
Transcripts For CSPAN3 Hearing On 2020 Election Security 20240713


Well, welcome, everyone. And good morning. We expect a few other members to arrive momentarily, but while we're waiting, I think we'll begin with our opening statements. And I'd like to note that our committee is charged with overseeing the administration of federal elections. And today's hearing will help us fulfill the responsibility by providing an opportunity to hear from the vendors of most of our country's voting systems. This is the first time the CEOs of the three major vendors have appeared together in a congressional hearing. The companies they represent provide at least 80% of the estimated 350,000 voting machines in use today, reaching over 100 million registered voters. However, despite their outsized role and the mechanics of our democracy, some have accused these companies of obfuscating and others suggest there's an insufficient regulatory structure for the sector. In the committee's May 2019 hearing on election security, Lawrence Norden wrote in his testimony, I quote, there are more federal regulations for ballpoint pens and magic markers than there are for voting systems and other parts of our election infrastructure. So there may be more work to do and much for Congress to learn about this industry. Many have concerns about voting systems with remote access software. And I want to make sure that companies no longer sell voting machines that have network capabilities. In 2019, according to a report in Motherboard, a group of election security experts, they uncovered that back end election systems in at least ten states despite one company's claims that its systems were not. We need also to understand supply chains. In December 2019, a study released by a supply chain monitoring company showed that one-fifth or 20% of components in a popular voting machine came from China-based companies. Furthermore, close to 59% of suppliers within that machine's supply chain had locations in either China or Russia.
Interos didn't name the vendor but said it was widely used. I've also heard concerns about the ownership and control of voting machine vendors. Public reporting indicates that all three of the major voting system vendors represented here today are privately held or are partially controlled by private equity firms. I believe it's in the public interest for Congress to better understand who could financially benefit from the administration of our elections. There are also, of course, threats to our voting infrastructure. We learned in Special Counsel Mueller's report that Russian intelligence officers targeted employees of voting technology companies that developed software to manage voter rolls and installed malware on the company network. We also know that our own Voluntary Voting System Guidelines have not been substantially upgraded before the iPhone was even available. It then took the EAC another decade to make small changes which were adopted in 2015 almost five years ago. So there's more we have to do together to bolster public confidence and trust in our election systems. That is why this Congress has acted. Last June the House passed H.R. 2722, the SAFE Act that would require individual durable voter verified paper ballots, would require risk limiting audits, prohibit wireless and internet connectivity, and create accountability mechanisms for election technology vendors. The bill awaits consideration in the Senate. Just last month, Congress appropriated 425 million to the states to improve election security. This builds on the 380 million Congress appropriated in 2018. Securing our elections should not be a partisan issue. Election security is about upholding a democracy of, by, and for the people. The American people, be they Republican, Democratic, third party, or no party at all. Our democracy is resilient, but it relies on everyone having their vote counted as cast. I now recognize our Ranking Member Mr. Davis for any opening statement he may wish to make.
Thank you, Madam Chair. Especially also thank you for holding this necessary and long-overdue hearing that I've been looking forward to since the beginning of this Congress. And I want to thank our witnesses for being here today to discuss the important issues regarding elections and election security and elections administration. My agenda since becoming the ranking member of this committee has been and continues to be focused on nonpartisan and effective oversight of our nation's elections. Which are maintained by the states, not the federal government. But that does not mean that this committee and the House itself does not have an important oversight role to play in securing elections. Our witnesses here today have state, county, and local jurisdictions as clients. Who know their electorate best. We also have witnesses who have experience with running those elections. But we know that threats from foreign actors to our nation's elections are not going away. It should be noted from the Senate Intelligence Committee's report on the 2016 election, there were, quote, no indications that votes were changed, vote tallying systems were manipulated, or that any data were altered or deleted, end quote. By Russia or any foreign actor. DHS Assistant Secretary Manfred said in the Senate Intel's opening hearing in 2017 that, quote, we do have confidence in the overall integrity of our electoral system because our voting infrastructure is fundamentally resilient. End quote. While we have faith in the electoral system, we still have a responsibility to strengthen the relationship between states and the federal government to ensure that Americans' votes are and will continue to be protected. There has been some disagreement with my colleagues across the aisle on how best to accomplish this mission. But I believe our goal is the same.
Instead of getting into a winded debate today between paper versus electronic, state versus federal, let's focus on things in the federal reach that need improvement. Areas where we may come to a bipartisan agreement as we've seen in this committee many times in the past. This committee created in past the Help America Act of 2002 which provided much-needed funds to states so they could update their election security and voting infrastructure. And created the Election Assistance Commission or EAC. One notable requirement of HAVA was for the EAC to create a set of specifications and requirements against which voting systems could be tested called the Voluntary Voting Systems Guideline. Or VVSG. The EAC adopted the first VVSG in December 2005 and provided an updated version in January of 2016. Now we are currently waiting for the EAC to produce the newest guidelines VVSG 2.0. This year our committee should also hold a hearing with the EAC to discuss this voting guideline development process and several other processes within our jurisdiction. Perhaps we should not only focus on the EAC but instead HAVA itself. The Help America Vote Act was originally created in 2002 following the 2000 presidential election. Its many issues with ballot marking devices much like we'll be discussing today. There have been many developments in voting system technology that are not addressed in the original HAVA language like e-pollbooks and registering databases. It's been almost 20 years since this law has been updated and with the recent developments in election security and technology, it's time to modernize these laws again and incentivize new more secure infrastructure development from vendors like each of you. Also let's recognize the steps we've taken this Congress alone to secure our elections. As chairperson said, the FY 2020 National Defense Authorization last month contains several provisions related to elections security.
Most involved providing Congress, federal, or state agencies with information about election interference. Something that was in the election security bill I introduced, H.R. 3412. It also requires the Director of National Intelligence in coordination with several other agencies to develop a strategy for countering Russian cyberattacks against U.S. elections. Another provision I had in my bill. In addition to the NDAA, the recent appropriations as Chairperson Lofgren said including 425 million for territories to make general improvements to the administration of federal elections including upgrades to election technology and security. Much has been done but we still have much to do. Which is why you're all here with us today. A fundamental right of our nation's ability is to choose our leaders. The American people deserve that right to be protected. We should secure and protect our nation's elections without partisan politics and I hope we can remember that not only during this hearing, but also for the duration of this Congress. Thank you, Madam Chair. I yield back. Thank you. Gentleman yields back. All other members are invited to admit an opening statement for the record. At this point, I'd like to welcome our witnesses. Thank you for being here today. Joining us are the president and CEO of Election Systems and Software Mr. Tom Burt. President and CEO of Dominion Voting Systems Mr. John Poulos. And president and CEO of Hart InterCivic Julie Mathis. I'd like to introduce each witness. Tom Burt became president and CEO of Election Systems and Software in 2015. He joined ES&S in 2008 leading sales, customer services, operations, and the product departments. Before joining ES&S, he developed his general management and leadership at McMaster-Carr, a supply company. And Anderson Consulting where he served in a variety of executive management roles. John Poulos is the founding president and CEO of Dominion. He leads the business operations.
Since its inception in 2003, Dominion has grown to support over 1200 jurisdictions across North America. He holds a bachelor of arts in electrical engineering from the University of Toronto as well as a master's of business administration from ncad France. Julie Mathis joined Hart in 2014 but became its CEO just nine days ago, so congratulations. She has previously served as president and CFO of the company and prior to joining Hart, she served as vice president of finance at Dell. Miss Mathis holds a bachelor of business administration degree in accounting from the University of Texas at Austin and is a certified public accountant. I would at this point ask unanimous consent that all members have five legislative days to revise and extend their remarks and their written statements be made part of the record. And without objection, that is so ordered. I'd also like to remind witnesses their entire statements will be made part of the record and the record will remain open at least five days for additional materials to be submitted. At this point, I would ask each of the witnesses to rise and hold up their right hand. So that you may answer this question. Do you swear or affirm under penalty of perjury that the testimony you are about to give is true and correct to the best of your knowledge, information, and belief so help you God? The record will reflect that all three witnesses answered in the affirmative and we will first recognize you, Mr. Burt, for your testimony. Thank you. Chairperson Lofgren, Ranking Member Davis, and members of the House Administration Committee, thank you for the opportunity to testify on the vitally important subject of elections security. My name is Tom Burt and I'm CEO of Election Systems and Software. I'm encouraged to see the growing attention to stronger security in elections and thankful for the recent funding provided by Congress under your leadership. Founded 40 years ago, ES&S was roughly half of our employees live and work.
Others live or work locally near where we provide products and services including employees who reside in California, Georgia, Illinois, Maryland, North Carolina, and Ohio. Let me be clear and unequivocal with you. ES&S is committed to doing everything we can to safeguard our election security. It is why each of our employees goes to bed and wakes up thinking about. Additionally I want to make sure that ES&S supports federal mandates for the following three policies. First a paper record for every vote cast. Second, post-election audits of these paper records. And third, more rigorous standards for the security testing of voting equipment by a federally controlled regulatory body. I'd like to elaborate on a few of the many examples ES&S has raised the bar on itself for election security and called on Congress to raise the bar on the entire industry. First as mentioned, it is important that a paper trail be required for each vote cast. ES&S has stopped selling machines that do not produce a paper record as the primary voting device. Second, we support and applaud the increase in dedicated resources coming from Congress. State and local officials, the Election Assistance Commission, and the Department of Homeland Security. We embrace our partnerships with these bodies because we believe that collectively we can provide necessary and continuous improvement in election security. While the recent appropriations bill including additional elections related funding from Congress, we believe the federal government needs to devote these resources to state and local jurisdictions on an annual basis. Third, I'd like to highlight just a few of the many important steps ES&S takes to bolster election security. Every ES&S system we field undergoes rigorous testing. Since 2009 ES&S has certified 22 unique voting system releases through this federal testing program.
Our standard procedure is to conduct thorough and pervasive penetration testing through our hardware and software using the same modern security tools that hackers use to make sure our equipment is secure before it ever enters the federal program. We recommend increased EAC funding for security testing. Managed at the federal level with standards and testing methods that are applied evenly and comprehensively to all providers. All ES&S tabulation firmware and software are not only housed domestically but are written exclusively inside the United States. ES&S engages an independent third party to regularly test samples inside the voting agreement that our programmable devices. We do this to validate the supply chain and ensure no back door tampering has occurred. ES&S voting machine components are produced in certified manufacturing facilities and the entire voting system is managed by a change order control process. All of our voting machines are performed in Nebraska. We are working with our providers seated here with me today to create the nation's first coordinated vulnerability disclosure for elections equipment. Designed to provide for even greater testing of voting systems through the use of ethical hackers. Because we strive for continuous improvement in all facets of our business, they are continuous, ongoing, and dynamic. Finally I want to be clear that we do not believe we are perfect. On rare occasions, machines falter and humans make mistakes. When these circumstances arise, we always do everything possible to remedy the issue and ensure that final election results are reported accurately. As I noted previously, we strongly urge Congress to require an auditable record of every vote cast. While we are proud of the actions we've taken to date, we recognize this is a race that has no finish line. ES&S is committed to continually enhancing the security of our products for the long run.
We take nothing more seriously than our role in supporting our nation's democracy. Thank you for your time and I look forward to your questions. Thank you very much. We'd be pleased to hear from you, Mr. Poulos. Thank you very much. Chairperson Lofgren, Ranking Member Davis, and distinguished members of the committee, thank you for the opportunity to testify today. My name is John Poulos of Dominion Voting Systems. We are a U.S.-owned company that provides services to jurisdictions across 30 states and Puerto Rico. I agree with the importance of the issues being raised by the chair and ranking member regarding election security at today's hearing. American elections safeguard and preserve the freedoms guaranteed by the U.S. Constitution. At Dominion, we take pride in our small role in ensuring voters they can have confidence in secure election results. We go to work every day understanding this important responsibility. By way of background, I formed the company with my partners in 2003 as an engineer and entrepreneur in Silicon Valley. We are one of the only independently operating of those 76 in the industry today. Dominion was founded on three key pillars. Security, transparency, and accessibility. The company abides by these principles today. Driving advancements for auditability and directed by state and local election officials. Supporting elections is a full-time proposition for our company. This past year alone, Dominion assisted state and local election officials in conducting nearly 300 elections. Complete with a rigorous public scrutiny that comes with it. Dominion is constantly innovating and certified enhancements and new features per state and local requirements. For 2020 we have been working closely with jurisdictions seeking to upgrade their voting systems. Older end-of-life technology is being replaced with certified solutions that produce paper records for auditing and resilience. This comports with recommendations by DHS.
Consistent with our founding tenets, this starts with our people. Including annual mandatory background checks and awareness training for every employee in the company. It includes company-wide adoption of advance digital protections and a defense-in-depth approach to cybersecurity. Moreover, we actively engage with the EAC, DHS, and other trusted third parties to maintain and enhance our security. Including potential supply chain risks. Finally, we meet all independent testing requirements and requirements set forth by individual states. This includes source code reviews, penetration testing, and post-election audits. In terms of transparency, Dominion systems fully support independent third-party audits and reviews of all election data. For example, in 2018, the state of Colorado used Dominion systems in conducting the first statewide risk-limiting audit in the United States. This effort was so successful, it has become a benchmark for other states in verifying with high confidence that equipment tallies are accurate and reliable. To round out our company mission, we are committed to voter accessibility. Our systems ensure federal protections for privacy and equal voting rights. And ballot casting options for all including American service members abroad. The existence of nation state threats means we must actively defend against attempts to undermine faith in our democratic institutions. In this regard, we hope to see Congress continuing its work with state and local election officials to keep election systems secure. We commend Congress on its bipartisan investment of an additional 425 million to help election officials modernize their infrastructure. In closing, we remain fully committed to providing technology that supports free and fair elections. This includes support for an industry-wide vulnerability disclosure program for voting systems.
We urge you to continue supporting and incentivizing real-time threat information sharing from the intelligence community. Streamline certification options for patching and updating, and reliable standards for voting systems. All of these efforts will help make the voting process more secure. Thank you again for the opportunity to share our company's perspective. Thank you so much for your testimony. And now our final witness in this panel, Miss Mathis, we'd be pleased to hear from you for five minutes. Chairperson Lofgren, Ranking Member Davis, and members of the committee, thank you for the opportunity to speak with you today. I am the CEO of Hart InterCivic. Hart began as a paper ballot printer and has grown organically one new customer at a time to become one of the top three voting system providers in the country. Our customers are local election officials and our business is built on partnering with them to enhance their processes and ensure they deliver secure, accessible, and transparent elections. Our products include the software and devices that these election officials use to create ballots, capture votes, tabulate votes, and audit the results. Our systems are regulated as each is certificated through the processes before any local jurisdiction purchases them. It's also important to note which aspects Hart does not serve. Hart does not build the products of voter check in at the polling place or any other aspect of election or data administration. These aspects of the election system and their vendors are not currently regulated. I'm in Washington, D.C. this morning because Hart strongly believes voter system companies are one of the many critical players. I can tell you much has improved over the last few years. But we know that challenges remain. So what has improved? First, what is improved as a company is our products. We are proud our voting system is one of the newest on the market.
Rather than patch updates, a new product designed from the core to meet standards. Further describes. Second, what has improved in industry? More agile when it comes to cybersecurity threats as a result of the Department of Homeland Security's designation of the American election system as critical infrastructure. Because of that designation, a founding member of council a group of diverse elections related to address resiliencies and practices. Similarly, a founding member of as well as an active member of the eia. Free assessments and educational materials. But the biggest improvements have been to our ability to coordinate around cyber threat information and disclosures. So where else can we all continue to evolve and adapt? Number one, continual evolution of the voting system guidelines. We strongly support the process to roll out standards. We have submitted our comments during the public comment draft and are in regular communication to provide further insights to inform the new standard. We share your frustration over the slow adoption of the new standards yet Hart has enhanced the security of our products while awaiting the standards. We urge to continue other election technology especially areas of high vulnerability such as voter registration, electronic poll books and election night reporting. Number two, speed up the federal certification project at the EAC. Allow additional resources to be dedicated to the overhaul of the VVSG and enhance resources at the EAC. The more resources and funding that Congress can dedicate to the EAC, the sooner we will be to bring the next generation of products to market. Number three, ongoing vigilance over cybersecurity practices within our industry. The most important shift in institutional attitudes is that security is not a static process. At Hart, we recognize that methods will evolve and so we must continually adjust to new risks and adapt with new technology, new processes, and new policies.
In conclusion, much has improved over the last few years. Not only are there new products on the market with enhanced security protocols, but the election industry is much better informed, more coordinated, and more aware. But this enhanced awareness also highlights the clarity that securing is a race with no finish line. It will take constant vigilance, funding with partnership, and coordination to ensure that elections are secure each and every year. At Hart, our goal is and always has been to provide election officials with accessible and secure technology. We dedicate significant time and resources ensuring our products meet and exceed the latest security standards. Because of this, we are a trusted partner of local officials who run elections in our country. Thank you and I look forward to answering any questions you have. Thank you and thanks to all of our witnesses for your verbal testimony as well as your written testimony. We will now go to the time in our hearing when members have an opportunity to ask questions for as long as five minutes. And I'll start. As we all know and we've recognized the concern about election security has been heightened since the 2016 election, we've had reports from our intelligence community that we should be on the alert for threats, especially foreign threats to the security of our systems. Right now there are no federal reporting requirements that mandate disclosure of crucial information about some of your key business practices or experiences. And I'd like to know from each of you and this could be a yes or no question. Would you support requirements concerning the following five items? First, your cybersecurity practices, two, any cyberattacks you've experienced. Three, personnel policies, including whether background checks and other procedures are in place to safeguard against inside attacks. Four, details of corporate ownership and foreign investment.
And finally supply chains for software patches and installations come from, how they're transported, and how they're kept secure. If you could answer whether you would agree to all or if there is some you would object to, why. I would say yes we support a requirement for all five of those requirements that you listed. Thank you. Chairperson, we would agree with that as well. Thank you. As would we. Very helpful. As you know, we have passed a pretty robust bill in the House. It's pending in the Senate. And perhaps your testimony will encourage them to move forward. I'd like to talk about supply chains. As I mentioned in my opening statement, concern has been raised about components. The Interos report showed that a majority of suppliers within a widely used voting machine supply chain had locations in either Russia or China. They didn't indicate which company. So I'd like to ask each of you. Do you have components in your supply chain that come from either Russia or China? Chairperson, we do not have components that come from Russia. We do have a limited number of components that come from China. What percentage would that be? I can't give you a percentage, but with respect to this issue, the potential for a back door threat doesn't relate to inert items like a piece of plastic or metal. What should be concerned is the programmable devices. What type of components come from China? Can you tell me the nature of them? Our DS200 which is a I don't want examples. I want do any of your chips, softwares, or just a piece of plastic? In our DS200 we have one of the nine programmable logic devices that we actually source from a U.S. company based in California in the heart of Silicon Valley that produces that programmable device in a factory in China. Okay. Thank you. It wasn't our company in the we would welcome product from China. Before you go forward, where are the products from China?
For incentives, LCD component, to the actual glass screen on the interface down to the ship complement a level of capacitors and resistance. Several of those to our knowledge are not even there's no option for manufacturing up those in the United States. We would welcome guidelines and best practices from the committee and the federal government in terms of, this is not a problem unique to the elections. Miss Mathis? Yes, similar feedback here. We take the security of our supply chain very seriously, and we actively monitor and assess all aspects of that supply chain, including country of origin. You have component from China or Russia? We don't have component from China or Russia, but we do have what would be the nature of those components? Similar sister capacitors, the global supply chain or technology components of that. What percentage do you know? We'll follow up on that. I'll turn to Mr. Davis for his five minutes. Thank you, Madam Chair. And thank you to the witnesses that are here, each of you. Just a simple yes or no. Is there any method of voting that is 100 percent secure? No, no, no. To your knowledge, has a foreign state ever successfully breached or hacked any of your vote tallying election machines? No. No. No. No. What was the primary target of our foreign adversaries in the 2016 election? Mr. Burt? Well, Ranking Member, I think there are potentially differing public views on that. But what I can say is that as you asked a minute ago, we've seen no evidence that any of our voting systems have been tampered with in any way. Mr. Poulos? I agree with that statement. We feel the same way. Can't speak to what the primary purpose was of the attacks. But there's to our knowledge, no evidence on our systems as well. Well, you guys already answered that. Miss Mathis, do you know what was attacked? Do not have personal awareness of that. I think there were such wide systems in Illinois. Where do these state voter registration databases come from?
Ranking Member, it's various depending on do they come from any of your companies? We do host voter registration systems. We do not. We do not. They're actually required by the Help America Vote Act. And also to your knowledge, are there any that require excuse me are there any parameters in HAVA that require the state voter registration databases? I believe the language in HAVA as it relates to voter registration is limited at best and I'm not aware offhand of any specific language it pertains to? Do you believe it's something that we should address? I do. I think it's a gap in the oversight of the Election Administration or Election Assistance Commission. And I believe you can put pollbooks into the same bucket with voter registration. Are you all members of the coordinating council? Yes. As well as the ISAC? Yes. Okay. How do these entities increase vulnerability disclosure? You know, prior to 2016, there was no communication between vendors and those entities. And there is regular sharing of information, of threat information as well as routine meetings. Many face-to-face to make sure the lines of communication are open at all times. How many different disclosure programs are there currently? To my knowledge, we're part of one and currently working on several more with my colleagues here. To create further disclosure programs. How do we ensure these new programs are adequate to disseminate known vulnerabilities? I think it's important to work together with the cybersecurity experts that have already been involved through the designation as critical infrastructure. Ensuring we understand the appropriate disclosures. Would you say it is riding on the topic of election security since 2016? Would you all agree? Yes. I'm actually happy for this increased attention. I believe it's put an important issue to the forefront. I'm concerned about the incentive for outside groups to mischaracterize the threats facing our elections.
Is this a concern that each of you share? Yes. I got one yes. Yes. Yes. Thank you. I didn't think C-SPAN could see you guys nodding your heads. Over the past several years, there's a lot of publicity. Have you reached out to participate? Ranking Member, we have had discussions with them but not provided our equipment to them for testing. We reached out to DEF CON this year in 2019 interested in a more collaborative penetration testing with stakeholders. We've reached out with one organizer and had a plan. We actually did send our modern certified equipment to DEF CON. But in the days leading up to that event, I think there was an internal disagreement within the conference. So we ended up not working at that conference. But if it's not DEF CON, we're committed to that. How about you? We have actually submitted our systems through the DHS penetration testing process through national labs. So we've gone that route. But not DEF CON? Not DEF CON. I recognize now the gentleman from Maryland. Madam Chairman, thank you very much. The Consumer Product Safety Commission advises manufacturers of products to identify all reasonably foreseeable hazards associated with use of their products to include safety warnings and steps to reduce risk of accidents in the user guides. And requirements like this for motor vehicles and warnings put in lots of different owner manuals. Would you support a requirement for voting system vendors to identify security risks associated with use of your voting equipment and recommendations for users to mitigate those risks such as manual audits of paper ballots and go down the line. Mr. Burt, start with you. Thank you. We would support any requirement that applies to all vendors in our industry that would help educate both the users of our systems and anyone who interacts with them. I would agree with that statement as well. I would support any initiative that Congress puts forward. We would agree with that also. Very good.
There has been some reporting recently about the lobbying elections. Of the field. The procurement process. Of our contract. The reports indicate that ess spent 425,000 lobbying city officials dating back to 2014 before being awarded. Is this just Standard Practice in the industry and. We hired our first ever consultant to help us in washington educating federal officials indicating who we are as a company. He is a consultants at the state level for the same purpose. In this case, it was helped to broker a contract, right . It was used to educate the values we hold and how we conduct our business. Okay, do you also get involved in making Campaign Finance contributions . Do you guys know, we dont make Campaign Finance contributions. You did spend money on block right . Miss mattis . Our involvement has been minimal and has been helped to locate us on local procurement process is within local jurisdictions. Im curious about whether each of your Companies Engaged in adversarial testing on your Voting Systems. We have in the past, it is something we are looking to expand in the future. Okay, mr. Burke . We do routinely, weve hired third parties to provide Penetration Testing, we also participate throughout a dhs program with the Idaho National lab to provide testing on our equipment. And miss matt us . We have been involved in that same Penetration Testing approach by the dhs recommended national labs. Do you routinely allow academic researchers to test the quality and security and integrity of your products without prescreening them. In other words, do you generally permit outside investigators to check it out . We have not involve academics who have not been prescreened with the coordinated vulnerability and Disclosure Program that we are working on with our colleagues. The idea is to have a farm, be able to manage a network of ethical hackers to broaden the access to our. Systems without making this information open to the public. Okay. 
Congressman, we have done that in the past, as far back in 2009. We found the exercise was useful, and we are looking forward to doing more of that, within the confines of a reality based scenario of testing. Okay. Mathis? And we would support the appropriate disclosure of that information, it's important that we not undermine voter confidence and understanding that we actually evaluate and assess the type of disclosure necessary. Okay. And finally, I remember from my days in Annapolis that there is this conflict between the Disability Community and the champions of security within the process, and I wonder what can you just eliminate that? Most recently with a lot of the Public Commentary about ballot marking, there is a concern regarding the format of how ballots are printed for voters, and that sometimes is in a national conflict. The gentleman's time has expired. The gentleman is recognized for five minutes. I believe each of you mentioned in your testimony frustration with the free this has been shared by others in the industry, as this issue has a lot to deal with the antiquated America Vote Act. Where can we as a committee focus to help update HAVA? Thank you for your question. I think that the EAC, given the resources and funding that they have to do a very good job, and somehow it amazes me how much they're able to accomplish, given the resources they have. I think we should ask them to broaden the scope of their inside and to do that, they need more funding and more support. I would agree with Mr. Burt's comments and I would add to that, particularly an example as it pertains to patching specific software such as Windows where a patch is readily available, and some very cumbersome and timely to get that to customers. Anything to add to that? How has your relationship with the DHS evolved? How have state and local authorities responded to DHS, I'll put a couple of these. What type of services do they wish to offer you?
What type of services do they currently offer you . No they offer several different programs. Weve taken part of a physical security review, they offer a product testing and in terms of the evolution of that relationship, i table zero four years ago, and it has been very helpful for not only us but the customers we serve. They are not, and its a real opportunity, whether it is through dhs or department of defense, or somewhere else in the federal government, as he mentioned. The vendors are eager to work in partnership to make sure that we are following the best practices and we safeguard the best of our abilities on our nations voting equipment. Working with the dhs, as well as your own companies, any evidence that russia has hacked any portion or part of this, as the dhs discovered that or assumed or even suggested that, or anything of that nature . Weve never received any evidence or commentary that suggests that these systems have been hacked. No. Without a question, and if we can expand on that, have each of you hired an executive level chief Information Security officer . We have. We have. We have an extended internal Security Team and an expert on our staff. What other qualification for such a position . What are you looking for . We have that bifurcated in terms of corporate ideas, and product security. They are two different sets of requirements. I cant lift them to you off the top of my head. We were fortunate enough to find a gentleman who was a chief Information Security officer for health and Human Services at the human level, and he has been with us for a couple of years. So he has that experience working with various Government Agencies in that capacity as a chief Information Security officer. I want to unpack this a little more. Why is this relevant and developing equipment for modern elections . 
As we look forward, it is necessary for someone with a deep Technical Expertise to advise the company in its actions to do everything that it can to make sure that we are making the right decisions to protect the security. I agree with those comments in terms of thats practices and where the stateoftheart is evolving to. It really benefits the security of the process. If you were to give yourself the largest mark, as far attentiveness to making sure there is no corruption or anything nefarious going on, how would you score your company as far as the time, attention and resources you put into this. We spend a great deal of time on a regular basis, we are as strong as we are capable of, we are always looking to partner with other agencies to improve our ability to mitigate. Well the security of our process is a key priority for us, and is reflected in the amount of time and resources that we spend. Same thing. We absolutely dedicate, its in our dna. Its pervasive across our process. If this does not work out, you may have a answer to the question. The other gentleman from North Carolina is recognized. Thank you for convening this important hearing today, i cannot think of a hearing except for the debate on the war powers act that we could be having right now, this is critically important to our democracy, i certainly thank you for the testimony today. Let me start with you, and i want to talk specifically about North Carolina. You know i represent the district in North Carolina. Theres been a lot of controversy surrounding your companys recent dealings with Election Officials in my state. Some have referred to what had transpired as a bait and switch. I dont know if that is warranted or unwarranted. I hope it is unwarranted. Can you please explain to me why you waited so long to tell North Carolina Election Officials that you did not have enough Voting Systems to cover the 2020 primaries . Thanks for your question congressman. 
I have read that bait and switch comment, we applied for certification five years ago. We went through all of our testing, the report went to the state board for approval, and at that point the state board dissolved. There was no quorum for over four years. That is a system that we got tested five years ago finally got approved because it was five years old. We went in after that and got our latest animals secure system. And it is that system that most recently certified that we delivered to the citizens of North Carolina. So if a bait and switch it means that we decided to send the most recent and most secure system to the citizens, that is what we did. Im informed that your company admitted installing Remote Access software on some of the election systems, and that it sold over a sixyear period. Within it, where they sold to Elections Officials in my state . Congressman, that practice happened between the years 2000 and 2006, no system that we have brought through the easy Program Throughout the year 2007 has been equipped with any kind of Remote Access software. We have confirmed that there is no system out there in the country in use today that has a Remote Access system attached to it. Do you support federal legislation to expand the use of postelection audits like risky limiting audits and federal elections. We absolutely . Do absolutely. Yes. Do you believe all manual audits can be conducted on all the systems you currently sell . We have a portion of our product actually does not, there are other audits that fulfill a fully ability to confirm those results. All right. Let me ask you, what do you do to ensure that they follow industry best practices . In other, words if you conduct background chance. For our manufacturing practices, we confirm background checks and this is not a cursory background check, we do and in criminal, detail the background check. That is part of the certification process. Do you as well . Yes. 
Are you aware of any cyberattacks in which the attacker gained unauthorized access to your internal systems, corporate data, or consumer data . We are not. You have any evidence that this has happened . We do not. No, we did not. No, we did not. You see how im doing on time. Okay. Back to you. We know you are committed to no longer selling paperless machines, but you are selling the express vote with an auto cast feature that has to voters skip, that has devoted to skip the verification of the paper record, given that the primary criticism of paperless machines was that they did not have a voter verified paper audit trail. Do you think it is correct to say that you would no longer sell paperless machines, but you are selling a machine that can require devote without a paper trail . Congressman, i dont believe im not aware of any customers that are using that particular product in an auto cast faction. I believe all the Customers Using in that product present the ballot back to voter for verification. In one way or another. Either through a screen or by kicking out the newspaper. Finally, for miss mattis, currently listed under represented in the products that use now is a paperless machine, meanwhile there is a clear consensus among experts that the paper ballots are needed to ensure that voters votes are counted properly. Why do you continue to sell a machine . We all know it put the integrity of the voters at risk. We do believe they are secure, and we have those products, certain states have qualified and include including, multi layers defensive indepth protocols. I yield. Back your time has expired, we all have a second round of questions, so that we can further explore this. The gentlelady from ohio is recognized for five minutes. The chair of our election subcommittee. Thank you all for your testimony. 
Just a couple of questions, really, but let me first say i understand this is a business with you all, but i think my colleague said it best, its critical to our democracy. Youre equipment is purchased with taxpayer dollars. There is some explanation, im from ohio, we have different machines. When you talk about, they probably need examiners, but increasing the examiners. Its my understanding that the testing standards that we use data back as 2005. Where in 2000, 20 but were using standards. What we have done is say to the people, you determine what the upgrade should be. Because youre dancing to their tune. Is that how you see it . Congresswoman, i say there is an opportunity to update the Voting System standards and actually to broaden the program to include more security specific testimony. That is what we would like to see. Im sorry congresswoman, i dont understand the question. Oh, youre doing upgrades youre systems on a regular basis, not based upon what we think is a security issue, but what windows is telling you you need to do. Because thats the operating system. Both this to, actually. We are regularly innovating new features that come from local jurisdiction and state officials based on evolving threats and evolvings state of technology. In addition, we do use windows and microsoft products that do have their own patches. That is not going to the population progress as. Well we did not have off the shelf im not suggesting that. Im suggesting that when microsoft tells you that you need to do this of great, you do it. We implement it, we tested, we submitted for certification. We do not implement it, for example, in a county in ohio until im not suggesting that you dont test it. My point is that you dont do it based upon what we believe is a issue, you do it on what microsoft believes is. One you dont need to defend microsoft. Im not doing anything to microsoft, im just making a point that we need to be more involved in the process. Thats true. Okay. 
Will all of you commit today to allowing researchers to test your product without hand picking or selecting those researchers to do it? We're not interested in hand picking, what we are interested in is making sure that we attract hackers who can make our system better without requiring that the information that they discovered to be put into the Public Domain, so what we would like to see is for the EAC to actually manage a coordinated Vulnerability Disclosure Program and have the EAC choose the researchers, assemble a team, and administer the program. So that's a yes? Yes, we would like to see the EAC manage the program. Only reason I'm cutting you off, I have five minutes. Understood. I ask each of you, what do you do to make sure your subcontractor and manufacturers follow best practices on cybersecurity, Mr. Butterfield already asked you about background checks. If you could answer the first part of the question? Well, in our case, for example, our lead manufacturer manufactures products for the Department of Defense and has accreditations under ISO and so we look for that as a prerequisite to doing business with that manufacturer. Very similar. We look at ISO standards, have deep quality reviews and ensure that we're managing our suppliers very closely. Good. I work for the federal government too. I don't trust everybody else that works for the federal government. I want to make sure you're looking at them not just hiring because they work for the federal government. Fair enough. I yield back. The gentleman from California, Mr. Aguilar is recognized for five minutes. Thank you, chairwoman. I wanted to talk a little bit about products and defects, and we can go down the line, Mr. Burt, if you'll indulge me by starting, do you have built-in systems and practices that look for defects along the way? And can you describe that, how long it takes to find it, create and implement a solution?
We do have built-in systems ranging from source code reviews to Penetration Testing to functional testing. In the event, if a system has been fielded and approved by the EAC and delivered to a state and has been fielded, and there's a functionality piece of the functionality that we want to change, that process to make the change currently, have it go through the federal Testing Program and redeployed to the state can be six months to a year depending on the scope and depth of the changes. Do you inform the customer when that happens? Yes. If a defect or something are they under an obligation to pay for a fix? No, in those cases those are covered under licenses and we make the changes and roll them back out to the customer. Mr. Polis? Similar with Dominion. We comprehensively do testing on all of our products and that is ongoing in the company on all current products. Any issue that we find is immediately disclosed. That's actually regulated in some states, such as your home state, within a very specific time period depending on the severity. Per the license, you would it would not be an extra charge, no. Very similar. We disclose any of those types of critical election day type malfunctions up to the EAC. So that's all regulated right now. Great. I appreciate it. Shifting gears to you talked about the Idaho National lab and some of the DHS testing work that you've done. With respect specifically to cyberattacks that and we all understand the stakes here and what's involved, as do you. Can you talk specifically about how you work with the federal government when cyberattacks potentially occur? Do you report those potential intrusions to your customers or to the federal government? And do you believe you have a time and obligation to timely notification to customers when a Security Breach of that product or your company happens? Mr. Burt? We do.
We have, we share information with the MS-ISAC and the EI-ISAC and we don't specifically share when an IP address has been identified as an attempt to penetrate a firewall. That happens thousands of times a day. That isn't useful. With our coordination, they help us to identify and understand sort of potential attacks that might be potential exceptionally dangerous. What would that look like? In the last 60 days, how many times would you notify a customer? We don't notify customers of the MS-ISAC but many of the customers participate and receive the same information. It's not specific to our business. It's commentary about what's going on around the country. So there's no way for a customer to know that there was a potential breach? I'm not talking about a ping in an IP address. I'm talking about a breach and a potential intrusion into your system? We've had no breaches to report. What's that dialogue like with DHS? With any federal entity? Through your systems. How much is that how often? There is a process. If a breach were to occur, DHS has issued guidelines in terms of the communications. We've practiced those through National Tabletop exercises us. We had the National Department of Homeland Security travel to Omaha to conduct a tabletop exercise on premise to practice in the event a breach did occur to make sure that we would be in position to communicate it effectively. Mr. Polis? Very similar. We have not had any potential breaches. We haven't actually reported anything to a customer but our policy is that we would communicate any potential breach to a customer, DHS to ensure we have appropriate communication. Miss Mathis? Similar. We have not had any breaches but have created a robust Incident Response plan that has been updated to include disclosures and notifications all directions, DHS to customers to ensure we've got communication. What level would you flag for DHS? I understand that all of you are saying you haven't been breached.
But at what level there's a difference between being breached and pinged. Talk to me about that spectrum of intrusion? We actually are erring on the side of if anything too much disclosure, if there is such a thing. We actually had an example where a customer contacted us with a potential breach. And we actually contacted DHS and let them know of this whole situation. So it was not a breach. It turned out that that particular county was exercising a test. And so it actually the whole process worked. We did not know that, and we were happy to communicate that to DHS. Thank you. Gentleman's time has expired. We will have a second round of questions, and I will begin in answer to a question from Mr. Butterfield, Mr. Burt testified under oath that they do not currently have Voting Systems in the United States with Remote Access software installed if I heard you correctly. That is our belief. None of the systems in use today would that true for the other two? Yes. We have never had Remote Access. Do you sell Voting Machines that have Network Capabilities installed? Can you be more specific? Yes. You don't have the software installed but you have the capability of installing it? For Remote Access software? Yes. We no longer install any Remote Access software. That was discontinued in 2006 and is not allowed by any of the EAC testing. Mr. Polis? Chairperson, we've never had any capabilities? Capabilities. But I will say that I do want to draw a caveat. Some of our tabulators are designed around the ability to have an external program modem to transmit after polls close. Okay. We do not have Remote Access capabilities as you mentioned. So similar to Mr. Polis, we have as required by certain states a remote transmission2 i we do not, actually. Our technology for our Verity product actually does not put any voter choice in a bar code. We have optical character recognition technology. Okay. I have a question.
For over a decade, my smartphone has had the capability to prevent unauthorized unsigned code from running on the device or interfering with the operating systems. Do all of your election systems currently in use prevent unauthorized code or altered operating systems from running on them in this way? They do, chairperson. I'll give you one example. The memory stick that we purchased from a manufacturer, our system won't even operate unless they know that it's a particular serialized number memory stick. If you bought one from an Office Depot it wouldn't recognize it. All of ours are the same. The exception that I will point out to the committee is we do support some legacy systems that are still in use that were designed in the remaining cases over 20 years ago that do not have this capability. Our Verity product line actually incorporates a feature called whitelisting which actually only allows the programs that we permit with our Verity design, so it actually blocks everything except those four. It's actually more secure. I'd like to follow up with you, Mr. Burt, because from the previous testimony, your company is the only one that provides election infrastructure that is not just the Voting Machines itself. You've indicated your interest or suggestion that the EAC have greater jurisdiction over Voter Registration, election management systems, electronic poll books and the like. I'd like to know that even without that jurisdiction, what are you doing right now to ensure that these products are safe, secure, up to date, and utilize Current Technology best practices? Thank you, chairperson. With respect to the poll books, all of the data is encrypted on the poll books.
With respect to the Voter Registration systems, which I think is more commonly a question for folks, we've recently worked with the center for Internet Security to install Albert Sensors, which is a National Monitoring system, and we've wrapped this around our Voter Registration systems that we house and so for example Ranking Member, the example that you brought up relating to Illinois going back to the 2016 election, that's the kind of activity that an Albert Sensor is meant to prevent and detect with respect to a Voter Registration system. Thank you very much. I see my time has expired. I will turn to the Ranking Member for his additional five minutes. Thanks. Thanks to the witnesses. All of our colleagues on both sides of the aisle have the same interests. We want to protect elections. We want to make sure all machines that are used are up to the tasks. So thank you each of you for being here today. I know some of the questions can't be comfortable. I know there's been a lot of talk about supply chain issues. Yes or no questions. We'll start with you this time and go that way. Miss Mathis. Is it currently possible to build an election machine entirely of U.S. manufactured parts? I don't believe it is possible today. Mr. Polis? Not to my knowledge. Mr. Burt? I do not believe it's possible. Do you see why that concerns all of us up here? Absolutely. Absolutely. Are the parts in your supply chain, Miss Mathis, that come from abroad also used in other industries? Yes, they are. Okay. Mr. Polis? Yes, they are. Mr. Burt? They are. They're used in a variety of industries, probably some of them present in the room today in the various equipment that you see around the room. Like? We see cameras, we see a variety of electronics, we see switches. There's almost nothing that we interact with from an electronics point of view. Of course, your phone. That have parts made overseas and distributed to a variety of manufacturers.
It's the components we're concerned about. We have a Global Supply chain and you're not able to comprehend a machine able to be built with completely U.S. parts. So make us feel comfortable here in this country that your machines with the critical components are U.S. manufactured or they're going to be able to not be compromised. Miss Mathis? I believe that is an ongoing challenge that we all have and we're open to getting feedback from DHS to help us understand what our capabilities and opportunities might be to source alternatives. Mr. Polis? That's been an ongoing discussion at the EAC in terms of the next iterations of standards in terms of how they address guidelines. We would follow to those practices. Mr. Burt? Again, I think this is an opportunity for the Voting System vendors to partner better with the federal government. Surely there is deep expertise in the federal government that could be brought to bear on the supply chain management. We would welcome that dialogue and assistance. We look forward to working with you in that field. Earlier, it was mentioned about Campaign Contributions and lobbying activities. Mr. Burt, you mentioned that ES&S does not make Campaign Contributions at the federal level? Right? We have a policy that every one of our employees, Vice President and above, as well as anyone engaged in sales or marketing, are strictly prohibited from making Campaign Contributions. Mr. Polis are you able to make Campaign Contributions in your company? We have a policy that all employees are not able to make Campaign Contributions. Miss Mathis, similar? You guys all corporations? Registered corporations in the United States? Yes. Yes. Yes. Well, it's nice to see that we have a lot of agreement here amongst republicans and democrats in regards to Election Security.
And I find it interesting during the first round of questions, madam chair, chairperson Lofgren, talked about some of the areas where you all agreed that the federal government needs to work with you, need to work with the federal government. She mentioned a robust bill sitting in the senate. Here's the problem with the top-down approach in Washington when it comes to our election infrastructure and process. The bill sitting in the senate may force you as corporations to actually give Campaign Contributions to members of congress. Because in that robust bill there is a provision that would take corporate funds from corporate malfeasance which I would argue you would be eligible for with election infrastructure if something went wrong and it could go to a freedom from influence fund concocted by the majority. That would force the first ever corporate dollars into congressional campaigns. My point of bringing this up is, you don't allow contributions now by any of your employees because you don't want that to affect anyone who's in charge of running free and Fair Elections? Correct. Correct. Correct. Why in the world would this institution at the federal level in turn possibly require you and require any corporation to give the first ever corporate dollars to individual members of congress' campaigns? That's why when we talk about robust bills, we all have the same goals, but let's not kid ourselves in thinking that there are provisions in bills that are going to always benefit free and Fair Elections rather than benefiting individual members of congress. I yield back. Gentleman yields back. I just before yielding to Mr. Raskin, obviously everyone is entitled to their own opinion, but the matter referenced is a fine collected by the federal government which would then be put into a fund, not a contribution, from corporations. I yield to the gentleman from Maryland for five minutes. Thank you very much.
Let me pursue the line of questioning by my friend from illinois, and i asked those questions originally about lobbying and Campaign Contributions and so on. And i just saw this report from pro publica which says in august 2018 louisiana announced it would replace old Voting Machines and awarded a 95 Million Contract to es s. It accused the state of writing the request proposals so only the companys machines would satisfy the terms. Shortly after governor John Bel Edward canceled the deal enforcing the state to start the process over again. The Government Administration just sided with a company 40 million more expensive. In a statement the governorsoffice said the cancellation was justified. The office laid the blame at the feet of the secretary of States Office which it said added additional requirements to the bid just days before responses were due. Louisiana finance records show an esa lobbyist had donated to edwardscampaign since 2014. Mr. Burt, you said you have a ban on Campaign Contribution by the top level officials in your companies . Correct. But it doesnt go all the way down and doesnt apply to lobbyists that you would employ in the various states . It does not apply to lobbyists. Whats your specific practice . None of your employees correct. Contributions at any level. Miss mathis . Correct. I wonder if one of you would be interested about opining why you have that practice and whether you think that should be in federal law for all of the reasons that were, you know, suggested by my colleague about the importance of keeping election and administration completely separate . Two dangers, one is paranoia where we have politicians running around saying its all fraud. The other is complacency where we dont pay sufficient attention. Can you explain what the basis of that policy is that you have . The basis is clear. 
We want our company and stakeholders to be independent of the Election Officials that are making selections in terms of what's best for their state and localities. In your example of Louisiana, Louisiana happens to be a state that currently has legacy Voting Systems of the type being discussed at this committee level. And they were seeking to update with more modern certified systems. And unfortunately that's been delayed. So you mean by virtue of the change in the vendor? There was no change. It was all delayed. As a result they're using the legacy systems in the 2020 election. Miss Mathis? I'm sorry, what is the question? What's the basis of your policy of not preventing all employees? And I don't know if it extends to consultants? It's important for us to ensure that we are objective and independent. We don't run elections. Local Elections Officials run them. We're not engaged in that. It's important for us to ensure we're staying objective and independent. I remember a big controversy about the company Diebold one of your companies took over that? Was that ES&S? A little complicated, congressman. We made a purchase, and then my colleague Mr. Polis ended up buying the intellectual property. Both of you got a piece. But I remember that they actually were actively politically involved, and I think this was the president who had sent out a Campaign Solicitation saying that they would do anything to see that one candidate got elected president at a time when their machinery was being used in different states. That obviously creates a serious problem from the standpoint of Public Confidence in the integrity of the election, so all of this makes me think that it might be a good idea for us to formalize and make comprehensive the practice that you seem to be moving towards, which is that your job is to sell the technology to make it as secure as possible, and not to be involved in the political process. I'm wondering about why it seems that Technology Goes so wrong sometimes.
In Georgia, in 2018, ES&S technology was used when many voters did not cast a vote for lieutenant governor and there were not paper backups. Why does that happen? That is one of the problems we have, that there are huge problems like this that takes place on one day or two days a year that the machinery has got to work, and then it really undermines public confidence in the whole system? Congressman, the equipment is not ES&S equipment. Diebold, that went out of business, is actually the manufacturer of that equipment. In general, I think there were some other cases where that's happened as well. Can you explain why does that happen? It only has to work once a year, or once every two years and then it breaks down. Maybe one person could answer. Thank you for the question, congressman. The equipment that you are referencing was a legacy voting system originally sold to the state of Georgia by Diebold, who is no longer in the elections business. But it's the type of voting machine that does not feature a paper trail. In the event of something happening in an election, and it's not the only instance, where something plausible, something possible but not plausible, happens, it's difficult to have an audit for that if there's not any paper record. Time expired. I turn to North Carolina, Mr. Walker. Thank you. A preface to my colleague Mr. Davis talking about H.R. 1. A quick question along those lines. I'm assuming if you were fined by the federal government, those would be corporate dollars that you would pay those fines. Makes me think of Yogi Berra who says they give you cash which is just as good as money. My question is, we're federal elected officials. You guys are the expert in this industry. I applaud you for the in-depth testimony you've given. You know the stuff. As I look into the future, and I want to all three of you to touch base, where do you see the technology of election systems headed five, 10, 15, 20 years down the road?
Obviously as ranking member on another committee when it comes to intelligence and specifically even terroristic cybersecurity acts, so as technology advances, where do you see the adaptations that need to be made? I'm going to start with Miss Mathis. Sure. Unlike other industries in technology, the direction seems to be more back to paper. That wasn't the case a few years ago. And now the election industry has moved that way to more paper. Which is interesting from a technology perspective. I feel like that that will continue to evolve as preferences of local election officials evolve and as security continues to evolve. I think that the answer is, it will evolve. Okay. All right. I look at it in three ways, technology, people and process. The first on technology, I see evolved standards on security and how the technology comes to be in terms of manufacturing and supply chain. In terms of people and process, I think that I would like to see, I should say, further programs and continued work at the federal and state level in terms of better eliminating barriers that jurisdictions have in modernizing their election infrastructure and things like poll worker training. I agree with those comments and it highlights the fact that the burden on election administrators across the country from a technical capability perspective grows greater. So I think the challenge for election administrators to be able to staff their respective offices with people who are competent in these fields will be an ever greater challenge going forward. I yield the balance of my time to the ranking member. Thank you. And I want to get back to the supply chain issue real quick because it concerns me. Have any of you had conversations with your U.S. suppliers of electronic products that go into your machines, just like our TVs, phones and what have you, have you talked to those suppliers you work with that may outsource some of their manufacturing to foreign countries?
Have you talked to them about trying to develop a U.S.-made chip or electronic LCD product even though they may be a U.S. company? We have, ranking member, but the challenge is, and I believe this is true for all of us, we are not a large customer to any of these major manufacturers. Take Texas Instruments, which makes one of our programmable logic devices; we are a very, very small part of their business. Them to retool their international operations for our benefit is not realistic. Mr. Poulos? That's 100% correct. The infrastructure needed is the change of infrastructure to be able to create all of the fabs and necessary manufacturing for 100 components being manufactured in the United States is not a small effort. Miss Mathis? Right. It will take a whole sea change in the way that the global supply chain works in the technology industry, I think, for us to be able to take advantage of that. Okay. Now, I asked if you were all corporations. Will you tell me yes or no, or are any of you run by private holding companies, private equity companies? We are run by our executive management team, but we have 80% ownership by a local private investment group. How about you? Similarly, we are run by our management team and we are owned, I believe, 76% by a U.S. private equity firm. Miss Mathis? Similar structure. Do you see that's concerning to us? These are going to be questions raised by both Democrats and Republicans in the future. I appreciate you all being here, taking the time. We have the exact same interests on all sides here in Washington. We want to protect our elections. We want to ensure your machines are unhackable. Let's continue to work together to make that happen. I yield back. The gentlelady from California, Miss Davis. Thank you, madam chair. Thank you all for all being here. I'm sorry I had to walk out during the panel for another hearing, but I think many of the questions have been asked.
I wanted to focus for a moment just on voter education, and the responsibility, if any actually y'all have, through the companies and if you want to comment, Miss Mathis, you know, what is that responsibility? Do you work with election officials? We were talking about some ballots that were misread, how do we deal with that? You mentioned Diebold, that was what they did at that particular time. But we also know that sometimes, you know, ballots are just not constructed in a way that people actually see where they should go as they share their stories. So how, you know, what are we doing to make sure that people are registered correctly? That they can check their votes? Make sure that they, you know, voted the way that they want to? Often people are pressured by long lines. How can you help? What are you doing to really address these issues? And I know the second panel is also speaking to voter education. We believe very strongly with a partnership with our local election officials. That extends to voter outreach, voter training, poll worker training; we work with local officials to make sure they have best practices, that we provide them materials, you know, handouts. We also we have webinars where we'll train the local election officials to provide additional media. Can you think of an instance when you've actually picked up a problem and they've corrected it? If they've what? That you've picked up a problem, pointed out something to them that would be issue and think changed? Yes. We have the benefit of best practices. We have customers all over the nation. We'll provide to them, here's what we've seen in other jurisdictions that's worked really well. So this is an ongoing partnership, and, you know, our customers, our local election officials rate us very highly in just an ongoing lifelong partnership with them, so we absolutely are part of that solution.
Congressman, what we hear from customers and what they value is the shared perspective of best practices from our experience around the country, and with experience that they at that local jurisdiction may not have seen, particularly as it pertains to the deployment of new equipment. Voter outreach and poll worker training is exceedingly important. We've been asked questions about, can we build an unhackable voting system? You can have a secure reliable system that's transparent. But again you have to understand that the people and process is layered on top of that and pose additional risks. This is something that voting officials have known for decades. That's why we have poll watchers. It's why warehouses are bipartisan and boards of election are. The poll worker training and the training the trainer is something that is exceedingly important in the ongoing vigilance of the migrating threats that we see. Congresswoman, you mentioned the importance of voter education. We agree. For some, interacting with a piece of technology such as a touch screen can be intimidating. We don't ever want that to be a reason that someone would choose to not go and vote. Starting with making sure that our customers understand at a very deep level how these machines operate and then assisting them, going out in the public, for example with the city of Philadelphia we've made our machines available in many public squares and invited citizens prior months in advance of the first elections where this equipment would be used, so that people could remove the intimidation factor from interacting with a new piece of equipment, make sure they were comfortable, encouraged to come out and exercise their right to vote. I hope we don't hear of those horror stories, it's. Can you just quickly, how much of your annual profits and what are your annual profits, how much of that money comes from new voting machines and how much comes from service contracts for existing machines?
Congresswoman, that varies very substantially from year to year. There are years, or there have been years, even recent years, where we've sold very minimal amounts of hardware, and of course last year in the recent runup in preparation for 2020, I believe all three of our companies sold a disproportionate amount of hardware because of the actions that jurisdictions were taking. But unfortunately there is no normal in terms of the mix between hardware and services in this industry. Annual profits? I think my time is up? We're a private company so we keep that information private. And madam chair, does that really represent kind of where you're at as well in terms correct. All right. Thank you. Thank you, madam chair. Gentleman from North Carolina is recognized. Thank you. Madam chair, the first round went quickly and I was unable to ask my final question. Let me pose it at this time. To all three of you, do your tabulators have wireless modem capacity, Mr. Burt? We do field some tabulators with wireless modem capability, yes. Do you have any concerns about whether or not that poses any security threats? I think there's always a concern. That's something that we've discussed with our technology partners and our government partners. We recently assisted with the state of Rhode Island to test a service where Verizon has a private network that does not travel on the normal highway, blocked on both sides. They involve the National Guard in these tests and determined these were very low risk and wanted to continue using them. Does Dominion use wireless modems? Yes. In relation to the precinct-level machines, we use them insofar as a state has regulation and requirements to report unofficial results remotely. And the way we do it, so to answer your question in terms of concern, there are additional risks that are posed when you have remote transmission. We work to mitigate them with state and local officials. All of our modems work on a private network.
Miss Mathis, you have modems as well? Yes we do. Don't want to run out of time. The ranking member raised bipartisan concerns about a private equity. Would you be willing to submit, to each one of you, to submit in writing after this hearing a list of all individuals and entities with at least a 50% or more, 5% or more? They said 80 and 76 but I thought I would raise it to 50. I'd say 5% or more ownership of your company including private equity? We regularly make that exact disclosure to our customers. But it is 80%? It's 5%. Anything over 5%. Didn't you say earlier that 80% of your ownership? In ours I think it's 76. Someone said 80? All right. So you are not in a position to provide a list of those investors? Oh, no, we are. All right. All right. So it's part of public record currently? I don't know if jurisdictions publish it. But we're certainly not adverse to it. But if you give it to the customers you can give it to this committee? Of course. Would you do that? Of course. Just to clarify, I believe your question was to disclose anyone who owned 5% or more of the business? And my answer is yes, we will supply that, and we have actually supplied that information to your state of North Carolina. All right. And Miss Mathis? Same feedback. So as far as greater than 5%, we have provided that. All right. All right. Thank you. I yield back. Gentlelady from Ohio. Again, thank you for being here. I don't have a question for them, just a comment, madam chair. I'm glad that we agree on the fact that persons who work in your particular companies and in your field should not be making contributions to members of Congress. But I am always amused by how we change positions from day to day. One day my colleagues say, corporations are people, my friend, and they should be able to make contributions. So I don't know why you shouldn't be able to. Then they'll say, it's a First Amendment right for people to make contributions.
They oppose campaign finance reform and then contort the language of H.R. 1. I'm always confused about where they stand. So I appreciate your position. I think that it is the correct position. But I don't want you to get crosswise because corporations are people, my friend. I yield back. Gentleman from California recognized. Thank you, madam chair. One last question to follow up on Miss Davis, who asked a little bit about your company's annual profits. And I think it's fair to say that the revenue derived by the companies comes from, would it be fair, let me start there, that the revenue that your companies derives comes from two main sources, selling machines and providing contractors for services related to those machines and their use? Is that fair? That's fair. Yes. So if the three of you control 80% of the market, my concern is, what portion of your revenue do you invest in research and development to produce better, more secure, more cost-effective machines? Because what I don't want to get to is a position where you three control, we have the same hearing in two years, four years, and you control 95% and you collectively decide, well, we're just going to, you know, sell a few machines, provide those contractors to those, and we're going to kind of work with each other to make sure that we don't innovate, continue to grow. I'm not saying that you folks do. I'm saying that it wouldn't shock you to say, wouldn't shock you to hear that folks have come to Congress in the past when their proportionate share of business gets a little too large and members have concerns about where that could go. Mr. Burt, can you talk a little bit about research and development? Sure. I think you raise a very important concern. There are new entrants into our marketplace. However, and some have been quite successful as of late. We've been presented this question before in terms of a percentage of revenue that we reinvest for research and development.
Historically somewhere around 19% of revenue that gets reinvested as research and development. Mr. Poulos? Congressman, innovation is critical for us. We're only as good as our products. Depending on the year because of our revenue fluctuation, it's anywhere from 20% as high as 35%. Miss Mathis? Similar on our side. And it's, innovation is critical to us and as far as, you know, we are trusted election partners to our local election official customers. So it's imperative to us that we're continuing to innovate and make sure that we're keeping up with the, or staying ahead of the technology. I didn't hear the percentage or the range? Ours varies, varies, just depending on kind of the year. I heard 19%, I heard 20% to 35%. What would. We're closer to the 25%. Thank you. I appreciate it. Gentleman yields back. And that is all of our questions for the moment. However, as I mentioned in my opening statement, we may follow up with written questions from this hearing; if we do that, we do ask that you respond promptly. We thank you very much for your testimony today. You are excused. Thank you. I'd like to call up the next panel. It's a big panel. So we need to put a few more chairs up. So I'd like to invite the next panel to take their seats. And I will begin introducing this panel. First, if we can ask the panelists to sit. Sorry, it's a little crowded. But we've got some great witnesses. First, I'd like to introduce Liz Howard. She serves as counsel for the Brennan Center's democracy program. Her work focuses on cybersecurity in elections. Prior to joining the Brennan Center she served as deputy commissioner for the Virginia Department of Elections. During her tenure, she coordinated many election administration modernization projects including the decertification of all paperless voting systems. Dr. Matt Blaze is a researcher in the area of security systems, cryptography and trust management. He is currently the McDevitt Chair of Computer Science and Law at Georgetown University.
He is a cofounder of the DEF CON Voting Village. Dr. Juan E. Gilbert, scoot there, Dr. Gilbert is the Banks Preeminence Chair in human-centered computing and chair of the Computer and Information Science and Engineering Department at the University of Florida, where he leads the Human Experience Research Lab. He was part of a committee of experts and academics who wrote Securing the Vote: Protecting American Democracy for the National Academy of Sciences, Engineering and Medicine. Dr. Gilbert also created an open source voting system that is used in federal, state and local elections. The Reverend Dr. T. Anthony Spearman, a member of the county board of elections in North Carolina. He was elected president of the North Carolina NAACP in October of 2017. In 2016, Dr. Spearman played an important role in the voter suppression litigation that challenged suppressive voter ID requirements and other legislation that would suppress votes in communities of color and other represented communities. Commissioner Donald Palmer is confirmed, was confirmed to the EAC in 2019. He is a former Bipartisan Policy Center fellow, where he provided testimony to state legislatures on election administration and voting reforms concerning election modernization. Commissioner Palmer was appointed secretary of the Virginia board of elections by former Virginia Governor Bob McDonnell in 2011, and he served as the commonwealth chief election officer until 2014 and currently serves as Florida state departments of elections and prior to his work in election administration he served as a trial attorney with the Voting Rights Section of the Department of Justice's Civil Rights Division. He was a U.S. Navy intelligence officer and judge advocate general and awarded the Navy Meritorious Service Medal and Navy Commendation Medal and the Joint Service Commendation Medal. Finally, I'm going to return to our ranking member Mr. Davis to introduce Mr. Gianasi.
I would be remiss if I didn't mention Cole behind us, will be leaving to join the JAG Corps this next week. This will be his last hearing and, Cole, thank you for what you've done here and for your service to be for our country. Really proud to announce our last witness, my home election official, county clerk and recorder, in Christian County, Illinois, Michael Gianasi. He was also in the private sector but was our supervisor of assessments, so not necessarily the most fun job in the county courthouse to deal with property tax assessments, but you did a great job. I want to tell you, Mike is here because I believe his testimony will provide an interesting perspective from a local county official who has actually administered elections. I have known Mike almost my entire life, from playing youth sports in the same hometown to graduating high school together and working together as he was a fixture at the courthouse when I was working back in Illinois. Mike and I are good friends. But Mike's a Democrat, I'm a Republican. And I know that a guy like Mike Gianasi, the only thing he cares about, when it comes to administering elections in my home county where I vote, is to get it fair, make sure everybody has access to vote and to insure there is no problems, especially on election night. That's a concern of everyone. I think Mike will give a unique perspective even coming from a small rural county about how something that may be a good idea here in Washington, how it may impact their ability to actually run that election as efficiently and as effectively as possible. This is Mike's first trip to D.C., too. I got to take him on a nice tour of the Capitol last night. Mike, make sure you enjoy the rest of your trip. I want to thank you for your opening testimony and I literally want to thank you for your insight you will be able to give to this committee, to this city and this country about what it takes to run an election in places like central Illinois.
With that, thanks again for coming, buddy. I yield back. Thank you very much. As you heard with their prior panel, each of you will be asked to testify for five minutes but your full written statement, that will be made part of the record. At this point, I'd ask each of you to stand and raise your right hand and I will ask you whether you swear or affirm under penalty of perjury the testimony you're about to give is true and correct to the best of your information, knowledge and belief, so help you God. The record will note each witness responded in the affirmative. We will turn first to you, Ms. Howard, and then each of the witnesses. Thank you, Chairperson Lofgren and members of the committee. Thank you for providing me the opportunity to testify about the ongoing efforts to secure voting systems across the country and the challenges to this progress stemming from a lack of vendor oversight. Today's unprecedented hearing is a much-appreciated continuation of this committee's work to secure our country's election infrastructure and important step towards comprehensive vendor oversight to address the significant security gaps that remain. Today, I hope to convey three main points. First, election vendors play a critical role in our democracy but have received little or no congressional oversight. Second, despite this oversight, significant progress has been made in election security since 2016. Third, there is still more to do to further strengthen our election systems in the 2020 election and beyond. Congress has an important role to play in that process including oversight of our vendors so important to our elections and security. The absence of oversight negatively impacts the elections ability to secure our infrastructure and felt most acutely in times of crisis, I know from my own experience. In 2017, roughly three months before an election, paperless voting booths were publicly hacked at DEF CON and it was publicly reported.
Even though I was the deputy commissioner of elections I didn't know if the vendors knew about the vulnerabilities exploited by the hackers, if the vendors had taken any steps to address these vulnerabilities owned and controlled by the vendors or if they would fully respond to my questions as they were not then and not now subject to comprehensive oversight. In no other sector designated as critical infrastructure are vendors allowed to provide critical structure without oversight. While the ongoing work of election officials in this committee has resulted in significant security across the country, these are no replacement for comprehensive oversight of a wide variety in our elections yet subject to little or no oversight or regulation. The comprehensive vendor oversight framework we recommend applies not only to voting system vendors but also vendors that maintain and program those systems and count and tally votes and build, manage and maintain voter registration databases and poll books that allow elections to see who is eligible to vote. I was pleased to see these be embraced for comprehensive reform earlier today. We hope Congress can move quickly to adopt these reforms but understand it may take a while to fully implement them. In my written testimony I outline the steps we recommend Congress take in the short term, oversight of the 2500 million recently allocated for election security, paying particular attention to if the money is being spent on building robust resiliency plans, to detect and recover from successful breaches to insure regardless whether there is a successful attack voters will still be able to vote and have their vote counted accurately. In addition I included steps Congress should take after 2020, including expansion of the EAC's oversight role to include more robust monitoring and security practices and oversight of election system vendors.
While lack of vendor oversight is significant concern and there is much work to do before and after the 2020 election, it's important to acknowledge the progress made strengthening our voting structures since 2016. For example, almost half the states using paperless voting systems have now transitioned to paper-based voting systems. Congress has allocated 800 million to bolster election security in the states. Awareness has increased dramatically and election officials across the country are implementing a variety of measures to make our voting systems more secure. Thank you for your time. I look forward to your questions. Thank you very much. Dr. Blaze, we'd love to hear from you. Thank you for convening this hearing on the urgently important topic of securing America's elections. I come here today as a computer scientist who spent the better part of the last quarter century studying election system security. As you're well aware, the integrity of the elections systems across the U.S. depends on the integrity of computer software systems embedded in our infrastructure. Complex software lies at the voting system at polling places but systems used by local authorities to manage everything from voting registration records to tallying and reporting election results to creating ballots and so forth. Unfortunately, much of this infrastructure has proven dangerously vulnerable to tampering and attack and in some cases, in ways that cannot be easily detected or corrected after the fact. These vulnerabilities can create ability for adversaries to do everything from causing large scale disruption on election day to undetectably alter election outcomes in some cases. For the purpose of my testimony, it's helpful to consider voting machines and election management infrastructure separately. Let me begin with the voting equipment itself.
To be blunt, it's a widely recognized, really indisputable fact every piece of computerized voting equipment in use at polling places today can be easily compromised in ways that have the potential to disrupt election operations, compromised firmware and software, potentially alter vote tallies in the absence of other safeguards. This is partly a consequence of historically poor design and implementation by equipment vendors, but it's ultimately a reflection of the nature of complex software. It's simply beyond the state of the art to build software systems that can reliably withstand targeted attack by a determined adversary in this kind of environment. The vulnerabilities are real and serious and absent a surprising and very fundamental breakthrough in my field I would welcome but I don't see coming soon, probably inevitable. Fortunately, this is not all bad news. There is now overwhelming consensus among experts how we can conduct reliable elections despite the inherent unreliability of the underlying software. This requires two things. The first is that the voting technology retain a reliable paper record that reflects the voter's intended choices. Unfortunately equipment that has this property exists today fortunately and it's the simplest available. I refer to paper ballots preferably marked by hand when possible and fed into an optical scan ballot reader and the original voter ballot is retained. This isn't sufficient by itself because the software in the ballot scanners is itself vulnerable to tampering or error and the second that it reliably audited to report the outcomes of each race defined by the ballots marked. There's a technique called risk-limiting audits to affect this quickly. This has to be performed after every election in order to provide meaningful assurance. Unfortunately, only a handful of states currently conduct these audits.
It's urgent these safeguards, paper ballots and audits essential for election integrity, be adopted quickly and widely throughout the nation. The second technology is the election management infrastructure in use by jurisdiction. We give most of the attention to vulnerabilities in voting machines. That's not the whole story. Each of the 5,000 jurisdictions responsible for running elections across the nation must retain a number of critical information system attractive targets for adversaries and most importantly voter database registrations, systems that report final results and so forth. Unfortunately, there are even fewer standards for how to secure these systems, the administration of these systems varies widely and the threats of these systems is often more acute than the threats against individual voting systems. Just as we don't expect the local sheriff to single-handedly defend against military ground invasions, we shouldn't expect county IT managers for the elections to defend against foreign intelligence. That's what we've been asked to do. Thank you for this and this is a vitally important topic and glad you invited me to testify. Thank you very much, Dr. Blaze. Dr. Gilbert. Chairman Lofgren and Ranking Member Davis and the committee, I am happy to share with you my expertise in election usability and accessibility. I have worked more than 15 years conducting studies with various election stakeholders. In 2003 I created Prime Three, an open source universally designed system. To my knowledge, Prime Three is the only open source voting system to be used in state, federal and local elections in the United States. New Hampshire adopted Prime Three and renamed it One for All. Butler County, Ohio uses it as their accessible absentee system. Furthermore, voter machine vendors have created systems modeled after Prime Three.
While I am appearing today as an expert in voting estimation I would like to share key recommendations from 2018 National Academies science and engineering consensus report entitled Protecting the Vote. I was a member of the committee that authored the report. I would emphasize any opinions about this report are my own and do not necessarily represent positions of the National Academies. Securing the Vote was the result of a two year National Academy study conducted by experts from election administration policy, cybersecurity, accessibility and law. Over the course of the study, the committee reviewed extensive background materials and held five meetings talking about a range of topics including voter registration, accessibility, voting technology and impediments to voter security and training of election workers. The committee did not have access to classified information, but instead relied on information of public domain including state and government reports, published academic literature, and testimony to committee. Issues related to voting such as voter identification laws, foreign and domestic disinformation and other topics were outside the charge of the committee and therefore are not included in the report. The academy's report recommended elections be conducted by using human readable ballots marked by hand or machine using a ballot marking device and may be counted by hand or machine using an optical scanner. The report further recommend recounts and audits should be conducted by human reading of the portion and data machines that do not possess verifiable paper audit trails should be removed from service as soon as possible. Currently, there's no known way to secure a digital ballot. At this time any election that does not have paper ballots is not secure and internet voting and specifically electronic returns of marked ballots should not be used at this time.
They recommended election vendors should prevent any probes to tamper with the systems including voter registration systems. Each state should have a comprehensive audit of outcomes and detailed best practices for elections should be developed and maintained. Congress should provide funding to the state and local governments and modernize the election systems and cyber capabilities and Congress should provide funding for major research on voting. Recommendation 7.3 of the academy report says Congress should authorize and fund immediately basic, applied and translational research relative to the administration, conduct and performance of elections. This initiative should include academic centers to foster collaboration with local election officials and industry. This recommendation is bold, calls for research and development and solutions and issues identified in the report. I believe a minimum of 25 million in funding over a five year period would be needed to establish a national center. As a nation, we have the capacity to build an election system for the future. Doing so requires focus and attention from citizens, federal, state and local governments, election innovators in the academy and industry. It also requires commitment of appropriate resources. Representative democracy only works if all eligible citizens can participate in elections and be confident their ballots have been accurately cast, balloted and tabulated. Thank you for the opportunity to be here.
Thank you very much. Reverend Spearman, we'd love to hear from you.
Good afternoon, Chair Lofgren and Ranking Member Davis and committee members. I am indeed honored to be here, for unlike the previous participants on these panels, I am neither a voting systems vendor or expert. I am an activist, one who was raised in a household where the vote was sacred. I'm president of the North Carolina branch of the NAACP and the only member of color from Guilford, North Carolina.
While not an expert in election security, I rely on the findings of those scientists who are and urge my counties on county boards across the nation to do so as well. We must listen to scientists, not vendor marketing claims. Dr. Alex Halderman just published research and finds that electronic ballot marking devices do not create ballots reasonably audited, consistent with the study from Dr. Stark, Dr. DeMillo and Dr. Appel, concluding such devices cannot be relied on to ensure the will of the people. Dr. Duncan Buell, along with others, has studied how voting machines and allocation can create lines which frustrate and disenfranchise voters. Let me hasten to say I am not anti-technology but agree with scientists that security can be compromised by placing an electronic device between the same day registration began allowing voters to cast ballots during the early voting period and led to an increase in voter participation during november 28 of the 2008 presidential election. Voters used prior to my election as a seat on the Guilford County board, I began as an election day specialist around 2017, after a growing number of members began venting their frustrations with the voting process. Coincidentally, this was the same year that tremendous advances for voters occurred in the state of North Carolina. Same day registration began allowing voters to cast ballots during the early voting period, which led to an increase in voter participation during the november 2008 presidential election. In kabul county, voters use hand-marked paper ballots. In 2014, when I was appointed to a church in Greensboro, an opportunity to work at a precinct in Guilford County presented itself and there I worked as a judge and order becoming the chief judge or overseer of finland, one of the largest precincts in the county. In Guilford County, electronics were in use, and among my growing concerns were serving the precinct where problems had arisen with touchscreen or electronic device.
I was the chief overseer of the sixth-highest voter precinct in Guilford County, with 3800 voters. As one of my friends has convinced me that the first line of defense is the local county bipartisan election board like the one I sit on in Guilford County, across the nation there are authorities for selecting voting systems and reviewing the ballot tabulations before certifying election results. If campaigns, political parties insist that these boards one, select only hyperbolic the standard equipment, and two, maintain ballot chain of custody, and three, distribute an accurate people back up to the polls and, four, conduct rigorous reviews of the tabulations before certifying, cyberattacks cannot be successful. They can't be prevented, but the jurisdiction can recover from them and verify the will of the people. I'm talking first line of defense. As a first time witness of the process for voting machines certification, I must admit that I was highly disturbed that the demonstration was conducted in what I viewed as an inconvenient place off the beaten path for most voters. As I drove to the site, I became overwhelmed with how un-user-friendly for minorities, and as I recall, I was the only person of color in attendance. But not only that, when I reviewed the agenda and saw the demonstration was to be conducted with the majority of time allotted to county board members and only a few minutes left for the public to view systems, I immediately called the director of elections and expressed my displeasure with the setup. But when I arrived, the necessary adjustments had been made and everyone moved through the demonstrations together. Elections belong to the people, and the more people are included in the process, the more we may gain the trust and confidence. Thank you for allowing me to share.
Thank you very much. Commissioner Palmer.
Good afternoon, Chairperson Lofgren, Ranking Member Davis and members of the committee.
I'm thankful for the opportunity to testify on the important work being done by the United States Election Assistance Commission in preparation for the 2020 federal elections. As prescribed by the commission's enabling legislation, the Help America Vote Act of 2002, the EAC is focused on state and local election officials across the United States providing secure, accessible and accurate elections. Under that act, the EAC works to implement election reforms, assist states in certifying voting systems, advance voting accessibility, disburse HAVA funds, and disperse best practices in the laboratory of states. In pursuit of this mission, we collaborate closely with state and local election officials, federal partners and others in the elections community. I am grateful that the expert vendor witnesses testifying before you today have shared their insight on the important topics of election security. I would like to begin by thanking Congress for their recent efforts to increase funding in this area. The addition for under 25 million with the state tax will go a long way toward enhancing election technology, and improving security in state and local elections. Simultaneously, the 40 increase in the EAC budget will allow us to bolster existing programs and enhance resources. I should note that the EAC's distribution of 380 million in 2018 HAVA funds to the states in the lead-up to the midterm elections continues to be critically important in helping officials secure the elections infrastructure. I would like to highlight an important update to our testing and certification program. The testing and certification program manual allowed for minor software changes without the full-blown systems certification campaign. In november of 2019 the EAC's testing and cert program issued a notice of clarification providing clear guidelines for submitting these minor changes for certification.
The EAC expects this process will be used by vendors to update the security of their systems with the latest software patches and operating system updates. Tremendous progress was also made in 2019 toward the adoption of Voluntary Voting System Guidelines, VVSG 2.0. VVSG 2.0 will represent a significant leap forward in defining new standards that will serve as a template for the new generation of secure and accessible voting systems. The hard work of NIST staff and EAC personnel culminated in the presentations of these requirements to the Technical Guidelines Development Committee. The committee is now considering the recommendations to the EAC on adoption. My fellow commissioners and I are committed to a transparent and thorough deliberation on the path to implementing VVSG 2.0. The Standards Board and Board of Advisors will meet in april of 2020 to consider these new requirements. After their key input it is my hope it will be finalized and voted on in the upcoming months. As the nation focuses on the 2020 election this year, so does the EAC. On january 14, we are bringing together election experts in security and accessibility to kick off our 2020 focus campaign at the National Press Club. The topics for discussion include security environment, need for enhanced poll worker training and ensuring accessible elections for all americans. The increased fiscal year 2020 appropriations for the EAC will allow us to fill critical staffing vacancies within the agency as well as bolstering our staff to meet demands. We are in the process of identifying candidates for a new general counsel and additional communications personnel, and statutory process for identifying candidates for staff are directives is under way.
Expansions will enhance the ability of system updates during the process while fulfilling other duties for conducting training for election administrators, performing onsite audits for system manufacturing and test lab facilities and overseeing a risk-limiting audit assistance program. HAVA has put forward an aggressive campaign for democracy. Despite recent challenges in recent years, the EAC has fulfilled its obligation and expanded support it provides to the election and voters. With strong support from the Congress and the recent appropriation cycle and reestablishment of the quorum of commissioners, we look forward to the next chapter to continue to help America vote. I'm happy to answer any questions following today's testimony.
Thank you very much. Last but not least, Mr. Gianasi.
Thank you. Chairperson Lofgren, Ranking Member Davis and the other members today, thank you for the invitation to speak before you. As stated previously, Member Davis and I are friends. We grew up in the same town in central Illinois, the town of Christian, Illinois, and I was appointed as the county clerk and recorder in 2017, upon the retirement of that previous clerk and recorder. Subsequently, I was elected as the county clerk and recorder in 2018, of which I currently serve as today. The introduction of my tenure as the election authority was rather swift, and at that time, being in the 2017-2018 time frame, focused on an increase in cybersecurity related responsibilities. I had not been a participant in this arena prior to that time period, so although there were a lot of discussions and a lot of other situations that had occurred previously, I was not a party to that. However, as the new election authority it has become my responsibility to take into account all of these situations and now all of the increasing responsibilities as the days go by. As the election authority, my primary concern on the topic of elections involves several categories.
One being physical security, of course. The election equipment that I have custody of is stored away in my courthouse in a locked room. That election equipment, bat in, I might as well make this comment, is being delivered today, because as of recently I have been approved the ability to obtain new election equipment. My previous election equipment was the AccuVote and TSX type model equipment from Diebold, no longer used by Christian County. We have now upgraded our equipment to the new equipment provided by Unisyn Voting Systems Incorporated, who is not here today. But in regards to meeting with my election vendor, who I have trusted for many many years and previous clerks trusted for many years, the choice of this election equipment was the correct choice and a sound choice. The election equipment that I have chosen is their equipment that provides a paper trail, as required by the state of Illinois, a paper trail whether it be cast manually by the paper ballot or touchscreen device that produces a paper ballot in human readable form at the end of the process, for which the person then has the opportunity to review that, and then they will themselves place that ballot into the ballot box for tabulation. Some of the other logistics I have to also worry about includes staffing of election judges. It is very difficult to always staff my election judges adequately but we do the best we can. Christian County, not being a large jurisdiction, has 30 precincts and of those 30 we have 23 physical polling locations. Five judges per precinct, and it sometimes is rather difficult, but we do our best to try to make sure we have as much staffing as we can at those locations. The election equipment, as far as custody, it stays in that locked room.
It's only accessed by myself or my staff whenever we need to do any upgrades as far as programming, which is involving our election vendor, because I do have that service as well, and then we release that equipment to the election judges prior to the election to take it out, get it to the precincts, and they will bring it back at the end of the election cycle. The cybersecurity related responsibilities, as I described before, have become increasingly noticeable. I am a member of the MS-ISAC and HSIN. I receive notices on a daily basis, multiple times a day, through emails of these different organizations notifying me of vulnerabilities, primarily to software packages but occasionally to other situations that would allow for us to be on a heightened awareness of other attacks possibly directed to our firewall. The situation, as far as funding, of course as a local election authority we do receive funding through the HAVA grants funneled from
you recently purchased new machines for Christian County.
Correct.
What decisions led you to purchase those specific machines?
The original machines that Christian County had been using were purchased in 2004. Those machines, like I said before, the AccuVote and TSX, were purchased using HAVA funds available at that time. Those machines, although doing well, up through and including the most recent elections, have seen better days. They have outdated hardware that is no longer able to physically provide a dark print on the ballot table.
They were outdated. You needed new ones. Did you use HAVA funds to get these machines?
I did not have HAVA funds to get these new machines. I was able to work through the county board who had generation bond money for this project.
How much did that cost you?
I signed a six year lease on these machines and chose not to purchase, and that is approximately 322,000.
Knowing the size of our county, that's a pretty big impact.
Tuesday I have 21,200 registered voters in my entire county.
Great.
When you made the decision to purchase those machines, you did not call anybody at the federal government to ask permission, right?
I did not.
You mentioned in your testimony about the Illinois Cyber Navigator Program, a program I talked about in this hearing room many times. I think it's a great partnership between the U.S. Department of Homeland Security and state of Illinois and in turn all local officials like yourself. How has this program been beneficial to your role as election administrator in Christian County?
The Cyber Navigator Program is beneficial I believe to all election authorities and in particular those that do not have the resources to maintain any form of IT staff, in particular, or those that just have an inability to continue to monitor all of the problems that are coming down the line, and then be able to provide solutions to those problems.
You don't have a dedicated IT staffer, you're that person, right?
Correct. We don't have any IT staff. The county does hire an outside IT contractor to perform all IT related functions including patch updates, firewall maintenance, email maintenance, et cetera.
Just for your office or the whole county and all offices?
For the whole county, all offices.
The treasurer, county sheriff, everybody, right?
Correct.
You find this cyber navigator by the Department of H.S. funded by your tax dollars is good assistance to small counties like your own?
I do. With changes happening, the cyber navigator now partnering with the county has given us the ability to promote different aspects of cybersecurity related awareness and also currently directly assisting with the installation of new hardware that will provide secure access between our voter registration voter database server and Illinois database server called the Illinois Century Network.
Thanks for your testimony today and, Mike, great to see you. Mr.
Palmer, while I have time left, one major element of the infrastructure I believe remains unaddressed are electronic poll books. It's my understanding they're not currently regulated by HAVA in any way. Are there risks associated with electronic poll books?
Yes, there is. You're right. It's not regulated currently under HAVA. Although there are instances there may be some interaction with the voting system. I think the EAC is looking at electronic poll books; perhaps there is a way the EAC could do a review and approval process for electronic poll books. There's a growing use of electronic poll books across the country. It's not universal but more and more counties are using it because of the ease and accuracy of electronic poll books. There are downsides to that. We feel we have an opportunity here.
While I have a few seconds left, can you give us one suggestion or two suggestions what you think we could do to update HAVA, and also if I could ask the EAC to give us an opportunity to address some of the concerns you may have with HAVA, in case this committee and this institution wants to readdress what was passed years ago?
I think there's an opportunity for the EAC at the federal government level to do a review beyond voting systems. The EAC and commissioners, we'd love to talk with the committee as a whole. Talk about ways we believe at the EAC things could be improved from a fundamental level.
Thank you.
The gentleman's time is expired. I turn to Ms. Davis, gentlelady from California.
Thank you to all of you being here with your experience dealing with all these issues. Dr. Spearman, I wanted to ask you, we've talked about the access issue, and you brought to the election personnel the concerns you were having, and sounds like they responded to you. I'm wondering, with all of these issues, what you feel sometimes gets lost on the radar screen, in terms of what the needs of people, of voters really are in their communities that doesn't get addressed very well?
As I stated, and thank you for your question, Congresswoman Davis, as I stated, I have, I guess I would respond to that by saying, on the county board of Guilford County, I am a rarity, the only African-American and the only activist, and I come with the concerns of the people, the concerns of the voter. Oftentimes it seems as if the voter has been last on the totem pole. That's something I have been advocating for since I've been on the board, to put the people on the radar because the elections, as far as I'm concerned, are the people's. The more the people, the more humans are involved in the process, I think the better off we are going to be. As far as I am concerned right now, our democracy is aberrant democracy. In order to make that democracy and save our democracy, I think the people need to rise up and be
Is there a specific change that you think could or should be made, in terms of the easier access or, again, more voting days? I don't know, vote by mail, if that's an issue in your area?
Well, we've been fighting for that in North Carolina since 2013, since after Shelby versus Holder. We're going to continue to fight. We just recently won another lawsuit with regard to winning a preliminary injunction for photo voter ID which has already been a lawsuit that we won previously, but it seems that the General Assembly continues to come back and disguise it in different ways and tries to get it through again. As it relates to access, one of the things that I believe will be helpful, especially to persons like myself, county board members, is more education, more training for the county board members and just let the county board members know what it is they are being elected to do.
Thank you. Dr. Blaze, I think maybe, I think, it was also mentioned what should be done at this time to try and help with these processes. Yet, we know that in many cases that's not going to happen before this next election in 2020.
So what is it that you think we really need to be focused on, very particularly, in terms of hacking of any elections, intervention, what is it you're most worried about?
I think, you know, the things I'm most worried about are a repeat of some of the types of attacks we saw in 2016, against larger election infrastructure, not just voting machines themselves, but the back end systems that manage voter registration records and so on. We've been very fortunate that even in 2016, the attacks against our system had a relatively light touch. The determined adversary that wanted to disrupt our elections would have a frighteningly easy task if they wanted to do so. I worry that the over 5,000 election jurisdictions who maintain these systems throughout the country are not uniformly ready to respond to a sophisticated adversary like that. To the extent we can support them, that is an urgent priority.
You mentioned many counties don't audit. Is that because they feel they don't have the resources to do that? They don't have additional funding or is it just an attitude as well?
No. Everybody is trying to do their best. Risk-limiting audits have not yet penetrated throughout most of the country. There are only a handful of states that do them and more states are starting to explore them. To the extent we can encourage wider adoption of these, that will improve things significantly.
Thank you. My time is up.
Thank you. I just have a few followup questions. First, I want to thank all of the witnesses, but especially Dr. Gilbert. The National Academy report was enormously helpful to us and it was what we ended up putting in our SAFE Act pending in the Senate. Tremendous appreciation for you and the other scientists who worked on it. I want to talk about the ballot marking devices. I don't love these systems. On the other hand, we need to have a capacity to allow the disability community to exercise their franchise freely, and that's an important element of providing for that.
I am concerned about the QR codes and bar codes that cannot be read by the voter, and really if you're checking the paper it doesn't prove anything in terms of whether or not the bar code reflects what's on the piece of paper. It's not possible that all of that will be changed between now and election day in november. What are your suggestions as computer scientist, Dr. Blaze, what could be done in the interim about that problem?
The ballot marking devices were originally conceived as purely an assistive technology for voters who couldn't mark their own ballots for various reasons and were never originally viewed as the primary method
Right.
for people voting. It took us a bit by surprise that systems that use ballot marking devices and were never devised as the primary method of voting were being deployed and purchased by
Correct.
across the country. There's been an explosion of research over the last year in whether voters can reliably verify them. What we found, most recently studied by Alex Halderman's group in Michigan, voters don't appear to reliably confirm their marks match what their intent was. That raises significant concerns.
I understand. It's like 7 of the people whether given a personal reminder to check hes blocking devices ought to be available to those who need them for disability purposes, between now and when that is achieved, what do we do?
The best thing we can do is voter education. The Michigan paper has some concrete suggestions on interventions that are not perfect, but they can at least increase the ability for voters to check, and you know, it's simply a matter of instructions given the voters, whether they will get a personal reminder to check their ballot selections, but they appear to make a significant difference another verified.
Anything to add?
Yes, I have a lot to add. So, to start, these studies, I want to make the record clear. The studies are saying people did not verify their ballot. It didn't say they could not verify their ballot.
I would recommend going to the Michigan study. Notice in the Michigan study, said, remind the voter to review their ballot. It goes up to like 70 if you remind them. Try this. Would you please verify your ballot selections were not changed? Rather than review your ballot. Let's try that. The ballot marking device, there were 16 million voters who voted with a disability in 2016. What was the margin of victory? Less than 3 million votes? So if we were to design these machines so they're only used by people with disabilities, an adversary finds that as happy day because all they have to do is target a specific group. Universal design, meaning more people using those machines, gives you greater security. The likelihood of catching errors increases as a result of that. I will be honest, the universal design when HAVA was created was designed so each precinct would have at least one accessible voting machine. I said that was impossible because you will have separate but equal connotation. They said you can't have one machine everyone uses, so we built it. Later this year we will have an announcement about a transparent voting machine, new innovation that addresses these issues. We recommended we have a national center to do research around these things. That is a necessity. This is an arms race. It's not just going to happen in the end. To suggest we should go back to hand-marked paper ballots is the same as to say we had an accident on the highway and people unfortunately died so we should return to horses and carriages.
My time is expired but I do want to just mention, Ms. Howard, you have decertified machines that didn't meet standards. We know we're not going to get where we need to be between now and november. Do you have any suggestions what interim steps we could make to make the system safer?
Yes. Thank you for the question. Two basic things, right.
Voter education about how to use the machines is very important, and additionally, there must be post election audits, which rely on the human readable portion of the ballots, even if the ballots do include bar codes.
Thank you. My time is expired. All time is expired. I would like to thank each of you for your testimony. Note that because we didn't get a chance to ask all our questions, we may follow up with written questions for you. In that case we'd ask you answer promptly, and we do thank you once again for your service here as witnesses helping us do a better job securing our elections systems for this all important 2020 election. This hearing is now adjourned.
[inaudible conversations]
Good morning. We thank
