being actively worked on. As easy as it sounds, local elected officials and state elected officials all should be talking to each other and sharing information. Great. How does that work . Logistically, how does that work . What is considered a security event that meets the threshold of being shared . What is that trust level between a local election official, a state election official, whether the secretary of state or local official. Sometimes theres not an existing level of trust in those, so there may be some reluctance to share that kind of sensitive data. So thats part of what is being worked on, and what does that environment look like when there is a threat in state a, is that data something that needs to be shared with state officials or local Election Officials across the country . When you have 8,000 local Election Officials that becomes a pretty significant job to do that. So thats something thats being actively worked on. From what we have been focusing on and i think what a lot of people have been focusing on, again, a new term ive learned. Ive learned a lot of new stuff in the last year. One of them is human firewall training. And from the smart people i talk to, and i try to talk to smart people that know a heck of a lot more about the subject matter than i do, is, thats the one initial step. I think theres a whole host of things we need to be doing, but that is the one step thats probably going to get your biggest return on investment. Human firewall training. The folks receiving the emails. Because its a challenge. We want to be accessible to the public. We havent even talked about this generational gap. Ive got a soon to be 14yearold and a 17yearold. And their expectation of being able to do things with their devices is so far away from what we are currently providing. And weve hit a little bit on the issue of internet voting, but at some point there is going to be some level of expectation among a Younger Generation who are the ones least likely to participate in an election that there is some form of technology, technological advances thats going to make that process easier for them than it is currently. And so we cant im of the view, and as a jurisdiction that deals a lot with voters, weve mailed ballots to 66 countries in the last election, and i think technology can provide some improvement on that. So we cant sit back and say you cant do it, cant do it. I was part of the military voting task force and the state of florida did this last year. We reached the same conclusion. We cant be doing it now. We shouldnt be doing it now, but its not something we can sit back and say we cant ever do it. So that conversation needs to be put forward. But again, coming back to it, i think that human firewall training is something we need to look at. And looking at the broader systems. We focus so intently at ballot security and Voting Systems security that now were starting to look more intently at those other systems that we utilize on a daytoday basis that, you know, are vulnerable. Did you have a reaction . I just heard you. I agree. Eventually, like it or not, i think we are going to get to internet voting. I just think we need to make sure were actually ready when were there. And were not anywhere close to being ready today. I would concur. Were going to get to audience questions but i do have some research questions. I have afternoon an anecdote. I was recently talking to a member of the media who said i dont understanding the resourcing of elections. This is a democracy. If the Election Officials go explain to the appropriators they need resources, theyll get it. And it was meant very honestly well, it was meant very sincerely. This is democracy. So, talk a little bit about the challenge in the conversation specifically on getting those resources and addressing the need we know working in elections, a lot of times new improvements to the local golf course, which im also in favor of, which is neither here or there, so just react to that statement a little bit and then well do audience questions. So, substitute elections with Public Safety. Whats more important . Are elections more important with Public Safety . Our sheriff of our county has appealed his budget thats provided by the county board of commissioners to the governor of the state of florida because he says hes underresourced and cant provide the level of Public Safety required. So, i get that, and i think you do absolutely have to make an informed argument and go talk to those, whether at the local level or state level or for that matter at the federal level on what your needs are. But just know theres competing interests. Were not far and away above everybody else, although we may think were the most important governmental activity thats out there. And i can make an argument that it is. But know were competing with many other interests, very important interests like Public Safety that you have to provide all of these services to some level. But the other part of it is, we have to get i know i see amber out here, and theyve done a fantastic job in denver of modernizing and taking technology where theyve been able to save money. I dont think your budget has increased. But theyve been able to do far more because theyve modernized and been able to do things on a more efficient basis that allows them to free up money for other things. I think a lot of us have been doing that over the past five or ten years. Thats something you have to be more creative with the resources you do have. And other times you have to make the case. If they dont have the money, they dont have the money. But if they have the money and youre trying to decide which priorities, then you do have a responsibility. You would think coming out of 2016 and the operating environment youre in now, walking in and saying, look, were trying to help protect, recover, defend against persistent actors, thats going to take money. What has the response been . What is the reaction to it . Again, ours has been pretty good. I was going to say, like, in rhode island we modernized our election system before 2016. And it was basically, you go to them, and theyre elected officials so theyve seen what we have. And you explain. You say, look, these machines are 20 years old. They cannot be patched up anymore. Were going to have a complete failure of the system next election and i am informing you now so you can be a part of responding to that. Were all in this together. And then theres a part where you then have to deliver, and you do have to use resources wisely. And you work within your limited budgets and restructure your agency, and you build the level of trust that youre doing the work that needs to be done. And then produce result us. Every jurisdiction is different and every state has its own demons and problems and stuff. But i do believe very firmly that we have engaged in ongoing communication. I would say that 2016 and Going Forward has actually at least brought up in a different way and not made it easier but made it more approachable, that this is real. That we are in a different world than and i am actually old enough to have voted at a chutes lever machine. Pull the lever and all the levers went away and you never saw anything else in the box. It was sort of satisfying to pull that level. And i dont want to know. But we are in a changing world of elections. It used to be you did it every two years, so there was a flurry of activity for six months and then you went away for like a year and a half and then you go back again. And thats gone. Between special elections and all this other stuff thats gone on, elections has become very i. T. Intensive, very much a communication exercise with voters, with elected officials, with all different stakeholders. And it does require resources, but it requires a smart use of resources and results as much as it requires just asks. The counties, exactly as you described, are competing with law enforcement, homelessness, Affordable Housing ask things quite frankly sexier and more appealing and emotional than talking about we need to get some more computers or, ooh, that sounds like a good idea. In our state, were going out for a modernization effort where we spent about two and a half years working with our officials to identify the Business Needs at the county level and state level for the Voter Registration system. Came up with 500 business pieces, and we got the legislator to fund it at the state level to fund both the counties and us. We put an rfi out on the street to see if the vendors could conceptualize. They said yes. We put the rfp on the street. This was tracking to be live in 19, this was our goal. And we didnt have a single successful vendor. So were now reissuing that process. I mention all this, because this is the challenge. The reality is, one, getting the funding takes time and effort and a lot of work. And you dont get those immediate results. You know most of our systems, the tabulation systems were purchased in 2005. Those systems are 11 years old, 13 years old depending on the county. And were just trying to tackle the Voter Registration piece. So its hard to get voters to get it, but were continuing that effort and its again going back to communication and dialogue. Ill open it up for yeah, go ahead. [ inaudible ] is it on thank you. There are a number of open a nn source efforts, free software, free in certain senses of the world and thats in an opportunity that states are some states are taking advantage of and it may be a way to get more leverage out of the very limited dollars that everyone is struggling with is to take advantage of things that are already there and youre not beholden to a vendor. Now, it doesnt mean that theyre completely free. You may not pay for the software, but you still have to maintain it, you have to support it, you have to install it, train it. So its not like its the solution to all of anybodys problems but its worth looking at. And you have to have the staff that can manage it. Absolutely. And you have to have invested in that staff. Were in a paradigm shift in government. We have to invest. People with that Technical Expertise that are going to sit, live and breathe within state government. Right. Like i said, its not a panacea but to keep in mind the only choice is not going to a vendor and buying a proprietary product. Absolutely. Thank you. There are only 120 questions. So we should be good. Just please stand up and identify yourself, if you dont mind. Hello. Im jessica. Im a reporter with propublica. You have talked about your reasons with dhs, especially since the Critical Infrastructure designation. Im curious if you can say a little bit more about what you feel dhs appropriate role in this partnership is. Ive heard a lot of differing opinions from a lot of different secretaries of state and also what you think the limitations of that relationship are . I will lead. I was definitely one of the secretaries that was very hesitant to think that was a good idea, to go forward with Critical Infrastructure, mainly because i really believe that the investment of american elections and democracy is that its decentralized and not controlled at the federal level. I was hesitant because i i was hesitant that you could have an organization that could come in and take over. You know, because thats the the department of Homeland Security is sorry, is, you know, i said, they have a different model. They are protecting the power grid. Things that are very different from our world. But what i can say is our experience with our with certainly our local team has been nothing but positive. The depth of resources that they have and the experience they have with Cyber Security in particular is so beyond what we had access to before, and the ability, for example, to get the threat notify gaications was reinforcing of what we already know was happening in our system. So on that front, it brings me a lot of comfort to know that we have access to things like ms msisec and things with the department of Homeland Security. That said, i think were all kind of just were all working through this gingerly because the last thing i would want to see is the federal government coming in and taking over my states elections. Yeah, so i actually embraced the Critical Infrastructure designation. Although i will say that the way it rolled out was problematic, and i understand that it happened very quickly with very little communication. Having said that, knowing that it could bring in some additional resources, i was very excited. I would hope that this relationship and the way ive seen it evolve, and weve actually met with our new england team at this point in our office, is that theyre kind of like a white hat adviser and mentor to my staff. And, again, and i think that their operations in this area of elections do need congressional oversight. And some real deep dives by somebody who can kind of keep tabs on, you know, the checks and balances between our executive branch and our legislative branch of government. So thats how i i would hope think what happened with dhs is a culture its still happening. Its a cultural shift. I see Leslie Reynolds in the background. She had a very hard time on behalf of all of us trying to get them to communicate with us in a way that we all understood each other. And so communication and culture as a. In institutional cultures e very, very different, so its going to take awhile were we all find that place where were all comfortable with how this is operating. Oh. Thank you. Oh. It was me, right . Yeah. You have the mike, so its you now. Hi, susan from verified voting. I have a quick comment for mr. Stafford and a clarifying question for jeremy. As far as the internet voting issue goes, i just wanted to raise the for point of information, we work, you know, with a lot of Computer Scientists, Computer Security experts and there is a great deal of Research Going on on how to do internet voting securely, but its at the academic level. Ive been to conferences with people with equations i cant possibly fathom what they mean. Its in the white board stage so people really are trying to figure out that question. I know Election Officials express a lot of frustration that the Computer Scientists say, no, dont do this but not giving us a solution. Going to jeremys point its going to be awhile, i want to people to know there is Research Going on. People are trying to solve that problem. While theyre saying, no, theyre saying, look, were figuring it out but in the white board stage in a way to do this securely. To jeremy, i was wondering if you could speak to the email return of voted ballots. While there are only a few states that are doing whats often referred to ainternet voting, 32 states are permitting email and fax returns of voted ballots which has its own security issues. Can you speak to the advisability of doing that in the threat environment were seeing in todays cyber landscape. Do you want to go first . No, you can go but i would like an opportunity to okay. With respect to email return of ballots, i was kind of thinking of this when you made the comment about, well, what happens when someone clicks on an attachment and opens it and all sorts of bad things happen . Email return of marked ballots is just its just a welcome opportunity for an attacker to send an attachment that somebody is going to click on because theyre trying to be the best election official they can and count every ballot and theyre going to click on that attachment and theyre going to open and theyre going to get infected. And its not going to be their fault because theyve been given two conflicting sets of guidance. One is, we need to count all the ballots, and the other is, we need we need to be secure. Dont click on attachments. [ inaudible ] and so this is the problem. Email return, i mean, putting aside the fact that email is unencrypted generally speaking and so everyones ballots are transversing the internet opening for to be seen, to be manipulated, et cetera, but the part that scares me more is not the fact that theyre that the ballots themselves arent private. The thing that worries me the most is an election official who is trying to do the right thing and ends up compromising their environment. Ill say two things. One, i didnt mean to leave the impression that there is nothing going on, but the response, the initial response that always comes up is, cant do it right now. Cant do it. I feel like its my duty to say we need to at least, you know, be continuing to advance that research in that field. Thats why beyond our capabilities at a local Election Official Office to deal with that kind of stuff, but as somebody who represents a whole lot of voters so in this particular instance youre talking about, you have to put yourself i have to put myself in the position of the voter. And thats the voter that may not may, is doing all kinds of things in defense of this country and maybe has a couple of minutes to be able to complete this process. And the only remedy thats left for them to return their ballot is through an email or fax. So for that relatively small, at that point, at that point, i see youre but if youre a couple of days before the election and theyre Forward Deployed in afghanistan or Something Like that, they have no other remedy to get that ballot returned to us in time for it to be tabulated. In a scenario like this. So the idea is you have to balance out that accessibility for these voters, which happen to be even though its a large segment of people within a given election, its not a gigantic number of votes, those who are overseas that take advantage of this opportunity that may not under the Current System have any other remedy available to them for them to be able to participate in the process, which they have the right to do. Thank you. Im getting the wrapup sign, which brenda will take me down. But the good news is, the good news is it is lunchtime, and i i of all people get you to lunch on time. I dont miss a meal. So you can engage these conversations if you have additional questions for the panelists, im sure theyd be happy to engage you in those discussions. Lunch is on your own because were the federal government and were not going to buy you lunch. And then be back in one hour for the keynote speaker from dhs, which is very timely, given the discussion we had. Thank you to the panelists. Thank you all. Go get em. Thank you, im excited. Cspans washington journal live every day with news and policy issues that impact you. Coming up wednesday morning, the trump organizations business conflicts of interest. Well talk about it with Public Citizen president robert weisman. Were live from the d. C. Convention center for the 2018 washington auto show. Well discuss the future of Automotive Technology and Ride Share Services in washington with robert grant of lyft. And senator john thune will discuss todays field hearing on Automotive Technology and the issues facing lawmakers and Auto Industry regulators. Also, kurt meyers of the Pennsylvania Department of transportation shares his view on the states approach to diverless vehicles and federal policy. Be sure to catch cspans washington journal live at 7 00 eastern saturday morning. Join the discussion. Coming up here on cspan 3s American History tv, a look at how slavery is interpreted and talked about to visitors at historic president ial plantations then in an hour and a half, a discussion of free speech and Academic Freedom on college campuses. Both events from the american historical Associations Annual meeting. The house and senate reached an agreement monday to fund the federal government through february 8th. The head of the Nonpartisan Congressional Budget Office keith hall will testify at an oversight hearing about the federal budget and the effect the recent tax cut bill could have on the federal debt. Live coverage from the Senate Budget committee starts at 10 30 a. M. Eastern on cspan. A senate panel looks at innovation in the Auto Industry, including selfdriving cars, thats live from the senate customers science and Transportation Committee at 10 00 a. M. Eastern here on cspan 3. The u. S. Conference of mayors holds a News Conference that kicks off their annual winter meeting. Well hear from new orleans mayor mitch landrieu, who is the current president of the bipartisan group. Live coverage beginning at 12 20 p. M. Eastern. Follow off of these events at cspan. Org or with the free cspan radio app