
Overseeing the administration of federal elections. And today's hearing will help us to fill the responsibility by providing an opportunity to hear from the vendors of most of our country's voting systems. This is the first time the CEOs of the three major vendors have appeared together in a congressional hearing. The companies they represent provide at least 80% of the estimated 350,000 voting machines in use today, reaching over 100 million registered voters. However, despite their outsized role and the mechanics of our democracy, some have accused these companies of or f other suggest there's an insufficient regulatory structure for the sector. In the committee's May 2019 hearing on election security, Lawrence Norden wrote in his testimony, I quote, there are more federal regulations for ballpoint pens and magic markers than there are for voting systems and other parts of our election infrastructure. So there may be more work to do and much for Congress to learn about this industry. Many have concerns about voting systems with remote access software. And I want to make sure that companies no longer sell voting machines that have network capabilities. In 2019, according to a report in Motherboard, a group of election security experts, they uncovered that back end election systems in at least ten states despite one company's claims that its systems were not. We need also to understand supply chains. In December 2019 a study released by a supply chain monitoring company showed that one-fifth or 20% of components in a popular voting machine came from China-based companies. Furthermore, close to 59% of suppliers within that machine's supply chain had locations in either China or Russia. Interos didn't name the vendor but said it was widely used. I've also heard concerns about the ownership and control of voting machine vendors.
Public reporting indicates that all three of the major voting system vendors represented here today are privately held or are partially controlled by private equity firms. I believe it's in the public interest for Congress to better understand who could financially benefit from the administration of our elections. There are also, of course, threats to our voting infrastructure. We learned in Special Counsel Mueller's report that Russian intelligence officers targeted employees of voting technology companies that developed software to manage voter rolls and installed malware on the company network. We also know that our own Voluntary Voting System Guidelines have not been substantially upgraded before the iPhone was even available. It then took the EAC another decade to make small changes which were adopted in 2015, almost five years ago. So there's more we have to do together to bolster public confidence and trust in our election systems. That is why this Congress has acted. Last June the House passed H.R. 2722, the SAFE Act, that would require individual durable voter-verified paper ballots, would require risk-limiting audits, prohibit wireless and internet connectivity, and create accountability mechanisms for election technology vendors. The bill awaits consideration in the Senate. Just last month, Congress appropriated $425 million to the states to improve election security. This builds on the $380 million Congress appropriated in 2018. Securing our elections should not be a partisan issue. Election security is about upholding a democracy of, by, and for the people. The American people, be they Republican, Democratic, third party, or no party at all. Our democracy is resilient, but it relies on everyone having their vote counted as cast. I now recognize our Ranking Member Mr. Davis for any opening statement he may wish to make. Thank you, Madam Chair.
Especially also thank you for holding this necessary and long-overdue hearing that I've been looking forward to since the beginning of this Congress. And I want to thank our witnesses for being here today to discuss the important issues regarding elections and election security and elections administration. My agenda since becoming the ranking member of this committee has been and continues to be focused on nonpartisan and effective oversight of our nation's elections. Which are maintained by the states, not the federal government. But that does not mean that this committee and the House itself does not have an important oversight role to play in securing elections. Our witnesses here today have state, county, and local jurisdictions as clients. Who know their electorate best. We also have witnesses who have experience with running those elections. But we know that threats from foreign actors to our nation's elections are not going away. It should be noted from the Senate Intelligence Committee's report on the 2016 election, there were, quote, no indications that votes were changed, vote tallying systems were manipulated, or that any data were altered or deleted, end quote. By Russia or any foreign actor. DHS Assistant Secretary Manfred said in the Senate Intel's opening hearing in 2017 that, quote, we do have confidence in the overall integrity of our electoral system because our voting infrastructure is fundamentally resilient. End quote. While we have faith in the electoral system, we still have a responsibility to strengthen the relationship between states and the federal government to ensure that Americans' votes are and will continue to be protected. There has been some disagreement with my colleagues across the aisle on how best to accomplish this mission. But I believe our goal is the same. Instead of getting into a winded debate today between paper versus electronic, state versus federal, let's focus on things in the federal reach that need improvement.
Areas where we may come to a bipartisan agreement as we've seen in this committee many times in the past. This committee created in past the Help America act of 2002 which provided much-needed funds to states so they could update their election security and voting infrastructure. And created the Election Assistance Commission or EAC. One notable requirement of HAVA was for the EAC to create a set of specifications and requirements against which voting systems could be tested called the Voluntary Voting Systems Guideline. Or VVSG. The EAC adopted the first VVSG in December 2005 and provided an updated version in January of 2016. Now we are currently waiting for the EAC to produce the newest guidelines, VVSG 2.0. This year our committee should also hold a hearing with the EAC to discuss this voting guideline development process and several other processes within our jurisdiction. Perhaps we should not only focus on the EAC but instead HAVA itself. The Help America Vote Act was originally created in 2002 following the 2000 presidential election. Its many issues with ballot marking devices much like we'll be discussing today. There have been many developments in voting system technology that are not addressed in the original HAVA language like e-pollbooks and registering databases. It's been almost 20 years since this law has been updated and with the recent developments in election security and technology, it's time to modernize these laws again and incentivize new more secure infrastructure development from vendors like each of you. Also let's recognize the steps we've taken this Congress alone to secure our elections. As chairperson said, the FY 2020 National Defense Authorization last month contains several provisions related to elections security. Most involved providing Congress, federal, or state agencies with information about election interference. Something that was in the election security bill I introduced, H.R. 3412.
It also requires the Director of National Intelligence in coordination with several other agencies to develop a strategy for countering Russian cyberattacks against U.S. elections. Another provision I had in my bill. In addition to the NDAA, the recent appropriations as Chairperson Lofgren said including $425 million for territories to make general improvements to the administration of federal elections including upgrades to election technology and security. Much has been done but we still have much to do. Which is why you're all here with us today. A fundamental right of our nation's ability is to choose our leaders. The American people deserve that right to be protected. We should secure and protect our nation's elections without partisan politics and I hope we can remember that not only during this hearing, but also for the duration of this Congress. Thank you, Madam Chair. I yield back. Thank you. Gentleman yields back. All other members are invited to admit an opening statement for the record. At this point, I'd like to welcome our witnesses. Thank you for being here today. Joining us are the president and CEO of Election Systems and Software, Mr. Tom Burt. President and CEO of Dominion Voting Systems, Mr. John Poulos. And president and CEO of Hart InterCivic, Julie Mathis. I'd like to introduce each witness. Tom Burt became president and CEO of Election Systems and Software in 2015. He joined ES&S in 2008 leading sales, customer services, operations, and the product departments. Before joining ES&S, he developed his general management and leadership at McMaster-Carr, a supply company. And Andersen Consulting where he served in a variety of executive management roles. John Poulos is the founding president and CEO of Dominion. He leads the business operations. Since its inception in 2003, Dominion has grown to support over 1200 jurisdictions across North America.
He holds a bachelor of arts in electrical engineering from the University of Toronto as well as a master's of business administration from INSEAD France. Julie Mathis joined Hart in 2014 but became its CEO just nine days ago, so congratulations. She has previously served as president and CFO of the company and prior to joining Hart, she served as vice president of finance at Dell. Miss Mathis holds a bachelor of business administration degree in accounting from the University of Texas at Austin and is a certified public accountant. I would at this point ask unanimous consent that all members have five legislative days to revise and extend their remarks and their written statements be made part of the record. And without objection, that is so ordered. I'd also like to remind witnesses their entire statements will be made part of the record and the record will remain open at least five days for additional materials to be submitted. At this point, I would ask each of the witnesses to rise and hold up their right hand. So that you may answer this question. Do you swear or affirm under penalty of perjury that the testimony you are about to give is true and correct to the best of your knowledge, information, and belief so help you God? The record will reflect that all three witnesses answered in the affirmative and we will first recognize you, Mr. Burt, for your testimony. Thank you. Chairperson Lofgren, Ranking Member Davis, and members of the House Administration Committee, thank you for the opportunity to testify on the vitally important subject of elections security. My name is Tom Burt and I'm CEO of Elections Systems and Software. I'm encouraged to see the growing attention to stronger security in elections and thankful for the recent funding provided by Congress under your leadership. Founded 40 years ago, ES&S was roughly half of our employees live and work.
Others live or work locally near where we provide products and services including employees who reside in California, Georgia, Illinois, Maryland, North Carolina, and Ohio. Let me be clear and unequivocal with you. ES&S is committed to doing everything we can to safeguard our election security. It is why each of our employees goes to bed and wakes up thinking about. Additionally I want to make sure that ES&S supports federal mandates for the following three policies. First, a paper record for every vote cast. Second, post-election audits of these paper records. And third, more rigorous standards for the security testing of voting equipment by a federally controlled regulatory body. I'd like to elaborate on a few of the many examples ES&S has raised the bar on itself for election security and called on Congress to raise the bar on the entire industry. First, as mentioned, it is important that a paper trail be required for each vote cast. ES&S has stopped selling machines that do not produce a paper record as the primary voting device. Second, we support and applaud the increase in dedicated resources coming from Congress. State and local officials, the Election Assistance Commission, and the Department of Homeland Security. We embrace our partnerships with these bodies because we believe that collectively we can provide necessary and continuous improvement in election security. While the recent appropriations bill including additional elections related funding from Congress, we believe the federal government needs to devote these resources to state and local jurisdictions on an annual basis. Third, I'd like to highlight just a few of the many important steps ES&S takes to bolster election security. Every ES&S system we field undergoes rigorous testing. Since 2009 ES&S has certified 22 unique voting system releases through this federal testing program.
Our standard procedure is to conduct thorough and pervasive penetration testing through our hardware and software using the same modern security tools that hackers use to make sure our equipment is secure before it ever enters the federal program. We recommend increased EAC funding for security testing. Managed at the federal level with standards and testing methods that are applied evenly and comprehensively to all providers. All ES&S tabulation firmware and software are not only housed domestically but are written exclusively inside the United States. ES&S engages an independent third party to regularly test samples inside the voting agreement that our programmable devices. We do this to validate the supply chain and ensure no back door tampering has occurred. ES&S voting machine components are produced in certified manufacturing facilities and the entire voting system is managed by a change order control process. All of our voting machines are performed in Nebraska. We are working with our providers seated here with me today to create the nation's first coordinated vulnerability disclosure for elections equipment. Designed to provide for even greater testing of voting systems through the use of ethical hackers. Because we strive for continuous improvement in all facets of our business, they are continuous, ongoing, and dynamic. Finally I want to be clear that we do not believe we are perfect. On rare occasions, machines falter and humans make mistakes. When these circumstances arise, we always do everything possible to remedy the issue and ensure that final election results are reported accurately. As I noted previously, we strongly urge Congress to require an auditable record of every vote cast. While we are proud of the actions we've taken to date, we recognize this is a race that has no finish line. ES&S is committed to continually enhancing the security of our products for the long run.
We take nothing more seriously than our role in supporting our nation's democracy. Thank you for your time and I look forward to your questions. Thank you very much. We'd be pleased to hear from you, Mr. Poulos. Thank you very much. Chairperson Lofgren, Ranking Member Davis, and distinguished members of the committee, thank you for the opportunity to testify today. My name is John Poulos of Dominion Voting Systems. We are a U.S. owned company that provides services to jurisdictions across 30 states and Puerto Rico. I agree with the importance of the issues being raised by the chair and ranking member regarding election security at today's hearing. American elections safeguard and preserve the freedoms guaranteed by the U.S. Constitution. At Dominion, we take pride in our small role in ensuring voters they can have confidence in secure election results. We go to work every day understanding this important responsibility. By way of background, I formed the company with my partners in 2003 as an engineer and entrepreneur in Silicon Valley. We are one of the only independently operating of those 76 in the industry today. Dominion was founded on three key pillars. Security, transparency, and accessibility. The company abides by these principles today. Driving advancements for auditability and directed by state and local election officials. Supporting elections is a full-time proposition for our company. This past year alone, Dominion assisted state and local election officials in conducting nearly 300 elections. Complete with a rigorous public scrutiny that comes with it. Dominion is constantly innovating and certified enhancements and new features per state and local requirements. For 2020 we have been working closely with jurisdictions seeking to upgrade their voting systems. Older end-of-life technology is being replaced with certified solutions that produce paper records for auditing and resilience. This comports with recommendations by DHS.
Consistent with our founding tenets, this starts with our people. Including annual mandatory background checks and awareness training for every employee in the company. It includes companywide adoption of advance digital protections and a defense-in-depth approach to cybersecurity. Moreover, we actively engage with the EAC, DHS, and other trusted third parties to maintain and enhance our security. Including potential supply chain risks. Finally, we meet all independent testing requirements and requirements set forth by individual states. This includes source code reviews, penetration testing, and post-election audits. In terms of transparency, Dominion systems fully support independent third-party audits and reviews of all election data. For example, in 2018, the state of Colorado used Dominion systems in conducting the first statewide risk-limiting audit in the United States. This effort was so successful, it has become a benchmark for other states in verifying with high confidence that equipment tallies are accurate and reliable. To round out our company mission, we are committed to voter accessibility. Our systems ensure federal protections for privacy and equal voting rights. And ballot casting options for all including American service members abroad. The existence of nation state threats means we must actively defend against attempts to undermine faith in our democratic institutions. In this regard, we hope to see Congress continuing its work with state and local election officials to keep election systems secure. We commend Congress on its bipartisan investment of an additional $425 million to help election officials modernize their infrastructure. In closing, we remain fully committed to providing technology that supports free and fair elections. This includes support for an industrywide vulnerability disclosure program for voting systems.
We urge you to continue supporting and incentivizing real-time threat information sharing from the intelligence community. Streamline certification options for patching and updating, and reliable standards for voting systems. All of these efforts will help make the voting process more secure. Thank you again for the opportunity to share our company's perspective. Thank you so much for your testimony. And now our final witness in this panel, Miss Mathis, we'd be pleased to hear from you for five minutes. Chairperson Lofgren, Ranking Member Davis, and members of the committee, thank you for the opportunity to speak with you today. I am the CEO of Hart InterCivic. Hart began as a paper ballot printer and has grown organically one new customer at a time to become one of the top three voting system providers in the country. Our customers are local election officials and our business is built on partnering with them to enhance their processes and ensure they deliver secure, accessible, and transparent elections. Our products include the software and devices that these election officials use to create ballots, capture votes, tabulate votes, and audit the results. Our systems are regulated as each is certificated through the processes before any local jurisdiction purchases them. It's also important to note which aspects Hart does not serve. Hart does not build the products of voter check in at the polling place or any other aspect of election or data administration. These aspects of the election system and their vendors are not currently regulated. I'm in Washington, D.C., this morning because Hart strongly believes voter system companies are one of the many critical players. I can tell you much has improved over the last few years. But we know that challenges remain. So what has improved? First, what is improved as a company is our products. We are proud our voting system is one of the newest on the market.
Rather than patch updates, a new product designed from the core to meet standards. Further describes. Second, what has improved in industry? More agile when it comes to cybersecurity threats as a result of the Department of Homeland Security's designation of the American election system as critical infrastructure. Because of that designation, a founding member of council a group of diverse elections related to address resiliencies and practices. Similarly, a founding member of as well as an active member of the EIA. Free assessments and educational materials. But the biggest improvements have been to our ability to coordinate around cyber threat information and disclosures. So where else can we all continue to evolve and adapt? Number one, continual evolution of the voting system guidelines. We strongly support the process to roll out standards. We have submitted our comments during the public comment draft and are in regular communication to provide further insights to inform the new standard. We share your frustration over the slow adoption of the new standards yet Hart has enhanced the security of our products while awaiting the standards. We urge to continue other election technology especially areas of high vulnerability such as voter registration, electronic poll books and election night reporting. Number two, speed up the federal certification project at the EAC. Allow additional resources to be dedicated to the overhaul of the VVSG and enhance resources at the EAC. The more resources and funding that Congress can dedicate to the EAC, the sooner we will be to bring the next generation of products to market. Number three, ongoing vigilance over cybersecurity practices within our industry. The most important shift in institutional attitudes is that security is not a static process. At Hart, we recognize that methods will evolve and so we must continually adjust to new risks and adapt with new technology, new processes, and new policies.
In conclusion, much has improved over the last few years. Not only are there new products on the market with enhanced security protocols, but the election industry is much better informed, more coordinated, and more aware. But this enhanced awareness also highlights the clarity that securing is a race with no finish line. It will take constant vigilance, funding with partnership, and coordination to ensure that elections are secure each and every year. At Hart, our goal is and always has been to provide election officials with accessible and secure technology. We dedicate significant time and resources ensuring our products meet and exceed the latest security standards. Because of this, we are trusted partner of local officials who run elections in our country. Thank you and I look forward to answering any questions you have. Thank you and thanks to all of our witnesses for your verbal testimony as well as your written testimony. We will now go to the time in our hearing when members have an opportunity to ask questions for as long as five minutes. And I'll start. As we all know and we've recognized the concern about election security has been heightened since the 2016 election, we've had reports from our intelligence community that we should be on the alert for threats, especially foreign threats to the security of our systems. Right now there are no federal reporting requirements that mandate disclosure of crucial information about some of your key business practices or experiences. And I'd like to know from each of you and this could be a yes or no question. Would you support requirements concerning the following five items. First, your cybersecurity. Two, any cyberattacks you've experienced. Three, personnel policies including whether background checks and other procedures are in place to safeguard against safeguard attacks. Four, details of corporate ownership and foreign investment.
And finally supply chains for software patches and installations come from, how they're transported, and how they're kept secure. If you could answer whether you would agree to all or if there is some you would object to, why. I would say yes we support a requirement for all five of those requirements that you listed. Thank you. Chairperson, we would agree with that as well. Thank you. As would we. Very helpful. As you know, we have passed a pretty robust bill in the House. It's pending in the Senate. And perhaps your testimony will encourage them to move forward. I'd like to talk about supply chains. As I mentioned in my opening statement, concern has been raised about components. The Interos report showed that a majority of suppliers within a widely used voting machine supply chain had locations in either Russia or China. They didn't indicate which company. So I'd like to ask each of you. Do you have components in your supply chain that come from either Russia or China? Chairperson, we do not have components that come from Russia. We do have a limited number of components that come from China. What percentage would that be? I can't give you a percentage, but with respect to this issue, the potential for a back door threat doesn't relate to a piece of plastic or metal. What should be concerned is the programmable devices. What type of components come from China? Can you tell me the nature of them? Our DS200 which is a I don't want examples. I want do any of your chips, softwares, or just a piece of plastic? In our DS200 we have one of the nine programmable logic devices that we actually source from a U.S. company based in California in the heart of Silicon Valley that produces that programmable device in a factory in China. Okay. Thank you. The it wasn't our company in the we would welcome thank you, Madam Chair. Thank you again to the witnesses who are here. That is 100% secure? No. No. No.
To your knowledge, has a foreign state hacked any of your vote tallying election machines? No. What then was the primary target of our foreign adversaries in the 2016 election? Mr. Burt? Well, Ranking Member, I think there are potentially differing public views on that. But what I can say is that as you asked a minute ago, we've seen no evidence that any of our voting systems have been tampered with in any way. Mr. Poulos? I agree with that statement. We feel the same way. Can't speak to what the primary purpose was of the attacks. But there's to our knowledge, no evidence on our systems as well. Well, you guys already answered that. Miss Mathis, do you know what was attacked? Do not have personal awareness of that. I think there were such wide systems in Illinois. Where do these state voter registration databases come from? Ranking Member, it's various depending on do they come from any of your companies? We do host voter registration systems. We do not. We do. They're actually required by the Help America Vote Act. And also to your knowledge, are there any that require excuse me are there any parameters in HAVA that require the state voter registration databases? I believe the language in HAVA as it relates to voter registration is limited at best and I'm not aware offhand of any specific language it pertains to? Do you believe it's something that we should address? I do. I think it's a gap in the oversight of the election administration or Election Assistance Commission. And I believe you can put pollbooks into the same bucket with voter registration. Are you all members of the coordinating council? Yes. As well as the ISAC? Yes. Okay. How do these entities increase vulnerability disclosure? You know, prior to 2016, there was no communication between vendors and those entities. And there is regular sharing of information, of threat information as well as routine meetings. Many face-to-face to make sure the lines of communication are open at all times.
How many different disclosure programs are there currently? To my knowledge, we're part of one and currently working on several more with my colleagues here. To create further disclosure programs. How do we ensure these new programs are adequate to. I think it's important to work together with the cybersecurity experts that have already been involved through the designation as critical infrastructure. Ensuring we understand the appropriate disclosures. Would you say it is riding on the topic of election security since 2016? Would you all agree? Yes. I'm actually happy for this increased attention. I believe it's put an important issue to the forefront. I'm concerned about the incentive for outside groups to mischaracterize the threats facing our elections. Is this is a concern that each of you share? Yes. I got one yes. Yes. Yes. Thank you. I didn't think C-SPAN could see you guys nodding your heads. Over the past several years, there's a lot of publicity. Have you reached out to participate? Ranking Member, we have had discussions with them but not provided our equipment to them for testing. We reached out to DEF CON this year in 2019 interested in a more collaborative penetration testing with stakeholders. We've reached out with one organizer and had a plan. We actually did send our modern certified equipment to DEF CON. But in the days leading up to that event, I think there was an internal disagreement within the conference. So we ended up not working at that conference. But if it's not DEF CON, we're committed to that. How about you? We have actually submitted our systems through the DHS penetration testing process through national labs. So we've gone that route. But not DEF CON? Not DEF CON. I recognize now the gentleman from Maryland. Madam Chairman, thank you very much.
The Consumer Product Safety Commission advises manufacturers of products to identify all reasonably foreseeable hazards associated with use of their products to include safety warnings and steps to reduce risk of accidents in the user guides. And requirements like this for motor vehicles and warnings put in lots of different owner manuals. Would you support a requirement for voting system vendors to identify security risks associated with use of your voting equipment and recommendations for users to mitigate those risks such as manual audits of paper ballots and go down the line. Mr. Burt, start with you. Thank you. We would support any requirement that applies to all vendors in our industry that would help educate both the users of our systems and anyone who interacts with them. I would agree with that statement as well. I would support any initiative that Congress puts forward. We would agree with that also. Very good. There has been some reporting recently about the lobbying elections. Of the field. The procurement process. Of our contract. The reports indicate that ES&S spent $425,000 lobbying city officials dating back to 2014 before being awarded. Is this just standard practice in the industry and. We hired our first ever consultant to help us in Washington educating federal officials indicating who we are as a company. In this case, it was used to help procure a contract, right? It was used to educate any of those involved about who we are as a company, the values we hold, and how we conduct our business. Okay. Did you also get involved in making finance campaign contributions? No. Do you guys no, we don't make campaign finance contributions. You do spend money on the lobbying side? Yes, we do. At the state and local level. Correct. And Miss Mathis. Our involvement in lobbying has been minimal primarily to help us be educated in certain jurisdictions. Okay. I'm curious about whether each of your companies engage in adversarial testing. We have in the past.
It's something we're looking to expand in the future. We do routinely. We've hired third parties to have penetration testing. Through a DHS. We have been involved in that same penetration testing approach. Do you routinely allow academic researchers to test the quality and integrity of the products without prescreening them? In other words, do you generally permit outside investigators to come and check it out? Well, we have not involved academics who haven't been prescreened with the coordinated vulnerability disclosure program that we're working on with our colleagues. The idea is to have a firm be able to manage a network of white hat ethical hackers to broaden the access to our systems without making this information open to the public. Okay. Congressman, we have done that in the past. As far back in New York in 2009. We found the exercise was useful. And we are looking forward to doing more of that within the confines of a reality-based scenario of testing. Okay. And Miss Mathis? We would support the appropriate disclosure of that information. It's important we not undermine voter confidence in making sure we evaluate the type of disclosures necessary. Okay. Finally I remember from my days in Annapolis that there was sometimes the champions of security in the process. I was wondering would you try to eliminate that? Most recently with the public commentary around the marking devices, there is a concern regarding the format of how the ballots are printed of how the voter record and that sometimes. I yield back. The gentleman's time is expired. Gentleman from North Carolina. Recognized for five minutes. I believe each of you mentioned in your written testimony frustration with the voluntary voting system guidelines. Update that is ongoing Election Assistance Commission. This frustration has been shared by others in the election industry as well as this issue seems to have a lot to do with an antiquated HAVA. What can we do to help update the HAVA?
I'll start with you, Mr. Burt. Thank you for your question. I think that the EAC given the resources and funding they have do a very good job that sometimes it is how much we are to do given the resources they have. I think we should ask them to broaden the scope and purview of their oversight and to do that, of course, they need more funding and more support. Okay. I would agree with Mr. Burt's comments. I would add to that particularly a particular example as it pertains to patching of third party software such as Windows where a patch is readily available. And it's sometimes very cumbersome and timely to get that to customers. Miss Mathis, anything to add to that? I would agree with those comments. All right. How has your relationship with the DHS evolved? How have state and local authorities responded to DHS? A couple of these who wants to take it. Is dhs cupful these who want to do these. What type of services does DHS offer you. Let's start with what type of services does DHS offer you? Several different programs. We've taken part of a physical security review. Product testing. And in terms of the evolution of that relationship I would say it was zero four years and and helpful for us and the customers we serve. Mr. Burt, is DHS helping you to supply foreign chains? They are not. I think that's an opportunity. I think the vendors are eager to work in partnership with the federal government to make sure we're following best practices and safeguard to the best of our acts our voting equipment. Any evidence that Russia has hacked any portion or part of this, either as the DHS discovered that or assumed or suggested that or anything of that nature? No, we've never received any evidence or commentary that suggests that. No, no. Miss Mathis? None. Final question here, and if we can expand a little bit on this. Has each of you hired an executive level chief information officer? We have. We have.
We have extended internal security team and we have a CISSP expert on our staff. Mr. Polis, what are the qualifications? We have that bifurcated in terms of corporate IT and product security. Two different sets of yierkts. I can't list them to you off the top of my head. Mr. Burt? We were fortunate enough to find a gentleman who was the chief information security officer for Health and Human Services at the federal level and he's been with us for a couple of years. He has vast experience working with various government agencies in that capacity. Let me stay with you, Mr. Burt. Why is a position like this especially relevant in developing equipment for modern elections? I think as we look forward, it is necessary for someone with deep technical expertise to advise the company in its actions, to do everything we can to protect the equipment and services. Mr. Polis, the same? I agree in terms of a deep understanding of best practices and where the state of the art is evolving to. It really benefits the security of the products. Really quickly for the three of you, if you were to give yourselves a grade, one out of ten, ten being excellent, as far as your attentiveness to make sure there is no kpupgs, nothing nefarious, how would you score your company as far as the time, attention and resources you're putting into this? We spend a great deal of time. Our effort I can honestly say is as strong as we are capable of. We are always looking to find ways to improve and partner with other agencies improve our ability to mitigate any risks. Mr. Polis? The security of our products and infrastructure is a key priority for us and it is reflected in not only the amount of time and resources we spend to do it. Same thing. We absolutely dedicate, it's in our DNA, pervasive against everything. If this doesn't work out, you may have a career in politics, since none of you gave me a number or answered the question. I yield back. The other gentleman from North Carolina, Mr.
Butterfield. Thank you for convening this hearing today. I cannot think of a debate we could be having right now except for the war crime act. This is important to our democracy. Thank you to the three witnesses for your testimony. Mr. Burt, I want to talk specifically about North Carolina. You know I represent a district in North Carolina. There's been a lot of controversy surrounding your company's elections, officials in my state. Some have referred to what transpired as a bait and switch. I hope it's unwarranted. Can you please explain to me why you waited so long to tell North Carolina officials that you did not have enough voting systems to cover the 2020 primaries? Thank you for that question. I have read the bait and switch comment. We applied for the system five years ago, went through the testing. The report was written. It went to the state board for approval. Then it disinvolved. This was not a quorum at the state board for our four years. That system we got tested five years ago finally just got approved. We immediately went in after that and got our latest and most secure system updated. And it is that system, the most recently certified system, that we've delivered to the citizens of North Carolina. So if a bait and switch means we decided to send the most recent and secure system to the citizens of North Carolina, that is what we did. I'm informed that your company admitted installing remote access software on some of the systems. Were any remote wireless equipped systems sold to elections officials in my state? That practice happened between 2000 and 2006. No system that we have brought through the EAC program since 2007 has been equipped with any remote access software. We have confirmed there is no system out there today that has a remote access system attached to it. Miss Mathis, do you support federal legislation to expand the use of post election audits like risk limiting? We absolutely do. Mr. Polis? Absolutely. Mr. Burt. Yes.
Do you think all audits can be conducted on all the voting systems that you sell? We have a subset of our product that actually does not permit risk limiting audits. There are other audits and testing that fulfill a fully ability to confirm the accurate results. All right. Let me ask you, Mr. Polis, what do you do to secure that your subcontractors and manufacturers follow best industry practices on cybersecurity? Do you conduct background checks? On our direct subcontractors, yes. And for manufacturing partners we make sure they adhere to ISO standards. Mr. Burt? Same thing. Background checks on the contractors. Any of our manufacturing partners are all ISO certified. This is not a cursory background check? Detailed background check. That's part of the ISO certification. Miss Mathis, you as well? Yes. Are you aware of any cyber attacks in which the attacker gained unauthorized access to your internal systems, corporate or consumer data, Miss Mathis? We have not. Do you have any evidence that this has happened? We do not. Mr. Polis? No. Mr. Burt? No, we do not. See how I'm doing on time. All right. Back to you, Mr. Burt. We know you are committed to no longer sell paperless machines, but you are selling the ExpressVote with an AutoCast feature that has the voter to skip the verification of the paper record. Given the primary criticism of paperless machines was that they did not have a voter verified audit paper trail, do you think it's correct to say that you will no longer sell paperless machines, but you're selling a machine that can record votes without a paper trail? Congressman, I don't believe, I'm not aware off the top of my head, of any customers who are using that particular product in an auto cast fashion. I believe all the customers who are using that product present the ballot back to the voter for verification in one way or another, either through a screen or by kicking out the piece of paper.
And final for Miss Mathis, currently listed on your website is a Verity Touch. Meanwhile there is a clear consensus among experts that the paper ballots are needed. Why do you continue to sell a machine we all know that puts the integrity of the voter's ballot at risk? We actually believe they are secure. And it's not just Hart's belief. But we have had those products federally certified through the EAC, have gone through extensive accredited test lab, testing, certain states have sthoez, they comply with all standards and all our extensive security protocols that we have throughout the Verity platform, including extensive multilayer defense-in-depth secure protocols. Thank you. I'm out of time. I yield back. The gentleman's time has expired. We'll have a second round of questions so that we can further explore this. The gentle lady from Ohio is recognized for five minutes, chair of our elections subcommittee. Thank you, thank you all very much for your testimony. Just a couple of questions. Let me first say that I understand this is a business with you all, but I think my colleague Mr. Butterfield said it best, it is critical to our democracy, and your equipment is purchased with taxpayer dollars, so there are some things we do expect and some information we expect you to give us. As I say that, let me also say that I'm from Cuyahoga County, Ohio. We have ES&S machines, but we have 13 different voting systems. When we talk about ensuring the security of our systems, what we find is that we probably need more trained examiners because we have so many different systems. So let me first ask, do you support increasing the number of testing labs so that we can test voting equipment examiners? Yes, we do. All of you? Absolutely. Yes. Secondly, it's my understanding that the testing standards that we currently use date back as far as 2005.
We're in 2020 but we're using standards and so what we have done is basically say to the Windows people, you determine what the upgrades and security should be, because you're dancing to their tune, not to the EAC. Is that how you see it as well? Congresswoman, I think there is an opportunity to update the standards and broaden the program to include more security specific testing. I don't understand the question. Well, you're doing upgrades to your systems not based upon what we think is a security issue but what Windows is telling you to do because that's the operating system? Both is true actually. We are regularly innovating new features that come from local jurisdictions and state officials based on evolving threats and evolving state of the art of the technology. In addition, we do use Windows and Microsoft products that do have their own patches. That's not core to the tabulation product as well. We do not have off the shelf... When Microsoft calls and tells you you need to do this upgrade, you do it? We implement it, we test it, we submit it for certification. We do not implement it for example in a county in Ohio until... I'm not suggesting that you don't test it. My point is that you don't do it based upon what we believe is a security issue. You do it upon what Microsoft believes is one? Right. I... Okay. You don't have to defend Microsoft. I'm not trying to do anything to Microsoft. I'm just making a point that we need to be more involved in the process. That is true. Will all of you commit today to allowing researchers to check your product without hand picking? We're not interested in hand picking them. We're interested in making sure we attract hackers test them. We'd like to see the EAC to actually manage a coordinated vulnerability disclosure and have the EAC choose the researchers, assemble the team and... That's a yes? Yes, we would like to see the EAC. Only reason I'm cutting you off, I have five minutes. Understood.
I ask each of you, what do you do to make sure your subcontractor and manufacturers follow best practices on cybersecurity? Mr. Butterfield already asked you about background checks. If you could answer the first part of the question? Well, in our case, for example, our lead manufacturer manufactures products for the Department of Defense and has accreditations under ISO and we look for that for a prerequisite to doing business with that manufacturer. We look at ISO standards, have deep quality reviews and ensure that we're managing our suppliers very closely. Good. I work for the federal government too. I don't trust everybody else that works for the federal government. I want to make sure you're looking at them not just hiring because they work for the federal government. Fair enough. I yield back. The gentleman from California, Mr. Aguilar, is recognized for five minutes. Thank you, chairwoman. I wanted to talk a little bit about products and defects, and we can go down the line, Mr. Burt, if you'll indulge me by starting, do you have built-in systems that look for defects along the way? And can you describe that, how long it takes to find it, create and implement a solution? We do have built-in systems ranging to functional testing. In the event, if a system has been fielded and approved by the EAC and delivered to a state and has been fielded, and there's a functionality, piece of the functionality that we want to change, that process to make the change currently have it go through the federal testing program and redeployed to the state can be six months to a year depending on the scope and depth of the changes. Do you to the customer when that happens? Yes. If a defect... are they under an obligation to pay for a fix? No, in those cases those are covered under licenses and we make the changes and roll them back out to the customer. Mr. Polis? Similar with Dominion.
We comprehensively do testing on all of our products and that is ongoing in the company on all current products. Any issue that we find is immediately disclosed. That's actually regulated in some states, such as your home state, within a very specific time period depending on the severity. Per the license, you would... it would not be an extra charge, no. Similar. We disclose any of those types of critical election day type malfunctions up to the EAC. That's all regulated right now. Great. I appreciate it. Shifting gears, you talked about the Idaho National Lab and some of the DHS testing work that you've done. With respect specifically to cyber attacks that... and we all understand the stakes here and what's involved, as do you. Can you talk specifically about how you work with the federal government when cyberattacks potentially occur? Do you report those potential intrusions to your customers or to the federal government? And do you believe you have a time and obligation to timely notification to customers when a security breach of that product or your company happens? Mr. Burt? We do. We have... we share information with the MS-ISAC and the EI-ISAC. So we don't specifically share an IP has been identified as an attempt to penetrate a firewall. That happens thousands of times a day. That isn't useful. With our coordination, they help us to identify and understand sort of potential attacks that might be potential exceptionally dangerous. What would that look like? In the last 60 days how many times would you notify a customer? We don't notify customers of the msi. Many of them participate and receive the same information. It's not specific to our business. It's commentary about what's going on around the country. So there's no way for a customer to know that there was a potential breach? I'm not talking about a ping in an IP address. I'm talking about a breach and a potential intrusion into your system? We've had no breaches to report. What's that dialogue like with DHS?
With any federal entity? Through your systems. How much is that... There is a process. If a breach were to occur, DHS has issued guidelines in terms of the communications. We've practiced those through national tabletop exercises. We have the national Department of Homeland Security travel to Omaha to practice in the event a breach did occur to make sure that we would be in position to communicate it effectively. Mr. Polis? Similar, congressman. We have not had any potential breaches. We haven't actually reported anything to a customer but our policy is that we would communicate any potential breach to a customer. Miss Mathis? Similar. We have not had any breaches but have created a robust incident response plan that has been updated to include disclosures and notifications all directions, DHS to customers to ensure we've got communication. What level would you flag for DHS? I understand that all of you are saying you haven't been breached. But at what level... there's a difference between being breached and pinged. Talk to me about that spectrum of intrusion? We actually are erring on the side of if anything too much disclosure, if there is such a thing. We actually had an example where a customer contacted us with a potential breach. And we actually contacted DHS and let them know of this whole situation. So it was not a breach. It turned out that that particular county was exercising a test. And so it actually... the whole process worked. We did not know that, and we were happy to communicate that to DHS. Thank you. Gentleman's time has expired. We will have a second round of questions, and I will begin. In answer to a question from Mr. Butterfield, Mr. Burt testified under oath that they do not currently have voting systems in the United States with remote access software installed, if I heard you correctly. That is our belief. None of the systems in use today... Would that be true for the other two? Yes. We have never had remote access.
Do you sell voting machines that have network capabilities installed? Can you be more specific? Yes. You don't have the software installed but you have the capability of installing it? For remote access software? Yes. We no longer install any remote access software. That was discontinued in 2006 and is not allowed by any of the EAC testing. Mr. Polis? Chairperson, we've never had any capabilities... Capabilities. But I will say that I do want to draw a caveat. Some of our tabulators are designed around the ability to have an external program modem to transmit after polls close. Okay. We do not have remote access capabilities as you mentioned. So similar to Mr. Polis, we have as required by certain states a remote transmission. We do not, actually. Our technology for our Verity product actually does not put any voter choice in a bar code. We have optical character recognition technology. Okay. I have a question. For over a decade, my smartphone has had the capability to prevent unauthorized unsigned code from running on the device or interfering with the operating systems. Do all of your election systems currently in use prevent unauthorized code or altered operating systems from running on them in this way? They do, chairperson. I'll give you one example. The memory stick that we purchased from a manufacturer, our system won't even operate unless they know that it's a particular serialized number memory stick. If you bought one from an Office Depot it wouldn't recognize it. All of ours are the same. The exception that I will point out to the committee is we do support some legacy systems that are still in use that were designed in the remaining cases over 20 years ago that do not have this capability. Our Verity product line actually incorporates a feature called whitelisting which only allows the programs that we permit with our Verity design, so it actually blocks everything except four. It's more secure. I'd like to follow up with you, Mr.
Burt, because from the previous testimony, your company is the only one that provides election infrastructure that is not just the voting machines itself. You've indicated your interest or suggestion that the EAC have greater jurisdiction over voter registration, electronic poll books and the like. I'd like to know that even without that jurisdiction, what are you doing right now to ensure that these products are safe, secure, up to date, and utilized current technology best practices? Thank you, chairperson. With respect to the poll books, all of the data is encrypted on the poll books. With respect to the voter registration systems, which I think is more commonly a question for folks, we've recently worked with the Center for Internet Security to install Albert sensors, which is a national monitoring system, and we've wrapped this around our voter registration systems that we house. So for example, ranking member, the example that she brought up related to Illinois going back to the 2016 election, that's the kind of activity that an Albert sensor is meant to prevent and detect with respect. Thank you very much. I see my time has expired. I will turn to the ranking member for his additional five minutes. Thanks. Thanks to the witnesses. All of our colleagues on both sides of the aisle have the same interests. We want to protect elections, make sure all machines that are used are up to the tasks. So thank you each of you for being here today. I know some of the questions can't be comfortable. I know there's been a lot of talk about supply chain issues. Yes or no questions. Start with you this time, Miss Mathis. Is it currently possible to build an election machine entirely of U.S. manufactured parts? I don't believe it is possible today. Mr. Polis? Not to my knowledge. Mr. Burt? I do not believe it's possible. Do you see why that concerns all of us up here? Absolutely. Absolutely.
Are the parts in your supply chain, Miss Mathis, that come from abroad also used in other industries? Yes, they are. Okay. Mr. Polis? Yes, they are. Mr. Burt? They are. They're used in a variety of industries, probably some of them present in the room today in the various equipment that you see around the room. Like? We see cameras, a variety of electronics, switches, there's almost nothing that we interact with from an electronics point of view. Of course, your phone. That have parts made overseas and distributed to a variety of manufacturers. It's the components we're concerned about. We have a global supply chain and you're not able to comprehend a machine able to be built with completely U.S. parts. Make us feel comfortable here in this country that your machines with the critical components are U.S. manufactured or they're going to be able to not be compromised. Miss Mathis? I believe that is an ongoing challenge that we all have and we're open to getting feedback from DHS to help us understand what our capabilities and opportunities might be to source alternatives. Mr. Polis? That's been an ongoing discussion at the EAC on how they address and the guidelines we would follow to those practices. Mr. Burt? Again, I think this is an opportunity for the voting system vendors to partner better with the federal government. Surely there is deep expertise in the federal government that could be brought to bear on the supply chain management. We would welcome that dialogue and assistance. We look forward to working with you in that field. Earlier it was mentioned about campaign contributions and lobbying activities. Mr. Burt, you mentioned that ES&S does not make campaign contributions at the federal level? We have a policy that every one of our employees, vice president and above, as well as anyone engaged in sales, are strictly prohibited from making campaign contributions. Mr. Polis, are you able to make campaign contributions?
We have a policy that all employees are not able to. Miss Mathis, similar? You guys all corporations? Yes. Yes. Yes. Well, it's nice to see that we have a lot of agreement here amongst Republicans and Democrats in regards to election security. And I find it interesting during the first round of questions, madam chair, chairperson Lofgren, talked about some of the areas where you all agreed that the federal government needs to work with you, need to work with the federal government. You mentioned a robust bill sitting in the Senate. Here's the problem with the top-down approach in Washington when it comes to the process. That bill sitting in the Senate may force you as corporations to actually give campaign contributions to members of Congress. Because in that robust bill there is a provision that would take corporate funds from corporate malfeasance, which I would argue you would be eligible if something went wrong, and it could go to a freedom from influence fund concocted by the majority. That would force the first ever corporate dollars into congressional campaigns. My point is, you don't allow contributions now by any of your employees because you don't want that to affect anyone who's in charge of running elections? Correct. Correct. Correct. Why in the world would this institution at the federal level in turn possibly require you and require any corporation to give the first ever corporate dollars to individual members of Congress' campaigns? That's why when we talk about robust bills, we all have the same goals, but let's not kid ourselves in thinking that there are provisions in bills that are going to always benefit free and fair elections rather than benefiting individual members of Congress. I yield back. Gentleman yields back. I... before yielding to Mr. Raskin, obviously everyone is entitled to their own opinion, but the matter referenced is a fine collected by the federal government which would then be put into a fine, not a contribution from congresses.
I yield to the gentleman from Maryland for five minutes. Thank you very much. Let me pursue the line of questioning by my friend from Illinois, and I asked those questions originally about lobbying and campaign contributions and so on. And I just saw this report from ProPublica which says in August 2018 Louisiana announced it would replace old voting machines and awarded a contract to ES&S. It accused the state of writing the request proposals so only the company's machines would satisfy the terms. Shortly after the governor canceled the deal forcing the state to start the process over again. The government administration just sided with a company 40 million more expensive. In a statement the governor's office said the cancellation was justified. The office laid the blame at the feet of the secretary of state offices which it said added additional requirements to the bid. Louisiana finance records show an ES&S lobbyist had donated to Edwards' campaign since 2014. Mr. Burt, you said you have a ban on campaign contribution by the top level officials in your companies? Correct. But it doesn't go all the way down and doesn't apply to lobbyists you would employ in the various states? It does not apply to lobbyists. What's your specific practice? None of your employees... Correct, contributions at any level. Miss Mathis? Correct. I wonder if one of you would be interested about opining why you have that practice and whether you think that should be in federal law for all of the reasons that were, you know, suggested by my colleague about the importance of keeping election administration completely separate? Two dangers, one is paranoia where we have politicians running around saying it's all fraud. The other is complacency where we don't pay sufficient attention. Can you explain what the basis of that policy is that you have?
We want our company and stakeholders to be independent of the election officials that are making selections in terms of what's best for their state and localities. In your example of Louisiana, Louisiana happens to be a state that currently has legacy voting systems of the type being discussed at this committee level. And they were seeking to update with more modern certified systems. And unfortunately that's been delayed. So you mean by virtue of the change in the vendor? There was no change. It was all delayed. As a result they're using the legacy systems in the 2020 election. Miss Mathis? What is the question? What's the basis of your policy of not preventing all employees? I don't know if it extends to consultants? It's important for us to ensure that we are objective and independent. We don't run elections. Local election officials run them. We're not engaged in that. It's important for us to ensure we're staying objective. I remember a big controversy about the company Diebold. One of your companies took over that? Was that ES&S? A little complicated, congressman. We made a purchase, and then my colleague Mr. Polis ended up buying the intellectual property. Both of you got a piece. But I remember that they actually were actively politically involved, and I think this was the president who had sent out a campaign solicitation saying that they would do anything to see that one candidate got elected president at a time when their machinery was being used in different states. That obviously creates a serious problem from the standpoint of public confidence in the integrity of the elections. All of this makes me think that it might be a good idea for us to formalize and make comprehensive the practice that you seem to be moving towards, which is that your job is to sell the technology to make it as secure as possible, and not to be involved in the political process. I'm wondering about why it seems that technology goes so wrong sometimes.
In Georgia, in '18, ES&S technology was used when many voters did not cast a vote for lieutenant governor and were not paper backups. Why does that happen? That is one of the problems we have, huge problems like this that takes place on one day or two days a year that the machinery has got to work, and then it really undermines public confidence? Congressman, the equipment is not ES&S equipment. Diebold that went out of business is actually the manufacturer of that equipment. In general, I think there were some other cases where that's happened as well. Can you explain why does that happen? It only has to work once a year, once every two years and then it breaks down. Maybe one person could answer. Thank you for the question, congressman. The equipment that you are referencing was a legacy voting system originally sold to the state of Georgia by Diebold who is no longer in the elections business. But it's the type of voting machine that does not feature a paper trail. In the event of something happening in an election, and it's not the only instance, where something plausible, something possible but not plausible, it's difficult to have an audit for that if there's not any paper record. Time expired. Turn to North Carolina, Mr. Walker. Thank you. Mr. Davis talking about HR1. A quick question along those lines. I'm assuming if you were fined by the federal government, those would be corporate dollars that you would pay those fines. Makes me think of Yogi Berra which says they give you cash which is just as good as money. My question is, we're federal elected officials. You guys are the expert in this industry. I applaud you for the in-depth testimony you've given. You know the stuff. As I look into the future, and I want all three of you to touch base, where do you see the technology of election systems headed five, 10, 15, 20 years down the road?
Obviously as Ranking Member on another committee when it comes to intelligence and specifically even terroristic cybersecurity acts, so as technology advances, where do you see the adaptations going? I'm going to start with Miss Mathis. Sure. Unlike other industries in technology, the direction seems to be more back to paper. That wasn't the case a few years ago. And now the election industry has moved that way to more paper. Which is interesting from a technology perspective. I feel like that that will continue to evolve as preferences of local election officials evolve and as security continues to evolve. I think that the answer is, it will evolve. Okay. All right. I look at it in three ways: technology, people and process. The first on technology, evolved standards on security and how the technology comes to be in terms of manufacturing and supply chain. In terms of people and process, I think that I would like to see, I should say, further programs and continued work at the federal and state level in terms of better eliminating barriers that jurisdictions have in modernizing their election infrastructure and things like poll worker training. Training. It highlights the fact that the burden on election administrators across the country from a technical capability perspective grows greater. So I think the challenge for election administrators to be able to staff their respective offices with people who are competent in these fields will be an ever greater challenge going forward. I yield the balance of my time to the Ranking Member. Thank you. And I want to get back to the supply chain issue quick because it concerns me. Have any of you had conversations with your U.S. suppliers of electronic products that go into your machines, just like our TVs, phones and what have you, have you talked to those suppliers you work with that may outsource some of their manufacturing to foreign countries? Have you talked to them about trying to develop a U.S.
made chip or electronic LCD product even though they may be a U.S. company? We have, Ranking Member, but the challenge is, and I believe this is true for all of us, we are not a large customer to any of these major manufacturers. Take Texas Instruments, which makes one of our programmable devices: we are a very, very small part of their business. For themselves to retool their international operations for our benefit is not realistic. Mr. Poulos? That's 100% correct. The infrastructure needed is the change of infrastructure to be able to create all of the fabs and necessary manufacturing for 100 components being manufactured in the United States is not a small effort. Miss Mathis? Right. It will take a whole sea change in the way that the global supply chain works in the technology industry, I think, for us to be able to take advantage of that. Okay. Now, I asked if you were all corporations. Will you tell me yes or no, are any of you run by private holding companies, private equity companies? We are run by our executive management team, but we have 80% ownership by local private investment group. How about you? Similarly, we are run by our management team and we are owned I believe 76% by a U.S. private equity firm. Miss Mathis? Similar. Do you see why we are concerned? These are going to be questions raised by both Democrats and Republicans in the future. I appreciate you being here, taking the time. We have the exact same interests on all sides here in Washington. We want to protect our elections, make sure your machines are unhackable. Let's continue to work together to make that happen. I yield back. The gentlelady from California, Miss Davis. Thank you, Madam Chair. Thank you for all being here. I'm sorry I had to walk out during the panel for another meeting. But I think many of the questions have been asked.
I wanted to focus for a moment on voter education, and the responsibility, if any, actually you all have, through the companies, and if you want to comment, Miss Mathis, you know, what is that responsibility? Do you work with election officials? We were talking about some ballots that were misread; how do we deal with that? You mentioned Diebold, that was what they did at that particular time. But we also know that sometimes, you know, ballots are just not constructed in a way that people actually see where they should go as they share their stories. So how, you know, what are we doing to make sure that people are registered correctly? That they can check their voters? Make sure that they, you know, voted the way that they want to? Often people are pressured by long lines. How can you help? What are you doing to really address these issues? And I know the second panel is also speaking to voter education. We believe very strongly with a partnership with our local election officials. That extends to voter outreach, voter training, poll worker training; we work with local officials to make sure they have best practices, that we provide them materials, you know, handouts. We also, we have webinars where we'll train the local election officials to provide additional media. Can you think of an instance when you've actually picked up a problem and they've corrected it? What? That you've picked up a problem, pointed out something to them that would be issue and they changed? Yes. We have customers all over the nation. We'll provide to them, here's what we've seen in other jurisdictions that's worked really well. So this is an ongoing partnership, and, you know, our customers, our local election officials, rate us very highly in just an ongoing lifelong partnership with them, so we absolutely are part of that solution.
Congressman, what we hear are the shared perspective of best practices from our experience around the country, and with experience that they at that local jurisdiction may not have seen, particularly as it pertains to the deployment of new equipment. Voter outreach and poll worker training is exceedingly important. We've been asked questions about, can we build an unhackable voting system? You can have a secure, reliable system that's transparent. But again you have to understand that the people and process is layered on top of that and pose additional risks. This is something that voting officials have known for decades. That's why we have poll watchers. It's why warehouses are bipartisan and boards of election are. The poll worker training and the training the trainer is something that is exceedingly important in the ongoing vigilance of the migrating threats that we see. Congresswoman, you mentioned the importance of voter education. We agree; for some, interacting with a piece of technology such as a touch screen can be intimidating. We don't ever want that to be a reason that someone would choose to not go and vote. Starting with making sure that our customers understand at a very deep level how these machines operate and then assisting them, going out in the public, for example with the city of Philadelphia we've made our machines available in many public squares and invited citizens prior months in advance of the first election where this equipment would be used, so that people could remove the intimidation factor from interacting with a new piece of equipment, make sure they were comfortable, encouraged to come out and exercise their right to vote. I hope we don't hear of those horror stories, it. Can you just quickly, how much of your annual profits, and what are your annual profits, how much of that money comes from new voting machines and how much comes from service contracts for existing machines? Congresswoman, that varies very substantially from year to year.
There are years, or there have been years, even recent years, where we've sold very minimal amounts of hardware, and of course last year in the recent runup in preparation for 2020, I believe all three of our companies sold a disproportionate amount of hardware because of the actions that jurisdictions were taking. But unfortunately there is no normal in terms of the mix between hardware and services in this industry. Annual profits? I think my time is up? We're a private company so we keep that information private. And Madam Chair, is that really represent kind of where you're at as well in terms? Correct. All right. Thank you. Thank you, Madam Chair. Gentleman from North Carolina is recognized. Thank you. Madam Chair, the first round went quickly and I was unable to ask my final question. Let me pose it at this time. To all three of you, do your tabulators have wireless modem capacity, Mr. Burt? We do field some tabulators with wireless modem capability, yes. Do you have any concerns about whether or not that poses any security threats? I think there's always a concern. That's something that we've discussed with our technology partners and our government partners. We recently assisted with the state of Rhode Island to test a service where Verizon has a private network that does not travel on the normal highway, blocked on both sides. They involve the National Guard in these tests and determined these were very low risk and wanted to continue using them. Does Dominion use wireless? Yes. In relation to the precinct-level machines, we use them insofar as a state has regulation and requirements to report unofficial results remotely. And the way we do it, to answer your question in terms of concern, there are additional risks that are posed when you have remote transmission. We work to mitigate them with state and local officials. All of our modems work on a private network. Miss Mathis, you have modems as well? Yes, we do. Don't want to run out of time.
The Ranking Member raised bipartisan concerns about a private equity. Would you be willing to submit, to each one of you, to submit in writing after this hearing a list of all individuals and entities with at least a 50% or more, 5% or more? They said 80% and 76% but I thought I would raise it to 50%. I'd say 5% or more ownership of your company, including private equity? We regularly make that exact disclosure to our customers. But it is 80%? It's actually over 5%. Didn't you say earlier that 80% of your ownership? In ours I think it's 76%. Someone said 80%? All right. So you are not in a position to provide a list of those investors? Oh, no, we are. All right. All right. So it's part of public record currently? I don't know if jurisdictions publish it. But we're certainly not adverse to it. But if you give it to the customers you can give it to this committee? Of course. Would you do that? Of course. I believe your question was to disclose anyone who owned 5% or more of the business? And my answer is yes, we will supply that, and we have actually supplied that information to your state of North Carolina. All right. And Miss Mathis? Same feedback. So as far as greater than 5%, we have provided that. All right. All right. Thank you. I yield back. Gentlelady from Ohio. Again, thank you for being here. I don't have a question for them, just a comment, Madam Chair. I'm glad that we agree on the fact that persons who work in your particular companies and in your field should not be making contributions to members of Congress. But I am always amused by how we change positions from day to day. One day my colleagues say, corporations are people, my friend, and they should be able to make contributions. So I don't know why you shouldn't be able to. Then they'll say, it's a First Amendment right for people to make contributions. They oppose campaign finance reform and then contort the language of HR1. I'm always confused about where they stand. So I appreciate your position.
I think that it is the correct position. But I don't want you to get crosswise because corporations are people, my friend. I yield back. Gentleman from California recognized. Thank you, Madam Chair. One last question to follow up on Miss Davis, who asked a little bit about your company's annual profits. And I think it's fair to say that the revenue derived by the companies comes from, would it be fair, let me start there, that the revenue that your companies derives comes from two main sources, selling machines and providing contractors for services related to those machines and their use? Is that fair? That's fair. Yes. So if the three of you control 80% of the market, my concern is, what portion of your revenue do you invest in research and development to produce better, more secure, more cost-effective machines? Because what I don't want to get to is a position where you three control, we have the same hearing in two years, four years, and you control 95% and you collectively decide, well, we're just going to, you know, sell a few machines, provide those contractors to those, and we're going to kind of work with each other to make sure that we don't innovate, continue to grow. I'm not saying that you folks do. I'm saying that it wouldn't shock you to say, wouldn't shock you to hear that folks have come to Congress in the past when their proportionate share of business gets a little too large and members have concerns about where that could go. Mr. Burt, can you talk a little bit about research and development? Sure. I think you raise a very important concern. There are new entrants into our marketplace. However, and some have been quite successful as of late. We've been presented this question before in terms of a percentage of revenue that we reinvest for research and development. Historically somewhere around 19% of revenue that gets reinvested as research and development. Mr. Poulos? Congressman, innovation is critical for us. We're only as good as our products.
Depending on the year because of our revenue fluctuation, it's anywhere from 20% as high as 35%. Miss Mathis? Similar on our side. And it's, innovation is critical to us and as far as, you know, the, we are trusted election partners to our local election official customers. So it's imperative to us that we're continuing to innovate and make sure that we're keeping up with the, or staying ahead of the technology. I didn't hear the percentage or the range? Ours varies, varies, just depending on kind of the year. I heard 19%, 20% to 35%. What would, we're closer to the 25%. Thank you. I appreciate it. Gentleman yields back. And that is all of our questions for the moment. However, as I mentioned in my opening statement, we may follow up with written questions from this hearing; if we do that, we do ask that you respond promptly. We thank you very much for your testimony today. You are excused. Thank you. I'd like to call up the next panel. It's a big panel. So we need to put a few more chairs up. So I'd like to invite the next panel to take their seats. And I will begin introducing this panel. First, if we can ask the panelists to sit. Sorry, it's a little crowded. But we've got some great witnesses. First, I'd like to introduce Liz Howard. She serves as counsel for the Brennan Center's Democracy Program. Her work focuses on cybersecurity in elections. Prior to joining the Brennan Center she served as Deputy Commissioner for the Virginia Department of Elections. During her tenure she coordinated many election modernization projects including the decertification of all paperless voting systems. Dr. Matt Blaze is a researcher in the area of security systems, cryptography and trust management. He is currently the McDevitt Chair of Computer Science and Law at Georgetown University. He is a cofounder of the DEF CON Voting Village. Dr. Juan E. Gilbert, scoot there, Dr.
Gilbert is the Banks Preeminence Chair in human-centered computing and chair of the Computer and Information Science and Engineering Department at the University of Florida, where he leads the Human Experience Research Lab. He was part of a committee of experts and academics who wrote Securing the Vote: Protecting American Democracy for the National Academy of Sciences in Medicine. Dr. Gilbert also created an open source voting system that is used in federal, state and local elections. The Reverend Dr. T. Anthony Spearman, a member of the county board of elections in North Carolina. He was elected president of the North Carolina NAACP in October of 2017. In 2016, Dr. Spearman played an important role in the voter suppression litigation that challenged suppressive voter ID requirements and other legislation that would suppress votes in communities of color and other representative communities. Commissioner Donald Palmer was confirmed to the EAC in 2019. He is a former Bipartisan Policy Center fellow, where he provided testimony to state legislatures on election administration and voting reforms concerning election modernization. Commissioner Palmer was appointed secretary of the Virginia Board of Elections by former Virginia Governor Bob McDonnell in 2011, and he served as the commonwealth chief election officer until 2014 and currently serves as Florida State departments of elections, and prior to his work in election administration he served as a trial attorney with the Voting Rights Section of the Department of Justice's Civil Rights Division. He was a U.S. Navy intelligence officer and judge advocate general and awarded the Navy Meritorious Service Medal and Navy Commendation Medal and Joint Service Commendation Medal. Finally, I'm going to return to our Ranking Member to introduce this gentleman. I would be remiss if I didn't mention Cole, behind us, will be leaving to join the JAG Corps this next week.
This will be his last hearing and, Cole, thank you for your service here and to be for our country. Really proud to announce our last witness, my home election official, county clerk and recorder in Christian County, Illinois, Michael Gianasi. He was also in the private sector but was our supervisor of assessments, not necessarily the most fun job in the county courthouse, to deal with property tax assessments, but you did a great job. I want to tell you, Mike is here because I believe his testimony will provide an interesting perspective to a local county official who has actually administered elections. I have known Mike almost my entire life, from playing youth sports in the same hometown to graduating high school together and working together as he was a fixture at the courthouse when I was working back in Illinois. Mike and I are good friends. Mike's a Democrat, I'm a Republican. And I know that a guy like Mike, the only thing he cares about, when it comes to administering elections in my home county where I vote, is to get it fair, make sure everybody has access to vote and to ensure there is no problems, especially on election night. That's a concern of everyone. I think Mike will give a unique perspective even coming from a small rural county about how something that may be a good idea here in Washington, how it may impact their ability to actually run that election as efficiently and as effectively as possible. This is Mike's first trip to D.C., too. I got to take him on a trip to the Capitol last night. Make sure you enjoy the rest of your trip. I want to thank you for your opening testimony and I literally want to thank you for your insight you will be able to give to this committee, to this city and this country about what it takes to run an election in places like central Illinois. With that, thanks again for coming, buddy. I yield back. Thank you very much.
As you heard with the prior panel, each of you will be asked to testify for five minutes; your full written statement, that will be made part of the record. I ask each of you to stand and raise your right hand and I will ask you whether you swear or affirm under penalty of perjury the testimony you're about to give is true and correct to the best of your information, knowledge and belief, so help you God. The record will note each witness responded in the affirmative. We will turn first to you, Miss Howard, and then each of the witnesses. Thank you, Chairman member Lofgren and members of the committee. Thank you for providing me the opportunity to testify about the ongoing efforts to secure voting estimation across the country and the challenges to this progress stemming from a lack of vendor oversight. Today's unprecedented hearing is a much appreciated continuation of our country's infrastructure and important step towards comprehensive vendor oversight to address the significant security gaps that remain. Today, I hope to convey three main points. First, election vendors play a critical role in our democracy but have received little or no congressional oversight. Second, despite this oversight, significant progress has been made in election security since 2016. Third, there is still more to do to further strengthen our election systems in the 2020 election and beyond. Congress has an important role to play in that process, including oversight of our vendors so important to our elections and security. The absence of oversight negatively impacts the elections ability to secure our infrastructure and felt most acutely in times of crisis, I know from my own experience. In 2017, roughly three months before an election, paperless voting booths were publicly hacked at DEF CON and it was publicly reported.
Even though I was the Deputy Commissioner of Elections I didn't know if the vendors knew about the vulnerabilities exploited by the hackers, if the vendors had taken any steps to address these vulnerabilities owned and controlled by the vendors, or if they would fully respond to my questions, as they were not then and not now subject to comprehensive oversight. In no other sector designated as critical infrastructure are vendors allowed to provide critical structure without oversight. While the ongoing work of election officials in this committee has resulted in significant security across the country, these are no replacement for comprehensive oversight of a wide variety in our elections yet subject to little or no oversight or regulation. The comprehensive vendor oversight framework we recommend applies not only to voting system vendors but also vendors that maintain and program those systems and count and tally votes and build, manage and maintain voter registration databases and poll books that allow elections to see who is eligible to vote. I was pleased to see these be embraced for comprehensive reform earlier today. We hope Congress can move quickly to adopt these reforms but understand it may take a while to fully implement them. In my written testimony I outline the steps we recommend Congress take in the short term: oversight of the 2500 million recently allocated for election security, paying particular attention to if the money is being spent on building robust resiliency plans, to detect and recover from successful breaches to ensure regardless whether there is a successful attack voters will still be able to vote and have their vote counted accurately. In addition I included steps Congress should take after 2020, including expansion of the EAC's oversight role to include more robust monitoring and security practices and oversight of election system vendors.
While lack of vendor oversight is significant concern and there is much work to do before and after the 2020 election, it's important to acknowledge the progress made strengthening our voting structures since 2016. For example, almost half the states using paperless voting systems have now transitioned to paper-based voting systems. Congress has allocated 800 million to bolster election security in the states. Awareness has increased dramatically and election officials across the country are implementing a variety of measures to make our voting systems more secure. Thank you for your time. I look forward to your questions. Thank you very much. Dr. Blaze, we'd love to hear from you. Thank you for convening this hearing on the urgently important topic of securing America's elections. I come here today as a computer scientist who spent the better part of the last quarter century studying election system security. As you're well aware, the integrity of the elections systems across the U.S. depends on the integrity of computer software systems embedded in our infrastructure. Complex software lies at the voting system at polling places but systems used by local authorities to manage everything from voting registration records to tallying and reporting election results to creating ballots and so forth. Unfortunately, much of this infrastructure has proven dangerously vulnerable to tampering and attack and in some ways that cannot easily be corrected after the fact. These vulnerabilities can create ability for adversaries to do everything from causing large scale disruption on election day to undetectably alter election outcomes in some cases. For the purpose of my testimony it's helpful to understand voting machines and management separately. Let me begin with the voting equipment itself.
To be blunt, it's a widely recognized, really indisputable fact every piece of computerized voting equipment in use at polling places today can be easily compromised in ways that have the potential to disrupt election operations, compromised firmware and software, potentially alter vote tallies in the absence of other safeguards. This is partly a consequence of historically poor design and implementation by equipment vendors, but it's ultimately a reflection of the nature of complex software. It's simply beyond the state of the art to build software systems that can reliably withstand targeted attack by a determined adversary in this kind of environment. The vulnerabilities are real and serious and, absent a surprising and fundamental breakthrough in my field I would welcome but I don't see coming soon, probably inevitable. Fortunately, this is not all bad news. There is now overwhelming consensus among experts how we can conduct reliable elections despite the inherent unreliability of the underlying software. This requires two things. The first is that the voting technology retain a reliable paper record that reflects the voter's intended choices. Unfortunately, equipment that has this property exists today, fortunately, and it's the simplest available. I refer to paper ballots, preferably marked by hand when possible, and fed into an optical scan ballot reader, and the original voter ballot is retained. This isn't sufficient by itself because the software in the ballot scanners is itself vulnerable to tampering or error, and the second, that it reliably audited to report the outcomes of each race defined by the ballots marked. There's a technique called risk limiting audits to affect this quickly. This has to be performed after every election in order to provide meaningful assurance. Unfortunately, only a handful of states currently conduct these audits.
It's urgent these safeguards, paper ballots and audits, essential for election integrity, be adopted quickly and widely throughout the nation. The second technology is the election management infrastructure in use by jurisdiction. We give most of the attention to vulnerabilities in voting machines. That's not the whole story. Each of the 5,000 jurisdictions responsible for running elections across the nation must retain a number of critical information system attractive targets for adversaries, and most importantly voter database registrations, systems that report final results and so forth. Unfortunately, there are even fewer standards for how to secure these systems, the administration of these systems varies widely, and the threats of these systems is often more acute than the threats against individual voting systems. Just as we don't expect the local sheriff to single-handedly defend against military ground invasions, we shouldn't expect county I.T. managers for the elections to defend against foreign intelligence. That's what we've been asked to do. Thank you for this, and this is an important topic and glad you invited me to testify. Thank you very much, Dr. Blaze. Dr. Gilbert. Chairman Lofgren and Ranking Member Davis and the committee, I am happy to share with you my expertise in election usability. I have worked more than 15 years conducting studies with various election stakeholders. In 2003 I created Prime III, an open source, universally designed system. To my knowledge Prime III is the only open source voting system to be used in state, federal and local elections in the United States. New Hampshire adopted Prime III and renamed it One for All. Butler County, Ohio uses it as their accessible absentee system. Further, voter machine vendors have created systems modeled after Prime III. While I am here as an expert in voting estimation I would like to share key recommendations from 2018 National Academies science voting report, entitled Protecting the Vote.
I was a member of the committee that authored the report. I would emphasize any opinions about this report are my own and do not necessarily represent positions of the National Academies. Securing the Vote was the result of a two-year National Academy study conducted by experts from election administration policy, cybersecurity, accessibility and law. Over the course of the study, the committee reviewed extensive background materials and held five meetings talking about a range of topics including voter registration, accessibility, voting technology and impediments to voter security and training of election workers. The committee did not have access to classified information, but instead relied on information of public domain including state and government reports, published academic literature, and testimony to committee. Issues related to voting such as voter identification laws, foreign and domestic disinformation and other topics were outside the charge of the committee and therefore are not included in the report. The Academies' report recommended elections be conducted by using human-readable ballots marked by hand or machine using a ballot marking device and may be counted by hand or machine using an optical scanner. The report further recommended recounts and audits should be conducted by human reading of the portion and data machines that do not possess verifiable paper audit trails should be removed from service as soon as possible. Currently, there's no known way to secure a digital ballot. At this time any election that does not have paper ballots is not secure, and internet voting and specifically electronic returns of marked ballots should not be used at this time. They recommended election vendors should prevent any probes to tamper with the systems including voter registration systems. Each state should have a comprehensive audit of outcomes, and detailed best practices for elections should be developed and maintained.
Congress should provide funding to the state and local governments and modernize the election systems and cyber capabilities, and Congress should provide funding for major research on voting. Recommendation 7.3 of the Academy report says Congress should authorize and fund immediately basic supply and traditional research relative to the administration, conduct and performance of elections. This initiative should include academic centers to foster collaboration with local election officials and industry. This recommendation is bold, calls for research and development and solutions and issues identified in the report. I believe a minimum of 25 million in funding over a five-year period would be needed to establish a national center. As a nation, we have the capacity to build an election system for the future. Doing so requires focus and attention from citizens, federal, state and local governments, election innovators in the academy and industry. It also requires commitment of appropriate resources. Representative democracy only works if all eligible citizens can participate in elections and be confident their ballots have been accurately cast, balloted and tabulated. Thank you for the opportunity to be here. Thank you very much. Reverend Spearman, we'd love to hear from you. Good afternoon, Chair Lofgren and Ranking Member Davis and committee members. I am indeed honored to be here because like the previous participant on these panels, I am neither a voting systems vendor or expert. I am an activist, one raised in a household where the vote was sacred. I am president of the NAACP and the only member of color from Guilford, North Carolina. While not an expert in election security I rely on the findings of those scientists who are and urge my counties on county boards across the nation to do so as well. We must listen to scientists, not vendor marketing claims. Dr.
Alex Halderman just published research and found electronic ballot marking devices do not create ballots reasonably audited consistent with the study from dr. Stark, dr. Demello and dr. Kapell, concluding they cannot be relied on that insure the will of the people. Dr. Duncan buhle, along with others studied Voting Machines and allocation can frustrate and disenfranchise voters. Let me hasten to say i am not antitechnology but agree with scientists that ykykm security can be compromised by placing an Electronic Device same day registration began allowing voters to cast ballots during the early Voting Period and led to an increase in Voter Participation during november 28 of the 2008 presidential election. Voters used handmarked paper ballots. In 2014, when i was afoint a church in greensboro in Guilford County presented itself i worked as a judge to become a chief judge and overseer of one of the largest precincts in the county. In Guilford County electronics were in use and among my growing concerns and my concerns were Electronic Devices. I had 3,800 voters. As one of my friends has convinced me the first line of defense is the local county bipartisan election board like the one i sit on in North Carolina. Across the station they are authorities for reviewing the Voting System and reviewing tabulations before certifying the Election Results. If voters, campaigns and Political Parties insist these boards select only handmarked paper ballots as Standard Equipment and two, maintain chain of custody and, three, maintain paper backup, and, four, conduct rigorous reviews and tabulations before certifying, Cyber Attacks cannot be successful. They cant prevent it but jurisdiction can recover from them and verify the will of the people. Im talking first line of defense.
As first line witness of the process for voting machine certification i was highly concerned of the demonstration conducted and what i viewed as an inconvenient place off the beaten path for most voters. I became aware how unuserfriendly this location was for minorities and as i recall, i was the only person of color in attendance. With the amount of time allotted to county Board Members and only a few minutes left for the public, i immediately called and expressed my displeasure with the setup. By the time i arrived, the necessary adjustments had been made and everyone moved through it together. Elections belong to the people. The more people are included in the process the more we may regain their trust and confidence. Thank you for allowing me to share. Thank you very much. Commissioner palmer. Good afternoon, chairman lofgren and Ranking Member davis and the committee. Im happy to testify before you today on the voting Assistance Commission on the 2020 federal elections. As prescribed by the elections enabling administration, hava, in 2002, across the United States, providing secure accessible and accurate elections. Under that act the eac works to implement election reforms, assist states in certifying Voting Systems, disperse hava funds and disperse best practices in the laboratory of states. We work closely with the federal Election Commission and others in the community. I am grateful those testifying before you today have shared their important topics on Election Security. I want to thank congress for your recent efforts to increase funding. The addition of 25 million with a state match will go a long way toward enhancing state technology and improving security in state and local elections. Simultaneously, the 40 increase in eac budget will allow us to bolster existing programs and enhance resources.
I should note eacs distribution of 380 million and 2018 hava funds to the midterm elections was important to help officials secure the elections infrastructure. I would like to highlight an important update to our testing and Certification Program. The testing and Certification Program manual allowed for de minimis Software Changes without the fullblown systems certification campaign. In november of 2019 the eacs testing and cert program issued a notice of clarification of clear guidelines with these minor changes for certification. They expect this process will be used by vendors to update the security of their systems with the latest Software Patches and operating system updates. Tremendous progress was also made in 2019 towards the adoption of voting voluntary system guidelines, 2.0. Vvsg 2.0 will represent a significant leap forward in defining new standards that will serve as a template for the new generation of secure and accessible Voting Systems. The hard work in this staff and eac personnel culminated in the presentations of these guidelines to the development committee. The committee is now considering the recommendations to the eac on adoption. My fellow commissioners and i are committed to a transparent and thorough deliberate participation on the path to implementing 2.0. The standards and board of advisors will meet in april of 2020 to consider these key requirements. After their input it is my hope it will be finalized and voted on in the upcoming months. As the nation focuses on the 2020 election this year, so does the eac. We are bringing together election experts and security and accessibility to kick off our focus campaign at the National Press club. The topics for discussion include security environment, need for enhanced poll worker training and insuring accessible elections for all americans.
The increased fiscal year 2020 appropriations for eac will allow us to fill critical staffing vacancies within the agency and bolstering our staff to meet demands. We are in the process of identifying candidates for additional general counsel and personnel and statutory process for identifying candidates for stiff are directives is under way. Expansions will enhance the ability of system updates during the process while fulfilling other duties for conducting training for Election Administrators performing onsite audits for system manufacturing and test Lab Facilities and overseeing a systems audit program. Hava has put forward an Aggressive Campaign for democracy. Despite recent challenges in recent years, the eac has fulfilled its obligation and expanded support it provides to the election and voters. With strong supports from the congress and recent appropriation cycle and recent establishment of the quorum of commissioners we look forward to the next chapter to continue to help america vote. Im happy to answer any questions for todays testimony. Thank you very much. Last but not least, mr. Gianasy. Thank you. Chairman lofgren and Ranking Member davis and the other members today, thank you for the invitation to speak before you. As stated previously, member davis and i are friends, we grew up in central illinois, the town of christian, illinois and i was appointed as the county clerk and recorder in 2017, upon the retirement of that previous clerk and recorder. Subsequently, i was elected as the county clerk and recorder in 2018, of which i currently serve as today. The introduction of my tenure as the Election Authority was rather swift, and at that time, being in the 20172018 time frame, focused on an increase in cybersecurity related responsibilities. I had not been a participant in this arena prior to that time period, so although there were a lot of discussions and a lot of other situations that had occurred previously, i was not a party to that. 
However, as the new Election Authority has become my responsibility to take into account all of these situations and now all of the increasing responsibilities as the days go by. As the Election Authority, my primary concern on the topic of elections involves several categories. One being physical security, of course. The election equipment that i have custody of is stored away in my courthouse in a locked room. That election equipment, bat in, i might as well make this comment, is being delivered today, because as of recently i have been approved the ability to obtain new election equipment. My previous election equipment was the accuvote and tsx type model equipment from diebold no longer used by Christian County. We have now upgraded our equipment to the new equipment provided by unison Voting Systems incorporated, who is not here today. But in regards to meeting with my election vendor, who i have trusted for many many years and previous clerks trusted for many years, the choice of this election equipment was the correct choice and a sound choice. The election equipment that i have chosen is their equipment that provides a paper trail, as required by the state of illinois a paper trail whether it be cast manually by the paper ballot or touchscreen device that produces a paper ballot in human readable form at the end of the process for which the person then has the opportunity to review that, and then they will themselves place that ballot into the ballot box for tabulation. Some of the other logistics i have to also worry about includes staffing of election judges. It is very difficult to always staff my election judge my election judges adequately but we do the best we can. Christian county not being a large jurisdiction has 30 precincts and of those 30 we have 23 physical polling locations. Five judges per precinct, and it sometimes is rather difficult, but we do our best to try to make sure we have as much staffing as we can at those cloeksz.
The election equipment, as far as custody, it stays in that locked room. Its only accessed by myself or my staff whenever we need to do any upgrades as far as programming, which is involving our election vendor, because i do have that service as well, and then we release that equipment to the election judges prior to the election to take it out, get it to the precincts and they will bring it back the end of the election cycle. The cybersecurity related responsibilities, as i described before have become increasingly noticeable. I am a member of the ms isac and hsin. I receive notices on a daily basis, multiple times a day through emails of these different organizations notifying me of vulnerabilities primarily to Software Packages but occasionally to other situations that would allow for us to be on a heightened awareness of other attacks possibly directed to our firewall. The situation, as far as funding of course as a local Election Authority we do receive funding through the hava grants funneled from you recently purchased new machines for Christian County. Correct. What decisions led you to purchase those specific machines . The original machines that Christian County had been using were purchased in 2004. Those machines, like i said before, the active votes and tsx were purchased using hava Funds Available at that time. Those machines, although doing well, up through and including the most recent elections, have seen better days. They have outdated hardware that is no longer able to physically provide a dark print on the ballot table. They were outdated. You needed new ones. Did you use hava funds to get these machines . I did not have hava funds to get these new machines. I was able to work through the county board who had generation bond money for this project. How much did that cost you . I signed a six year lease on these machines and chose not to purchase and that is approximately 322,000. Knowing the size of our county, thats a pretty big impact.
Tuesday i have 21,200 registered voters in my entire county. Great. When you made the decision to purchase those machines, you did not call anybody at the forget to ask permission, right . I did not. You mentioned in your testimony about the illinois Cyber Navigator Program, a program i talked about in this hearing room many times. I think its a Great Partnership between the u. S. Department of Homeland Security and state of illinois and in turn all local officials like yourself. How has this program been beneficial to your role as election administrator in Christian County . The Cyber Navigator Program is beneficial i believe to all election authorities and in particular those that do not have the resources to maintain any form of i. T. Staff, in particular, or those that just have an inability to continue to monitor all of the problems that are coming down the line, and then be able to provide solutions to those problems. You dont have a dedicated i. T. Staffer, youre that person, right . Correct. We dont have any i. T. Staff. The county does hire an outside i. T. Contractor to perform all i. T. Related functions including patch updates, firewall maintenance, email maintenance, et cetera. Just for your office or the whole county and all offices . For the whole county all offices. The treasurer, county sheriff, everybody, right . Correct. You find this cyber navigator by the department of h. S. Funded by your tax dollars is good assistance to small counties like your own . I do. With changes happening, the cyber navigator now partnering with the county has given us the ability to promote different aspects of cybersecurity related awareness and also currently directly assisting with the installation of new hardware that will provide secure access between our Voter Registration voter database server and illinois database server called the illinois central network. Thanks for your testimony today and, mike, great to see you. Mr.
Palmer, while i have time left, one major element of the infrastructure i believe remains unaddressed are electronic poll books. Its my understanding theyre not currently regulated by hava in any way. Are there risks associated with electronic poll books . Yes, there is. Youre right. Its not regulated currently under hava. Although there are instances there may be some interaction with the Voting System. I think the eac is looking at electronic poll books, perhaps there is a way the eac could do a review and approval process for electronic poll books. Its a growing theres a growing use of electronic poll books across the country. Its not universal but more and more counties are using it because of the ease and accuracy of electronic poll books. There are down sides to that. We feel we have an opportunity here. While i have a few seconds left, can you give us one suggestion or two suggestions what you think we could do to update hava, and also if i could ask the eac to give us an opportunity to address some of the concerns you may have with hava, in case this committee and this institution wants to readdress what was passed years ago . I thinks an opportunity for the eac at the federal government level to do a review beyond Voting Systems. The eac and commissioners, wed love to talk with the committee as a whole. Talk about ways we believe at the eac, things could be improved from a fundamental level. Thank you. The gentlemans time is expired. I turn to miss davis, gentlelady from california. Thank you to all of you being here with your experience dealing with all these issues. Dr. Spearman, i wanted to ask you, weve talked about the access issue, and you brought to the election personnel, the concerns you were having, and sounds like they responded to you.
Im wondering, with all of these issues, what you feel sometimes gets lost on the radar screen, in terms of what the needs of people of voters really are in their communities that doesnt get addressed very well . As i stated, and thank you for your question, congresswoman davis, as i stated, i have i guess i would respond to that by saying, on the county board of Guilford County, i am a rarity, the only africanamerican and the only activist, and i come with the concerns of the people, the concerns of the voter. Oftentimes it seems as if the voter has been last on the totem pole. Thats something i have been advocating for since ive been on the board, to put the people on the radar because the elections, as far as im concerned, are the peoples. The more the people, the more humans are involved in the process i think the better off we are going to be. As far as i am concerned right now, our democracy is aberrant democracy. In order to make that democracy and save our democracy, i think the people need to rise up and be is there a specific change that you think could or should be made, in terms of the easier access or, again, more voting days . I dont know, vote by mail, if thats an issue in your area . Well, weve been fighting for that in North Carolina since 2013, since after shelby versus holder. Were going to continue to fight. We just recently won another lawsuit with regard to winning a preliminary injunction for photo voter id which has already been a lawsuit that we won previously, but it seems that the General Assembly continues to come back and disguise it in different ways and tries to get it through again. As it relates to access, one of the things that i believe will be helpful, especially to persons like myself, county Board Members, is more education, more training for the county Board Members and just let the county Board Members know what it is they are being elected to do. Thank you. Dr.
Blaze, i think maybe, i think, it was also mentioned what should be done at this time to try and help with these processes. Yet, we know that in many cases thats not going to happen before this next election in 2020. So what is it that you think we really need to be focused on, very particularly, in terms of hacking of any elections, intervention, what is it youre most worried about . I think, you know, the things im most worried about are a repeat of some of the types of attacks we saw in 2016, against larger election infrastructure, not just Voting Machines themselves, but the back end systems that manage Voter Registration records and so on. Weve been very fortunate that even in 2016, the attacks against our system had a relatively light touch. The determined adversary that wanted to disrupt our elections would have a frighteningly easy task if they wanted to do so. I worry that the over 5,000 election jurisdictions who maintain these systems throughout the country are not uniformly ready to respond to a sophisticated adversary like that. To the extent we can support them, that is an urgent priority. You mentioned many counties dont audit. Is that because they feel they dont have the resources to do that . They dont have additional funding or is it just an attitude as well . No. Everybody is trying to do their best. Risklimiting audits have not yet penetrated throughout most of the country. There are only a handful of states that do them and more states are starting to explore them. To the extent we can encourage wider adoption of these, that will improve things significantly. Thank you. My time is up. Thank you. I just have a few followup questions. First, i want to thank all of the witnesses, but oofls dr. Gilbert. The National Academy report was enormously helpful to us and it was what we ended up putting in our safe act pending in the senate. Tremendous appreciation for you and the other scientists who worked on it. 
I want to talk about the ballot marking devices. I dont love these systems. On the other hand, we need to have a capacity to allow the Disability Community to exercise their franchise freely, and thats an important element of providing for that. I am concerned about the qr codes and bar codes that can be read by the voter and really if youre checking the paper it doesnt prove anything in terms of whether or not the bar code reflects whats on the piece of paper. Its not possible that all of that will be changed between now and election day in november. What are your suggestions as Computer Scientist, dr. Blaze, what could be done in the interim about that problem . The ballot marking devices were originally conceived as purely an Assistive Technology for voters who couldnt mark their own ballots for various reasons and were never originally viewed as the primary method. Right. For people voting. It took us a bit by surprise that systems that use ballot marking devices as the primary method of voting were being deployed and purchased by correct. Across the country. Theres been an explosion of research over the last year in whether voters can reliably verify them. What we found, most recently studied by alex haldermans group in michigan, voters dont appear to reliably confirm their marks match what their intent was. That raises significant concerns. I understand. Its like 7 of the people whether given a personal reminder to check their ballot selections. Those appear to make a significant, not sufficient, but significant difference in how well theyre verified. Dr. Gilbert, do you have anything to add . Yes, i have a lot to add. So, to start, these studies i want to make the record clear. The studies are saying people did not verify their ballot. I didnt say they could not verify their ballot. I would recommend going to the michigan study. Notice in the michigan study, said, remind the voter to review their ballot. It goes up to like 70 to remind them. Try this.
Would you please verify your ballot selections were not changed . Rather than review your ballot. Lets try that. The ballot marking device, there were 16 million voters who voted with a disability in 2016. What was the margin of victory . Less than 3 million votes . So if we were to design these machines so theyre only used by people with disabilities, an adversary finds that as happy day because all they have to do is target a specific group. Universal design, meaning more people using those machines gives you greater security. The likelihood of catching errors increases as a result of that. I will be honest, the universal design with hava was created was designed so each precinct would have at least one accessible voting machine. I said that was impossible because you will have separate but equal connotation. They said you cant have one machine everyone uses so we built it. Later this year we will have an announcement about a transparent voting machine, new innovation that address these issues. We recommended we have a National Center to do research around these things. That is a necessity. This is an arms race. Its not just going to happen in the end. To suggest we should go back to handmarked paper ballot is the same to say we had an accident on the highway and people unfortunately died so we should return to horses and carriages. My time is expired but i do want to just mention, miss howard, you have decertified machines that didnt meet standards. We know were not going to get where we need to be between now and november. Do you have any suggestions what interim steps we could make to make the system safer . Yes. Thank you for the question. Two basic things, right. Voter education about how to use the machines is very important, and additionally, there must be post election audits, which rely on the human readable portion of the ballots, even if the ballots do include bar codes. Thank you. My time is expired. All time is expired.
I would like to thank each of you for your testimony. Note that because we didnt get a chance to ask all our questions, we may follow up with written questions for you. In that case wed ask you answer promptly, and we do thank you once again for your service here as witnesses helping us do a better job securing this election system for this all important 2020 election. This hearing is now adjourned.
