comparemela.com

Convenes the committee to examine the russian interference in the u. S. Elections. This is an opportunity for the American People to drill down on this important topic. In 2016, and hostile foreign power reached down into the state and local levels to touch voter data. It employed relatively sophisticated cyber tools and capabilities and helped moscow potentially build detailed knowledge of how our collections work. It was another example of russian efforts to interfere in a democracy with the goal of undermining our system. Were woefully unprepared to defend and respond, and i am hopeful we will not be caught flatfooted again. Our witnesses are here to tell us more about what happened in 2016, what that tells us about russian intentions, and what we should expect in 28 team and 20 in 2018. If we do not work with the states to secure our elections, we could be here in two or four years, talking about a worse crisis. The hearing will feature two panels. The first will include expert fbi, tos from the discuss russian intervention in the 2016 elections, and u. S. Government efforts to mitigate the threat. The second panel will include witnesses from Illinois State board of elections, the national , and anion of directors expert on Election Security to give us there on the ground perspective on how federal resources might be brought to important issue. For our first panel, i would like to welcome our witnesses today. The acting director of Cyber Division within the office of intelligence and analysis at the department of Homeland Security. The acting deputy undersecretary National Protection and programs directorate, also at dhs. And jeanette, i think i told you you came, i did not want that in front of your name. Acting. Bill is the assistant director at thenterintelligence federal bureau of investigation, bill, i want to thank you for the help you provided to the staff of this committee, as we have worked through so far over fiveandahalf months of our investigation into the 2016 elections. This committee is in the midst of a comprehensive investigation on this issue. ,he extent to which russia under the direction of president putin, conducted russian active measures targeting the 2016 elections. Community safee ss is that while they maintained access to elements of multiple u. S. State and local election boards, those states were not involved in vote tallying. I would like to address the depth and breadth of russian cyber activities during the 2016 election cycle and the efforts of the u. S. Government to defend against these intrusions, and the steps dhs and fbi are taking to assure the foundation of our democracy. Fair and free elections in 2018 and belonged. Beyond. I turned to the vicechairman. Witnesses andthe bill, for the work you have done for us. We know in january, the Intelligence Community reached the unanimous conclusion that russia took extraordinary steps to intervene in our 2016 president ial elections. Russias interference in our elections in 2016 was likely a watershed moment in our political history. This is one of the most significant events any of us on this dais will be asked to address in our time as senators. And only with a robust and response will we be able to protect our democratic processes from more incursions in the future. Did at thissians point, in this room, was wellknown. Spreading fake news, flooding social media, hacking personal emails and leaking them for maximum political benefit. Without firing a shot, at a minimal cost, russia so to chaos chaos in oured process. At times, that was aided by certain canon candidates in their comments about the legitimacy of our processes. Also, the conclusion they secured access to elements of multiple u. S. State and local electoral boards. There is no reason to doubt the validity of the vote totals in the election. However, dhs and the fbi have two intrusions into the Voter Registration databases. Both arizona and illinois. Even though no data was modified or deleted in those two states. At the same time, we have seen published reports that literally states one said 39 were potentially intact attacked. Good news that the attempts in 2016 did not change the results of that election. The bad news is, this will not be their last attempt. I am deeply concerned about the danger posed by future interference in our election and attempts by russia to undermine confidence in our whole electoral system. We saw recently, and this was not just here obviously, we saw recently russian attempts to interfere in the elections in france. Next week there will be a hearing on some of these russian efforts in europe. We can be sure that Russian Hackers and trolls will refine their tactics in the future. Especially if there is no penalty for these malicious attacks. Senateone reason the voted so overwhelmingly to strengthen our sanctions on russia. I hope that action sends a message to mr. Putin that there will be a heavy price to pay for attacks against the fundamental core of our democratic system. Make no mistake, it is likely we will see more of these attacks in america and against our partners. I heard this morning that the russians are already active engaged in that the russians already active engaged in the german election cycle which takes place this fall. In virginia we have statewide elections this year. This needs a sense of urgency. The election process, the manpower, primarily is a local and state responsibility. In many states, including my own, we have a very decentralized approach which can be the strength and weakness. In virginia, decentralization helps enter largescale hacking or manipulation. Localities is more than a dozen different types of issues, none of which are connected to the internet. While in use, we have a number machines so that the tabulations could be broken into. Large cybermakes attacks of our electoral system more difficult. It makes maintaining consistent, corrugated cyber defenses more challenging. Furthermore, states may be vulnerable when it comes to defense of Voter Registration and history databases. That is why i strongly believe the threat requires us to harden our cyber defenses, and to thoroughly educate the American Public about the danger. Yesterday, i wrote to the secretary of Homeland Security and urged dhs to work closely with the state and local Election Officials to disclose publicly which states were targeted, not too embarrassing states, but how can we put the whencan public on notice we have only revealed to states, yet we have public reports . That makes no sense. I know it is the position of ghs that the states were victims, it is their responsibility. I cannot believe this was an attack on physical infrastructure, it wouldnt be a more coordinated response. We are not making our country safe if we dont make sure that all americans realize that. Xtent of what the russians did if we dont get our act together, what they will do in a more traumatic form in 2018. Candidly, the idea that this it is notur credit, my responsibility, it is not my job, i dont believe it is an acceptable decision. We hear a plan on how we are to get more information into the bloodstream at how we can make sure we have better practices, so that all states are doing what is needed. Im not urging that the federal government intervene in one of the local or state responsibility but to not put all americans on notice is crazy. My hope is that well get some answers. I want to thank in january dhs did designate the nations electoral and perception is critical. That is important electoral infrastructure as critical. That is important. We are going to see more of this. This is the new normal. I appreciate the chairman for holding this hearing. Im looking forward to getting my questions answered. With that, i understand you are going to go first. The floor is yours. And distinguish members, thank you for the invitation to be here. Analysisnt the Cyber Division of Homeland Security. Produceion is to intelligence information and analysis to represent our partners. Courtney and collaborate on products. We share intelligence with our customers at the lowest classification possible. We are team of dedicated analysts who take threats seriously. I like to begin by clarifying the threat we observed 2016 elections. Prior to the election we had no indication what the criminals were planning. Throughout spring and early summer 2016, we and others begin to find indications that the russian government were responsible for widely reported compromises and leaks of emails of political figures and institutions. We received reports of cyber enabled scanning, including election related infrastructure. From that point, i began working together and share Additional Information about the threat. Ina participated in this in events, collaborated with other can tell to community members. The National Intelligence council provided direct support to the cyber center, the toal Cyber Security share threat information related. By late september we determined relatedrnet connected were targeted by russian government cyber hackers. None of these systems were involved in book telling. Our understanding in vote tallying. It is consistent with the scale. This activity is best characterized as hackers attempted to use commonly available tools to exploit known system one ability. The majority of activity we observed was indicative of simple scanning for vulnerability. Systems werer of unsuccessfully exploited. Though somebody had battle the doorknob and was not able to get an thats had rattled the doorknob and was not able to get in. Based on activity we observed, dhs made it series of assessments. We started out with, we had no indication that adversaries were to change the outcome of the 2016 election. We assessed that multiple checks and redundancies including diversity of systems, not internet connected on a machines, preelection testing and processes for media, campaign and Election Officials were checked come audited and validated the results. We finally assessed the types of systems russian actors targeted are compromised or not involved in vote tallying. We continue to evaluate available information. Dhs has not altered any of this information. Manfraallow jeanette talk about how dhs is working with systems. I look forward to answering your questions. Burr ms. Manfra. Themanfra thank you for opportunity to represent the men and women who serve in the department of Homeland Security. Im here discuss to reduce and limited threats to the nations critical Cyber Infrastructure, specifically as it relates to elections at our nations Cyber Infrastructure is under constant attack. In 2016, we saw operations directed against u. S. Election infrastructure and political entities. Providedess group, dhs actionable information and capabilities to help Election Officials identify and mitigate vulnerabilities on the network. Information led to detection of malicious activity affecting internet connected will connected election related networks. Thiswe became aware of activity, we worked with the entity to understand the intrusion had occurred. Many of these detections represented potentially a malicious vulnerability scanning activity. Not successful intrusions. This activity and partnership would be victims and targets enhanced our Situational Awareness of the threat and further informed our engagement with state and local Election Officials. Given the vital roles that elections have in a free society, in joint in january of this year, the former Homeland Security secretary established at the structure established infrastructure. Dhs is leading efforts to partner with Election Officials, as well as private sector vendors to formalize the privatization of loan terry securityrelated assistance and to ensure we have medications channels and protocols to ensure that Election Officials receive information in a timely manner. We understand how to join the respond to incidents. Election infrastructure now receives Cyber Security and protection assistance similar to what is provided to other Critical Infrastructure, such as financial institutions. Our election system is running by state and local governments in thousands of jurisdictions. Importantly, state and local officials have been working to reduce risks and ensure the integrity of the election. As threat actors become sophisticated, dhs stands and partnership to support their efforts. Safeguarding cyberspace is a core mission of dhs. Through our National Security Committee Case and center, dhs assists local customers as a part of our daily operation, such assistance is voluntary. It does not entail regulations of federal oversight. Our role is limited to support. In this role, we offer three types of assistance, assessment, information and Incident Response. For the most part, dhs has offered two types of assistance, first the cyber Hygiene Service or internet facing systems divides every current report identifying vulnerabilities and recommendations. Second, our Cyber Security expert can go onsite to assess assessments. Dhs continues to share taxable information on Cyber Threats and incidents to multiple means. We saw that we have published best practices and addressing potential threats to election systems. We share cyber threat indicators, another analysis that Network Defenders can use to defend their system. Provide threat and vulnerability information to state and local officials. This organization is partly grant funded by dhs and has representatives that had but executives that sit on our floor. They can receive information through our person throughout the country and in partnership with the fbi. We provide Incident Response assistance as requested to help state and local officials to identify any cyber incidents. India case of a potential compromise as in the case of a potential demise, we share the information with other states. Moving forward, we must recognize that the nature that is facing our election infrastructure will continue to evolve. Dhs is working with stakeholders to establish these appropriate for needing mechanisms to engage with them. These will formalize our mechanism for collaboration and ensure longterm sustainability and partnership. We will lead the federal efforts to support Election Officials with security and resilient efforts. I want to reiterate that we do have confidence in the integrity of our system because our infrastructure is resilient. It has many checks and balances built in. As the risk environment evolves, the department will continue to support partners by providing information and offering assistance. Thank you for the opportunity to testify. I look forward to any questions. Thank you very much. Good morning. Chairman burr, vice chairman warner and members of the committee, thank you for the opportunity to appear before you today. My statement for the record has been submitted. Rather than restating it, i would like to step back and provide you a description of a broader threat as i see it. My understanding begins by asking one question what does you well know, during the cold war, the soviet union was one of the worlds two great powers. However in the early 1990s, it collapsed and lost power, stature and much territory. In the 2005 speech, Vladimir Putin refer to this as a major catastrophe. The soviet unions collapse left the u. S. As the full superpower. Since then, russia has substantially rebuilt, but it has not been able to fully regained its former status or its former territory. The u. S. Is too strong and has too many alliances for russia to want military conflict with us. Therefore hoping to regain its prior stature, russia has decided to try and weaken us and our allies. One of the ways russia has taught to do this is by influence, rather than brute force. Some people refer to russias activities as information warfare. It is information that russia uses as a weapon. In regards to our most recent president ial election, russia used information to try to undermine the legitimacy of our election process. Russia saw to do this in a simple manner. They collected information, be it computer intrusions or intelligence officers, and they selectively disseminated emails they hoped would disparage certain political figures and said unflattering light on political processes. They pushed take news and propaganda. They used online amplifiers to spread information to as many people as possible. One of their primary goals was and undermine a key democratic principle, free and Fair Elections. In summary, i greatly appreciate the opportunity to be your today to discuss russias election influence efforts. I hope the American People keep in mind that russias overall aim is to restore its relative power and prestige by eroding democratic values. In other words, its russian desperate election activity was not a onetime event. I look forward to your questions. Thank you. Thank you very much to all of our witnesses. Members, we will proceed by seniority for recognition for up to five minutes. The chairman will tell you when you have used all your time. The chair will recognize himself for five minutes. Yes or no to all three of you. Most important question do you have any evidence that the folks themselves were just devotes themselves were changed in the 2016 devotes themselves were changed in the 2016 election . Was no detected change in the vote. No sir. No sir. Bill, to you. Determined they are aggressive in getting more sophisticated by the day. The diversity of our election system is a strength of the intrusions in the state systems also show that moscow is willing to put resources toward an unclear result. In 2016, we saw voter data stolen. How could moscow potentially use that data . They could use the data in a variety of ways. Unfortunately in this setting, i cannot go into all of them. Data of all, they took the to understand what it consisted of pete what is there, so they can infect affect better understanding and plan accordingly. When i say plan accordingly in regards to possibly impacting future elections and or targeting particular individuals , but also by knowing what is there and studying it, they can determine is it something they can manipulate or not. There is a couple of other things that would not be appropriate as well. Next to any of you, to any of you, you have heard the vice chairman talk about the frustration about publicly talking about how many states. Can you tell the image and people why you cant disclose tell the American People why you cant disclose the states of the numbers . Ms. Manfra thank you for the question. Through the long history that the department has in working with private sector in state and local on Critical Infrastructure and Cyber Security issues, we believe it is important to protect the confidentiality that we have and the trust we have with that community. An entity is a victim of a separate incident, we believe strongly in protecting the information around that victim. That being said, what we can do is take the Technical Information that we learn from the engagement with that victim and anonymize it so it is not buttified with that entity, we can take all the Technical Information and turn it around and share that broadly whether with it is an affected sector and we have multiple mechanisms for sharing that. We believe this has been a very important key to our success in developing trusted relationships across all of the 16 Critical Infrastructure sectors. Are we prepared today to say publicly how many states were targeted . As of right now, we have evidence of 21 states that were targeted. But in no case were actual vote tallies altered . That is correct. The french respond to the russian involvement in the french elections month ago . Is that something we followed . Standpoint,bureaus it was something we followed from afar. We did have engagement with a french official but not at liberty to go into what those consisted of ok. T consisted of peer consisted of. Ok. We talked about russia. Lets talk about next year. Lets talk about the want to 17 elections in virginia and the 27. The 2018 elections what are we doing to prepare ourselves . Sir good as we noted we are taking this threat very seriously. Identifying this communitys Critical Infrastructure subfactor that has allowed us to prioritize with them. Similar to the 2016 elections, we are identifying additional resources, prioritizing our engagement with them through information sharing products. Identifying in partnership with the state and local communities, those communication protocols. How do we ensure we can declassify information quickly and get it to the individuals that needed. We have committed to working with state and local officials on Incident Response playbooks. How do they understand where to engage with us. Where do we engage with them and are we able to find the entire resources of the government to bear to help officials secure the election systems. Atthank you for the answer 21. 21 states is almost half the country. We have seen reports that were even higher. Chairman, votehe totals were not changed, but can you explain how we are made safer by keeping the identity of 19 of those states secret . Since arizona and illinois acknowledged they were attacked . Sir, i bring it back to the earlier point you made about the future elections. Part of the key pieces for us within ina is our ability to work with our partners, because of our collection mechanisms work. I high level of trust. If this was Water Systems or power systems, with the public be safer would the public be safer by not knowing the Water Systems were attacked . For other sectors we apply the same principles. When we do have a victim of an incident in the electorate sector or water sector, we do keep the name of that entity confidential. Some of these sectors do have breach reporting requirements that requires the victim and excited 21 of the states, are they aware they were attacked . The system owners are aware of the targeting. Yes or. Yes sir. At the state level, you could have other officials, there may have been an attempt to penetrate and you may have local registrars may not know they have been the subject of russian activities at we have been working to ensure the Committee Case in there may be a number of officials who dont know their state was targeted in 2016. Ms. Manfra the owners of the system do know. We have a decentralized system i disagree. I understand the notion of victimization. I do not believe our country is made safer by holding this information back from the American Public. I have no interest in trying to embarrass any state. Test we have seen this for too long and cyber pete we have seen it in financial industry where people try to sweep this under the rug. About i go back to initial comments pete we had no idea comments. We had no idea. We had 21 states. We have two that came forward while no Election Results were changed. We do know there were a number of states how many states did the russians exfiltration data such as Voter Registration lists . I preferred not to go into those details in this form. We were tracking 21 states that were targeted. The states that had their data actual traded axel traded by the russians, are they aware . How do we make sure the states are not willing to acknowledge that they had vulnerabilities . We are in a brave new world. I understand your position. But i thinkstrated we need a reexamination of this policy. The designation by former secretary johnson as Critical Infrastructure, what does that change in terms of how our operations are Going Forward . By that designate Going Forward . What does that really mean in practical terms, in terms of assistance or information sharing . What it means, it means three things. A statement that we do recognize these systems are critical to the functioning of american life. That is an important statement. The second is that it formalizes and sustains the Department Privatization of engagement with the community. The last is it provides a particular protections for sharing of information with vendors within the Election Community that allows us to have conversation to discuss a vulnerabilities with attentional systems that we would not have. I talked to secretary kelly last week. I would like us to get more information. What i have heard today, there were 21 states, i appreciate that but within those 21 states i have no guarantee that local Election Officials are aware that the state system may have been attacked. We dont know how many states actually had exultation. Exfiltration. Ms. Manfra we look for to getting back to you letter. On the third question we defer to the fbi. Cooks vicechairman i cannot comment on our pending investigations related to the cyber sen. Warner should the public take away a sense of confidence that the russians currently stopped . Trying to interfere or tap into our Electoral Systems . That is not what i am saying. The russians will continue to try to conduct influence operations in the u. S. Which will include cyber intrusions. Thank you mr. Chairman. To dhs into the bureau, a quick question. If you cannot answer it, please go back. Told your agency be opposed the chair and vice chair sending a letter to the 19 states that have not been ugly disclosed not been publicly disclosed . Sir, i would be happy to take that question back to my organization. I would just add that the role you are committing is playing in regards to highlighting the russians ames and activities i think its critically important for this country. The bureau is trying to balance the messaging and that with doing things that do not impact what we can learn through our investigations. I know it is a fine balance, but the bottom line is you play a key role in raising awareness of that. I thank you. Fair concern and if both of you would go back and get back with us, we will proceed. So the American People can have solid confidence in what you have done, could you give the American People an idea if you feel the numbers are classified, you do not have to go into it, but the number of people involved on dhs and fbi in this investigation. Us a general idea of that. Which ever one of you want to take this question. From a dhs perspective, we few resourcese a from our intelligence and analysis and our operations analysis to put a number on it is somewhat challenging would you say it was substantial . It was a substantial level of effort. Youre confident you got where you wanted to go when you set out to make this investigation . Yes, sir. Our key priorities was developing relationships with that community and getting information out whether it was to victims or broader indicators we could share. We accomplished that. We held multiple sessions, 800 indicators to the community. We do believe we accomplished that. We dont want to let that down at all. We want to continue that level of effort. Im focusing on not what you did after you got the information but how you got the information. Youre confident you got what you got we needed to advise everyone of what was going on . Yes, sir. We did. Both agencies again, everyone knows the specificity and identity of the russian agencies involved . Are you comfortable in identifying them here today or do you still feel that is classified . Yeah, other than what was mentioned in the unclassified version of the Intelligence Community assessment, id rather not go into any details. Were there any of those agencies identified, russian intelligence agencies identified . Figiu was identified. Homeland security . Yes, sir. Thank you much. Let me ask this question. I come at this from a little different perspective and i think the American People have a right to know this. Either ofhe work that year agencies did, all the people involved, all the digging you did through what russians had done and any evidence, direct or circumstantial, to any degree, down to a scintilla of information, that any u. S. Information colluded with assisted or communicate with the russians in their efforts . Commentonjust cant that today. That falls under the special counsels perfume. H purview. Are you aware of any such evidence . Im sorry. I cant comment on that. I cant offer comment on that. Thank you, mr. Chairman. Senator feinstein . Thanks very much. Candidly, im very disappointed by the testimony. We have learned a great deal and the public has learned a great deal, and it seems to me we have to deal with what we have learned. Said, and i think quite pointedly, that russia has decided to weaken us through covert influence rather than brute force. And i think that is a correct assessment. And i thank you for having the courage to make it. Heres a question. To the best of the fbis knowledge, have they conducted covert influence in prior Election Campaign in the United States . If so, when, what, and how . Yes. Absolutely, they have conducted influence operations in the past. What made this one different in many regards was, of course, of what you can do through Electronic Systems today. When they did it to the past, it was doing things like trying to put in biased or half true stories, getting stories like that into the press or pamphlets that people would read. So on and so forth. Allowedrnet has pressure to do so much more today than theyve ever been able to do in the past. Youre saying prior campaigns were essentially developed to influence one campaign above another . To denigrate a candidate, if she was elected, and to support another candidate subtly . That russia for years has conducted influence operations targeting our elections, yes. Equal to this one . Not equal to this one, no. What made this one different . Scalein, i think the and the aggressiveness of the effort made this one different. Again, its because of the electronic infrastructure, the internet, what have you today, that allowed russia to do things thatin the past they were not able to do. Would you say this effort was tailored to achieve certain goals . Absolutely. And what with those goals have been . The primary goal in my mind was to sew discord and try to delegitimize our free and Fair Election process. I also think the number of their goals another of their goals, which the entire new United States intelligence kindred he stands behind, was to denigrate secretary clinton and to try to help then current President Trump. Have they done this in prior elections in which they have been involved . Denigrated a specific candidate and or try to help another candidate . Yes, maam, they have. Which elections were those . Cant think of it example off the top my head. All the way through the cold our recent election, they have tried to influence all of our elections. This is a common practice. Have they ever targeted what was admitted to be 21 states . Am not awareve, i of that. That scale is different than what im aware of what they have tried to do in the past. Again, the scale and aggressiveness here separates this from their previous activities. Has the fbi look at how those states were targeted . Absolutely. What is your finding . We have a number of investigations open in regards to that. Guess becauseg, i they are all still pending investigations, i would rather not go into those details. The other thing i would ask you to keep in mind is that we continue to learn things. So, there was some activity. Theere looking at prior to election. It is not like when the election was finished, our investigation stopped. As we learn more, we share more. Do you know if it was the intent of the fbi to make this information public at some point . This gets back to an issue the vicechairman raced. Raised. I want to be clear on my position. I think it is critically important to raise awareness about russias aims to undermine our democracy, and their tradecraft and how they do it. My organization, though, part of understanding that tradecraft is conducting our investigations where we learn more and more about tradecraft. We try to balance what do we need to provide the partners so they can best protect themselves versus not interrupting our investigations if the information were to be made public . Thank you. My time is up. The vicechairman and i have already decided we are going to invite the bureau in for a classified briefing to update all members on the open investigations and any that we see that might warrant on their minds an opening of a new investigation. In addition, let me remind members that one of the mandates of our investigation is that we will at the end of this work with the bureau and other appropriate agencies to make a public report in as great a public detail as we can our findings are russias involvement in our election. So, it is the intent of the chair, at least, to make sure that as much as we can declassify its done and the public its a true understand and a report. Senator rubio . Most important thing we are going to do is tell the American People how this happened so we are prepared for the next time. What begins by outlining what they tried to do in this regard . They have done in other countries around the world. The first is undermine the credibility of the elector process. To be able to say that is not a real democracy. It is filled with all kinds of problems. The second is to undermine the credibility of our leaders, the person who wins. They want that person to go into office hobbled by scandal and all sorts of questions about them. The third, ideally in their minds, i imagine, is to control the outcome. They think they could do public messaging or in the worst case nearby being able to manipulate not happenhich did here. By the way, these are not exclusive you can do all threes. They work in conjunction. You could argue they have achieved quite a bit if you think about the amount of time that we have been consumed in this country on this important topic. And the political fissures that has developed. The way i point to it and if anyone disagrees, i want you to tell me this, we have something in american politics both sides do it, it is called Opposition Research pretty find out about your opponent to hopefully it is disqualifying information. Theyackage it, leak it, reported, they run ads on it. Imagine being able to do that with the power of the nationstate, illegally acquiring things like emails and being able to weaponize things by leaking it to someone who will post that and create all sorts of noise. That is certainly one of the capabilities. The other is straight out misinformation, right . The ability to find a site that looks like a real news place, have them run a story that is not true. Have your trolls begin to click on that story. It arises as a trending topic. By the time the figure it out it is not true, a lot of people think it is. I remember seeing one in early fall that president obama had outlawed the pledge of allegiance. I had people texting me about it. I knew that wasnt true. We had people texting about asking if it was. That was somebody with too much time on their hands. The access to our Voting System. The people talk about affecting the tally. Think about this, even the news could haveer potentially gotten into the Computer System is enough to create the specter of a losing candidate arguing the election was rigged. The election was rigged. Americans,e most including myself, do not fully understand all the technology that surrounds the Voting Systems per se, you give that election is rigged kind of narrative to a trial and a fake new site and that stuff starts to spread. Then you have a political leader being sworn in on to the cloud of whether the election was stolen because vote tallies were change. I do not know why they were probing this different system because a lot of the information they were looking at was public the available. Voter rolls. Campaigns do it all the time. I would speculate one of the reasons is potentially because they want one of these stories there. Ut creating the specter of being able to argue at some point the election was invalid because hackers had touched election systems in key states. Ulyt is why i really trru believe that it is so important to the extent possible, the systems part, as much of it be available to the public as possible, because the only way to combat misinformation is with truth and facts and explain to people i know some of it is proprietary and some of it we were trying to protect methods but it is really critical that people have confidence that when they go vote, that vote is going to count and someone is not going to electronically change it. I just really hope we err on the side of disclosure about our systems so that people have full confidence that when they vote i can tell you i was on the ballot in november, and i remember people asking me repeatedly, is my vote going to count . Afraid people would not vote. I hope is we move forward, i know that is not your decision to make in terms of declassifications, but it is really, really, really important that americans understand how are our Voting Systems work, what happened, what did not and we be able to communicate that in real time in the midst of an election so that in 2018, these reports start to emerge about our Voting Systems being pinged enoughwe can put out information in october and november some people do not have doubts. I know that is not your decision. But i hope it is part of what we push on here because i think it is google for our future. It is critical for our future. Let me say to the three of you and i sat respectfully that on the big issue, which is which states were affected by russian hacking in 2016, the American People dont seem to be getting more information than what they already have before they showed up. We want to be sensitive to security concerned but that question has to be answered sooner rather than later. I want to send that message in the strongest possible way. We obviously need to know about the vulnerabilities so that we can find solutions. And we need better Cyber Security to protect elections from being hacked in the first place. And that means solutions, like mail system, my that has a strong paper trail, error gapped computers and enough time to fix the problems if they pop up. Now to my. Question you call mentioned the january intelligence assessment saying the types of systems we observed russian actors compromising are not involved in votboth countie. Your prepared testimony today makes another point that i think is important. You say, it is likely that cyber manipulation of u. S. Election systems i intended to change the outcome of a National Election would be detected. We hhat is different than ave heard thus far. I have two questions. What level of confidence does the department have in its assessment that 2016 vote tallying was not targeted or compromised, and second, does that assessment apply to state and local elections . Sir, for the question. So, the level and effort and skill required to change the outcome of a National Election would make it merely nearly impossible to avoid detection. This assessment is based on the diversity system and the need for physical access to compromise Voting Machines themselves, security of preelection testing of employees by state officials, a lumber of standards and a n umber of standards and protocols put in place. In addition to the vast majority of locales engaged in accuracy testing. Before, during and after the election. An immense amount of Media Attention apply to this, which also brings the idea people watching and making sure the Election Results represent what they see. Plus, there are just statistical anomalies that would be detected. What about state and local elections . You have the same level of confidence . From the standpoint of the nationstate after operating against a state and local election system, we would have the same in an internet connected system, we would have the same level of confidence. Yes, sir. I think this also gets to senator rubios point about the difficulty in the general public understanding the variety of systems that are used in our election process. And so, we broke our level of engagement and concern down a couple of different areas. The Voter Registration system, often usually connected to the internet. We also were looking at the Voting Machines themselves, which by best practice and by the voluntary voting standards and guidelines that the department of commerce works with the Election Assistance Commission on is my best practice, those are not connected to the internet. So can Homeland Security assure the public that the department would be able to detect an attempted attack on vote tallying . What i would suggest, sir, is that, ability, as has been demonstrated by security researchers, to access remotely a voting machine to manipulate that vote and then to be able to scale that across multiple different Voting Machines made by different vendors would be virtually impossible to occur in an undetected way in our current election system. Has the department conducted any kind of postelection forensics on the Voting Machines that were used in 2016 . We are currently engaged with many vendors of those systems to look into conducting some joint forensics with them. The community is very interested there has been no analysis yet . Our department has not conducted forensics on specific Voting Machines. You believe it is important to do that in terms of being able to reassure americans that there was no attack on vote tallying . That we doould say currently have voluntary standards in place that vendors approximatelyd in 35 states, they actually require some level of certification of those Voting Machines, that they are complying with those standards. We would absolutely be interested with working with vendors to conduct one last question. Obviously, the integrity of elections depends on a lot of people state and local election officers, vendors, third party contractors. Homeland security and the fbi confident that the federal government has now identified all of the potential government and private sector targets . Im confident we have identified the potential targets. Thank you, mr. Chairman. Senator collins. Let me start by saying it is a great pleasure to see you herea gain. In 2003 you are detailed to the Homeland Security committee when i was the chairman and how helpful you were in our drafting the intelligence reform and Terrorism Convention act. So, thank you for your continued public service. Andtestified this morning answer the question of what does russia want . You said the russians want to undermine the legitimacy of our election and seow the seeds of the American Public. Despite the exposure and the publicity given to the russians efforts in this regard, do you have any doubt at all that the russians will continue their activities in subsequent elections . I have no doubt. I just dont know the scale and aggressiveness, whether they will repeat that. It will be less or if it will be more. I have no doubt they will continue. Is there any evidence that the russians have implanted malware or backdoors or other computer techniques to allow them easier access next time to our election system . Im sorry, senator, i cannot comment because of our pending investigations. Secretary the secretaries of state who are responsible for the election system have a pretty blistering attack on the department of Homeland Security in the testimony that will be given later this morning. And i want to read you part of it and have you respond. Yet, nearly six months after the designation and ofy mean designation election system as critical and researcher, and in spite of comments by dhs they are rushing to establish election protections, no secretary of state is currently authorized to receive classified information that would help them to protect their election system. Why not . You for that question. I would note that this community, the secretaries of state, and for those states where they have a state election director, is not one the department has historically engaged with. What we have done in the process of building the trust and learning about how they do their work and how we can assist, we have identified the need to provide clearances to that community. We have committed to them to work through that process between our department and the fbi. Let me ask you about your own agency, which is the agency that focuses on Critical Infrastructure, including our elections systems. Now, mppd is not an official element of the Intelligence Community that would have routine access to especially sensitive classified information. So, how do you know with any certainty whether you and others into allency are read the relevant classified information that may exists regarding foreign threats to our Critical Infrastructure, including ou election systemr . Yes, maam. Despite the fact we are not a part of the Intelligence Community and our focus is on Network Defense and operations and partnership with the kriegel infrastructure and the federal government, we feel very confident that with the partnership with our own intelligence analysis, division that serves as an advocate for us within the Intelligence Community, as well as our direct relationships with many of those individuals and organizations such as the fbi and nsa, that we receive information quickly, and when we ask to declassify that, are responsive and we work through our partners, the intelligence analysis office, to ensure that happens quickly. Is there room for improvement . Absolutely, of course. But we have the full commitment of the Intelligence Community to get us the information that we need. And finally, how many states have implemented all the best practices recommended in the document developed by dhs regarding the protection of election systems . I would have to get back to you on a specific number of state. Do you think most states have in our informal engagement many noted they had already adopted some of these and some were incorporating them. I would ask for a response for the record. That is a really important point. Want to thank you for just how seriously you have taken this and how you have answered the questions this morning in your testimony. I think you hit the nail on the head when you said we need to step back and ask the fundamental question, what do the russians want . And by outlining that they want to undermine legitimacy in our system, that they want to sow discord and undermine our free and Fair Elections, we really have a better lens with which to understand the specifics of what happened in 2016. View, were the russians successful at reaching their goals in their activities in our 2016 elections . Know for certain whether the russians would consider themselves successful. Might argue, they that because of the time and energy we are spending on this distracting it is us from other things, but on the other hand, exactly what this committee is doing as far as raising awareness of their activities, there aims for their American People, to me, they have done us, in my opinion, they have done the American Public a service in that regard. I guess i dont know. Could argue either right. Is certainlye jury out for the future, but when you look at the amount of discord that was sown and the impact on 2016, i hope that the outcome of what we are doing here is to make sure in 2018 and 2020 and 2022, that by no metric will they have been successful. Stated very correctly that one of their primary goals was to delegitimize our democracy. Are you familiar with the term unwitting agent . Yes, i am. Can you summarize what that is for us . In an intelligence context, it would be where an Intelligence Service is trying to advance surnames and certain aims and they reach out to a variety of people, some of which they might try to convince to do certain things and the person or persons they contact, might actually carry those out for Different Reasons than the Intelligence Service had actually wanted them to carry them out. In other words, they do it unwittingly. By effectively reinforcing the russian narrative and publicly saying that our system is rigged, did then candidate trump, now President Trump, become what intelligence officials unwitting agent . An unwitting agent . Cant really comment. I dont blame you for not answering that question. We have got about 1 46 left. Can you talk about the relationship between the election penetration that we saw and the coincident russian use of what w the coincident russian use of what senator rubio aptly of socialof trolls media designed to manipulate the American Media cycle and how those things fit together . Fit together the intrusions what is the relationship between what they were doing from a technical point of view and what they were seeking to do in the media cycle by using trolls, bots, and manipulation of the media cycle . The best way i can describe it is this is, in my opinion, wellplanned, well coordinated attack on our election processes, our democracy. That might sound complicated, but it was straightforward. Information from a variety of sources, they want to evaluate that intelligence, and then they might selectively disseminate some of it, they might use others for a more strategic discussions. At the end of the day it is about electing intelligence to give them some kind of advantage over the United States, and then well coordinated, wellfunded diverse ways to disseminate things and hopefully influence american opinion. Lets start with a comment that dhs made that the systems, s targeted were not compromised in vote tallying. Is that because the vote tallying systems are harder to get into than the Registration Systems . I cant make a statement as to why different systems were targeted, but we can assess the vote tallying systems, whether votershines, the kiosk use at the stations, or the system used to tally votes were very difficult to access, and particularly to access them remotely. Observation el of tallying at every level of the process, that we would have identified issues. There were no identified issues. If youuld think that could get into the vote tallying system, and you did want to impact the outcome of the election, vote tallying system is the way to do it. Suggest that all of your , a lot of your efforts, should be to continue to do what ever dhs thinks they need to advise. I do not think that we should centralize this system and take give advice to local and state Election Officials. To make sure that that vote atlying system is protected a level above other systems. Voter Registration Systems are public information. It is generally accessible in lots of ways. It is not nearly as protected for that reason. It has lots of input from lots of sources into that system. I think that you made the point a best practice would not be to have the vote tallying system connected in any unnecessary way to the internet, is that right . The kiosks themselves and vote tallying systems, not to connect them to the internet, but also to have, ideally, paper auditing trails as well. I agree. A paper trail is significant. And prevalent as people are looking at new systems. Also, i think any kind of thirdparty monitoring, the first two parties being the voter and counting system, just creates another way into the system. My advice would be dhs doesnt want to be in a system where you are connected to all of the Voting Systems in the country. I think that you said the diversity of our Voting System is a great strength of the system. Do you want to comment . At the diversity of the Voting System as a strength. Effect that they were not connected in any centralized way. Reevaluated that as looking at the Risk Assessment at the office of separate intelligence analysis. We looked at that as one of the great strengths. Our experts in i. T. Also said the same thing. Hope you think about that as one of the great strength as you look at this Critical Infrastructure. Every avenue for federal monitoring, there is also one more avenue for someone to figure out how to get into that system. Again, the Voter Registration system dramatically differs in what it does. All public information, accessible and printed out, en to people to use careful of what information you give and what you dont, but all have that system in a way to share that with the public in a system. There is no reason to share the security of the counting system to the public or have it available or accessible. I would think that dhs, or no one else, decides they will save the system by having more avenues into the system. Absolutely not. We are supportive of the voluntary standards process. We are engaging with that process with our experts. We continue with the voluntary partnership with state and local. Thank you, mr. Chairman. Starting with a couple of short questions, you stated this was a grave threat, the russian attempts to probe and upset our local election systems. Any doubt it was the russians . No, sir. Any doubt they will be back . No, sir. To our dhs witnesses, have the 21 states you mentioned where we know this has happened been notified officially . The owners of the systems within those 21 states have been notified. How about the Election Officials in those states . Theyre working to make sure Election Officials as well understand. I will have to get back to you if all 21 states. Have you had a conference of all Election Officials secretaries of state on this issue . I have had at least two teleconferences. We will be engaging with them in july. I would urge you to put urgency on the spirit we have another election in 18 months. If were talking about systems, time is going by. This characterize we already heard this characterized as a grave threat. Shame on us if we are not prepared. Every other week we have a teleconference with Election Officials and National Associations that represent those bipartisan individuals who engage with us on a regular basis. This is of the of most emergency for the government to ensure that we have better protections Going Forward of the Election Community. They are similarly committed and have been so. No one is talking about the federal takeover of local election systems. What we are talking about is Technical Assistance to information, and perhaps funding at some point. This is similar to our to other sectors, completely voluntary. It is the department providing information to potential victims in the network to ensure they have access to what we have access to and can better defend themselves. Ill take issue with something you said. Election national that is too large or too diverse to crack. We dont have a National Election between a 50 state elections. Each election in the state can depend upon a certain number of counties. There are probably 500 people within the sound of my voice who can tell you which 10 counties in the United States can tell president ial election. A sophisticated actor could hack the election by focusing on particular counties. Im sure that sen. Rubio members date county in 2000. That senator rubio remembers county iny dade 2000. They could easily determine where to direct their attacks. I do not want to rely on diversity. A second point is what do we recommend . We talked about paper backups. The dutch had an election where they decided to make it all paper income the ballots by hand. For this very reason. What would you tell my Election Committee in brunswick, maine, what would be the top three things to think about to protect yourself . I would say to first, as previous senators mentioned, prioritize the security of the Voting Machines and vote tallying system. That they are not connected to the internet even if enabled on those particular devices. You have an auditing process to identify anomalies throughout the process. Educate pulling workers to look for suspicious activity, for example. Doesnt auditing mean a paper backup . Yes, sir. I would recommend a paper backup. Arent we seeing a consolidation in terms of vendors producing these machines . Understanding we are seeing some consolidation in the vendor communities. I, many of them are committed and have engaged again, many committede and have engaged on security guidelines. We will be updating the security guidelines a 2018. There is some concern about consolidation, but we look forward to engaging with them, and as of now, they are a very engaged community. It is one of the most important and daunting because we have pretty well determined they were not successful in changing tallies and votes, but they were not doing what they did in at least 21 states for fun. , andare going to be back they are going to be back with knowledge and information they did not have before. I commend you for your attention to this, and i hope this is treated with the absolute, utmost urgency. Thank you for being here. Just a heads up, there are states like that. For 25 years the oklahoman election system has had a paper ballot and scan. It has been a very good backup for us. Quickly count because of the scan, but we are able to verify because of paper. It is an ongoing conversation. I am in 2 simultaneous hearings. In the department of Homeland Security what we are dealing with the state elections and including my own oklahoma cio that they are testifying on the same issue. How we protect the state systems, state elections, and what is happening. I brought this with me. This is the famous female that Billy Reinhardt got from the dnc wealthy happen to be on vacation. He was in hawaii and join quality time away from his work at the dnc and gets an email from google that says someone has used your password. Said someonem and tried to do it from ukraine and recommended he changed his password immediately. At 4 00 a. M. He was frustrated, change his link, password, and went back to bed. What he actually did was gave the russian government access to the dnc. They took off from there. Most other Staff Members of the got any mouth that looks like this. Everyone with a google account knows that looks like the real thing. When you hover over the change password it shows a google account connection where it is going to, but it wasnt. It was going to the russians. It is my understanding that 91 of attack start with a phishing attack that looks like this. In practical terms for the state and what happens in my state and other states, first how does russia identify potential target . This is not just a random email that came to him. It was targeted directly at him to his address. It looked very real because they know who he was and where he worked. How are the russians that savvy to track this person, and how does it work in the future . I cannot go into great detail in this forum, but Intelligent Services do not they are looking for vulnerabilities. That in the cyber sense would be computer vulnerabilities. As far as targeting specific individuals, i dont know all of the facts around that email and all of the emails sent, but my guess is they did not just send it to one person. Like that toemail a variety hoping that one would click on it. How do they get that information . Go to the website and gather all the emails, tracked the individual to get more information so it looks like something they would click on . A variety of ways. Maybe by reviewing source material, online or otherwise, but they collect a lot of information through human means. Let me ask, when someone clicks on a link like this, what access to information do they get, typically . It depends on the system itself. I imagine that is probably a enustrating response, but giv and this is important for the theic to understand as threat evolves, they are going to continue and we educate the public not to click on certain things. Make sure you know the sender. Gets better, the offense will look for other means. In this case, ideally you want people to look and see what is this that they are actually clicking on before they click it. Ane organizations when individual clicks the link they do not allow that to go to that destination, because they know that it is suspicious or they a container to put it in and look at it. Others dont have that. It depends on your Risk Management and technical control in place. Who has primary responsible for federal Election Integrity . States oversee their own, but which federal entity is working saying that they are the prime agency to do it . For election Cyber Security, our department is in coordination with the fbi and others and leading the partnership with state and local. For yourall of you appearance here today and your testimony. Being a former secretary of in west virginia, also a former governor, the utmost concern was for fraud. At was voter fraud. Every time we would have a report of voter fraud leave it see the election participation decrease, thinking their vote did not count. Is there any reason anyone has the knowledge that you have, or that anyone on our committee from the Intelligence Committee which give you any doubt that russiawas involved, and was involved with the intent of doing harm to our election process as far as the confidence level that voters would have . Do any of you have any concerns whatsoever . Any doubts whatsoever that russians were involved and involved at a higher level . All three of you . End. Doubt from the fbis you have th interacted with the Intelligence Community . Yes, sir. Also, no doubt. No american should have reasonable doubt the russians were involved. Were all 50 states notified on russias intentions . State in charge of elections in west virginia, would you have notified them to be on the lookout . Out,r products that we put we did put out products that were not public products, but we did put out products primarily leveraging connections to all 50 states. cios. Andngage with the election National Associations that represent those individuals to ensure that we were able to reach. This is not a community that we had historically engaged with. We did print off multiple products prior youre not sure if the secretary of states dispersed that information to put them on high alert . We believe they did, sir. Inheld Conference Calls august, september, and again in october. Both highlevel engagement and Network Defense. Question, asked this if i could ask this question, what was russias intention, and you think they were successful in what they try to do, even though you could seek no alterations of the Election Results . Do you believe it had an effect on the outcome of the 2016 election . Yeah, as far as russias broader to be undermined democracy. One way that it sought to do this was to undermine the legitimacy of where they successful on the outcome . The fbi does not look at that as far as did russia achieve its aims in that regard, sir. Are there counter actions that the u. S. Can take to what they have done and their intentions continue . What is your opinion of the sanctions we have placed on russia . Sure, you know the fbi does not do policy. I am here to provide an overview of the picture as i understand and see it. U. S. Government did take action postelection in regards to making a number of russian officials any activity since we have taken some actions . They have left people to carry out their activities. That has had an impact on the number of people. We shared this with our allies, our european allies, who are going through election processes . Have they seen the same intervention in their election process we have seen in ours . Is sharing this information with our allies, absolutely. Dhs . We are also sharing information with our eyes. Eeing what we are seeing in the 2016 election . Their media reporting directs, we do not have government to government relationships from a dhs relationship, but there is media reporting they are seeing increased activity. Thank you all for your appearance. The question over whether donald trump had become an unwitting agent of rusher in their efforts to sow discord and discontent about our election, which you declined to answer, which was understandable. Hillary clinton has blamed her loss on the russians, Vladimir Putin, fbi, james comey, twitter, facebook, and my favorite, farms in macedonia. Liming her loss on these actors, has Hillary Clinton become an unwitting agent . Im sorry, sir. I would rather not comment. Lets turn to other matters. State andadvise localities in conduct in the elections or more broadly in their Government Services not to use or not to do business with companies that do business with kessler or use kessler products and systems . Sir, i cannot comment on that in this setting. Would you advise them not to use the products . I also cannot comment on that in this form. Um. I dont even have to ask. Yes, sir. I cant comment either. We talked a lot about treasures and tenant in our election. I think people realize it is further than the other actions in the 2016 campaign. Is it true that russia cyber actors have been programming u. S. Medical infrastructure for years . Yes, sir. I cannot go into specifics, but they probe a lot of things of critical importance to this country. As the header counterintelligence, you write in your statement that for rushs president ial influence election at its boldest to date in United States, which implies there have been previous efforts. To say the fbi had strengthen the Intelligence Community assessment because of our history investigating russias intelligence operations within the United States, suggesting this keeps you busy in your portfolio and counterintelligence . Correct. Orand this is not just cyber a threat from traditional human intelligence, what we might call spies . Yes, sir. Do socalled diplomats who work out of the Russian Embassy in washington, d c have it responsibility to notify our state department if they plan to travel more than 25 miles and give notification in advance . They do. The state department is supposed to notify the fbi in advance of those travel arrangements . Yes. Is it true that russian nationals often fail to get that at all, or they could it had 4 55 on friday afternoon before a weekend trip . I prefer not to go into those details here. I will leave it at that. Does it complicate you and conductnts efforts to your Counterintelligence Mission to have russian nationals wandering around the country more than 25 miles outside of their duty assignment . Sure. If that were to happen that would absolutely complicate. The secretary of defense indicated that russia is in violation of a treaty that we have with russians and other to overflyt allow us their territory and take pictures. They do the same here. To the socalled Russian Diplomats traveling to places in conjunction with open sky flights that russia is conducting in this country . I cannot comment on that here. Last summer, an american diplomat in moscow was brutally the doorstep of our embassy in moscow. Do we take steps to retaliate against russia for that assault in moscow . Did we declare persona non grata on any of the diplomats in the United States . If i recall correctly, we did not immediately do anything in that regard. This committee passed unanimously last year something that just passed in april, a provision that would require the state department to notify the fbi of in a request for Russian Diplomats to travel more than 25 miles outside of their state and report violations to you. First requiring the state department to report those regularly to our committee. What is the status of that provision now that it has been involved for two months. Is the state department cooperating with you . , i would rather not done that here. We are working on the implementation. I hope that starts. You mention that you notify the owners. Im not clear on who the owners are. The vendors . What i meant to clarify is that in some cases, it may not be the secretary of state or state election director who owns that particular system. In some cases it could be a locality or vendor. Is there a policy of who should be notified when there is a threat . Were working through that policy with the secretaries of state. That is one of the commitments as electionhen directors to ensure that they have appropriate information while preserving the confidentiality of the victims. Can you tell us and which state you notified a vendor instead of note of notifying the secretary of state . We keep the Vendor Information confidential. Did not states were you notify the person elected by the people of that state to oversee elections . I do not believe that is the case, but i will get back to you. Warningpecific was the that you sent . How did you notify the state and vendors . Depending on the scenario and information that we had, and did when weat we get classified information is related to classify as much as possible. For this particular one, what we took was Technical Information that we had that we believed was suspicious and emanating from russia in our system. He asked them to look at their system. This is part of the broader dissemination. We asked all states to look at their systems to identify if they had an intrusion or if they blocked it. In most cases, they blocked it. You have a copy of the notification you sent to most vendors or secretaries of state . I do not, but i can get it back to you. Will you provide this committee with a notification . Were done inem person. I can show you the Technical Information. That was rolled up in the information that we published in december. I can show you what we provided to the states and localities. To notify each of them in the same way, or did you tailor the notifications . For alller the process of the victims were potential victims. Be an fbi field agent, sometimes an apartment official. Department official. With who provide us notified each stage, and healing that state was notified, the vendor or state elections official, and also what specifically they were notified of. With07, california worked leading security researchers, bolland. Tary debra they instituted some of the best practices we believe for Election Security. My understanding is that it is considered a cold standard. Standard. A gold my question is does dhs have that authority to coordinate that for all states . The technicale capability and authority to conduct those. Have you pursued that as a the stateson to help do everything they can to secure their systems . That is one of the areas we are considering. At that in looked california in 2007 . If not, i would encourage that. I have not. The federal government does not have all of the information it needs where there has been a breach. Is there any requirement the state notify the federal government when there has been a breach . No, maam. In terms of the American Public and voters, is there any requirement that the state notify the residents when the state suspects there may be a breach . I cannot comment i know that multiple states have different sunshine laws that apply to data breaches within that state. I could not make that a general statement about with the requirements of the state are. Do any of you have any thoughts over whether there should be such requirements in terms of the state reporting to the federal government and states reporting to their own citizens about any breaches of their election systems . Require data breach reporting is a complicated area. We prefer, and we had a fair amount of success with voluntary reporting and partnership, we would be happy to work with staff in understanding how that might apply here. Any other thoughts . No . Ok. Thank you. Say since a number of over theave questions agencies, especially those here of thering with congress investigation, i will just say that the chair and vice chair were briefed at the earliest possible time and continue to be. Riefed throughout the process then it was opened up to all of the members of the committee. Im not sure that i had ever share that with everybody, but i wanted to make sure everyone was aware of that. Thank you, so much. Any directionof from President Trump to conduct this investigation about the russians in our election . I cannot comment. It could be related to things sder the special counsel purview. To clarify the question, direction from the president the president of the United States directed that federal activitie youct ares conducting, investigations, into the russian hacking into the election . I cannot comment on the president directly, but the secretary is committed to understanding what happened and ensuring that we are better protected in the future. He has not communicated that direction of the United States . No, sir. Sir, this comes directly down. It has been quite a while. The secretary completely supported it. Nothing from the president directly, sir. I thought senator king raised interesting issues. Like to think about it, they are not decided in certain states, but they are decided in certain cities and counties. It raises an interesting question. You are very assertive about the diagnosis of an intrusion that was altering voter votes. That . An you do within weeks of the election, on election day, after election day . From an i. T. Perspective, would we would do is look at the threats themselves that were targeting entities. There are elements we would look at. If there was any statistical anomalies. Weould also point out that are talking internet connected systems. In all of the key counties that you would represent would be those internet connected systems. What you said is you have to of hisr confirmation coming in on the election day. That raises the question of what we do . The votes of already been cast. Planning on what reaction we take . Differ. Ht have to efer. Might have to d that activity would be difficult to detect. It would be difficult to go on undetected. We were discussing both at the polling station or the jurisdiction that it would be hard for someone to do that without anyone, not necessarily the department, would have that immediate insight. To answer your question, yes, it is something that is a part of our planning and what we look for in partnering with the state and local officials on understanding. We are 18 months away from election. Anhave to be able to develop organizational infrastructure that could react on very short notice to discovery that actual votes were being tempered, is that accurate . Absolutely, sir. Both technical and organizational. Do think there is enough emphasis on terms of resources and support to do that, the collaboration . And among those many of the voting jurisdictions, not at the state level, but the city and towns, are we taking it seriously enough . This is one of our highest priorities. I would note that we are not only looking ahead to 2018, as Election Officials remind me routinely, elections are on a regular basis. It is the highest priority. Today testified information was infiltrated by the russians. What type of information was taken, and what can it be used for . Yes, i do not want to get into the details of what victim information was taken. We have a variety of pending investigations. Again, it could be used for a variety of purposes. It could have been taken to understand what was in the systems. It could have been taken to try to target and learn more about individual so they could be targeted. It could have been taken in a way to publicize, to send a message that foreign adversaries have the ability to take things and so doubt in our voters minds. Given the activities the russians deployed, resources and constant effort over probably a decade, do you think they have a better grasp of the vulnerabilities of the American Voter system then you have . I hope not. I think it is an excellent question. , i hope not and i dont think so. But if they did, i do not think they do anymore. Thank you. Before we moved to the second panel, one less question for you. Is there any evidence that the penetrate the dnc was for the purposes of launching this Election Year intrusion one of, or was this hishinge p expeditions by russian actors in the United States . In my opinion, it was one of many efforts. Ngu call it a phishi expedition, but to determine what intelligence they can collect. They go after lots of places. Tens, hundreds, thousands . At least hundreds. I want to wrap up the first panel with a slight recap. I think you have thoroughly covered there is no question that russia carried out those attacks on your state election systems. Affected,llies were or affected the outcome of the elections. Russia continues to engage in exploitation of the u. S. Elections process. It elections are now considered critical of the which is extremely important and does bring interesting potential new guidelines that might apply to other Critical Infrastructure that we have not thought of because of the economy of each and the autonomy of each state and control of their election systems. Im sure this would be further discussed as the appropriate committees talk about federal jurisdiction. Here that extends to clearly, i think it is this committees responsibility as we wrap up our investigation to hand off to that committee somewhat of a roadmap to what we have learned, areas that we need to address and will work closely dhs and the bureau as we do that. I will call it the second panel. Everybody to call the second panel to order. Ask the individuals to take their seats. Shifting from a federal government focused to a statelevel focus. We will gain insight into the experiences of the states in the , as well as hear about efforts to maintain Election Security moving forward. For the second panel i would like to welcome our witnesses. The midwest Regional Representative to the election directors, and the administrator of the wisconsin Election Committee. The executive Director Director of the Illinois State board of elections. Dr. Halderman, professor of computerscience science and engineering at the university of engineering. Collectively, you bring a wealth of knowledge and depth of understanding of our state election systems, potential vulnerabilities of our voting process, and the mitigation measures we need to state at the state level to protect our foundation of american democracy. In january this year, then secretary of Homeland Security jeh johnson designated the election of the structure used in federal elections as a component of u. S. Critical infrastructure. Dhs stated the designation established election a priorityure as within the National Infrastructure protection plan. In enabled the department to prioritize our Cyber Security assistance to state Election Officials to those who requested publicly known that the election infrastructure enjoys all of the benefits and protections of critical of the structure that the u. S. Government has to offer. Some of your colleagues objected to this designation, seeing it as federal government interference. Today i would like to hear your views on this specifically, but more broadly how the states and federal government can better work together. I am a proud defender of state rights, but this could easily be a moment of divided we fall. We must set aside our suspicions and see this for what it is, an opportunity to unite against the common threat. Together, we can bring considerable resources to bear to keep the election system safety or that would like to thank our witnesses for being here. I would like to turn to the vicechairman for any comments. The vicechairman doesnt have any. I would assume by some process you have been elected to go first . Unless there is an agreement. Where do we start . Toi was going to defer secretary lawson, if that is ok with you, chair. Secretary, you are recognized. Good morning. I want to thank you for the chance to appear before you today. It is an honor to represent the nation secretaries of state. 40 of whom service chief state Election Officials. I am connie lawson, indiana secretary of state and president elect of the bipartisan National Association of secretaries of state. Im here to discuss the capacity to secure state and locally run elections from significant and persistent nationstate Cyber Threats. With statewide elections in new jersey and virginia this year, and many more to contest many more contests to follow in 2018, i want to ensure you assure you thats ever securities being taken seriously. This hearing offers a chance to fiction fact from regarding the president ial election. As noted many times we have seen no evidence that vote casting or counting was subject to manipulation in any state or locality. Nor do we have any reason to question the results. Summary of what we know about documented foreign targeting of state and local election systems. In the 2016 election cycle, as confirmed by the department of Homeland Security, no major Cyber Security issues were reported on election day, november 8. Last summer, intelligence agencies found 20 state agencies have been proto buy agencies rattling the door knobs to check doors. Ockedx access toable to gain arizona and illinois, prompting securityo prompt measures to be increased. In more recent days we have learned from a topsecret nsa report that the identity of a services iniding several states was compromised. It is concerning Election Officials have only recently learned about the threats of elite nsa report, given the fact that the former dhs secretary, jeh johnson, repeatedly told my colleagues and i that no specific or Credible Threats existed in the fall of 2016. It is unclear why our intelligence agencies would threatd timely information from officials. I have confident that other panelists will address voting equipment risks and conceptual attack scenarios. Emphasize safeguards against cyber attackers. Our system is complex and decentralized with a great deal of agility and low levels of caning to the. Levels of connectivity diversity can exist from one locality to the next. This serves as a check on the capabilities of nefarious actors. I want to mention the recent designation of election systems as Critical Infrastructure. With thees exist designation, including a lack of clear parameters around the order, which provides dhs and other federal agencies with a large amount of unchecked executive authority over our elections process. At no time between august of 16 in january of 17 and its members ever have a thorough discussion with the designation means. Threat sharing has been touted as a key justification. Nearly six months later, no secretary of state is currently authorized to receive classified threat information. From information gaps to threatensgaps this to erode Public Confidence in the election process as much as any foreign cyber threat. It is shredding the rights that states hold to determine their own election procedures. The designation ultimately yeduces diversity and autonom in our process. The potential for perceived or real Cyber Attacks will likely be much greater, not the other way around. Looking ahead, the National Security task the force was created to ensure that officials are working together to create partnerships with stakeholders. In guarding against Cyber Threats, the trend is positive that mark can be done. Most notably, many states and localities are working to upgrade voting equipment. If i have one major request today, other than rescinding the Critical Infrastructure designation, it is to help Election Officials gave access to classified information sharing. We need this information to defend state elections from four interference and respond to threats. I look forward to answering your questions. Thank you, secretary lawson. Who would like to mr. Hoss. Good morning. Chairman burr, warner, committee members. Thank you for this opportunity to share what states learned from the 2016 elections and the steps we are taking to further secure our election systems. As chief election official, i am a member of the executive board. Many of our state Election Officials across the country are holding secretary of state office, but many are not. The 2016 president ial election reinforced basic lessons, though sometimes in a new context. All of us understand the of constant communication to ensure that all actors have the tools they need. Twist in 2016 involved communicating about the security of election systems with the department of Homeland Security, as well as the states who provides Cyber Security protection to Voter Registration databases. Heard, some states expressed concerns about timeliness and details of communications from Homeland Security regarding potential threats, security threats to state election systems. The recent report about attempted attacks on state Voter Registration systems which occurred last fall cognitively states by surprise. We look forward to working with to and federal officials develop protocols and expectations for communicating similar information Going Forward. For example, state Election Officials believe it is important that we be in the loop regarding context that dhs has with local Election Officials regarding security threats such as the spearfishing efforts that were publicized. They should be aware of this information to protect their systems and so that we can provide additional training and guidance to local Election Officials. I appreciate the concern that was expressed this morning that this is a twoway street. At the state level, we need to think carefully about how to most effectively communicate with our local Election Officials if it when there is an incident that we are aware of at the state level. As part of the dhs designation systems is critical of the structure, coordinating councils could help to facilitate decisions regarding the proper balance between notifying state and local officials and protecting confidential and sensitive information. The coordinating body should consist of eight broad representation of stakeholders and we have expressed our interest in participating in those bodies. Is a coulde the abort requests the support of the u. S. Elections commission a specific agency as a logical federal agency to partner with dhs to provide subject matter expertise and assistance communicating with local Election Officials as the communication of the structure is already in place. The 2016 elections also reinforced the need for constantly enhancing the security of Voter Registration databases as we have heard this morning. Voterhacking into a Registration System has no effect on tabulating the Election Results, intrusions could result in unauthorized parties getting access to data regarding voters, candidates, contests, and polling places. While most of that information is public upon request, there may be confidential data held in those databases such as a voters date of birth, drivers license number, last four digits of the Social Security number. Different rates have different laws about what pieces are confidential. The 20 elections demonstrated that state and local election steps to can implement improve the security of voter data and many of these steps are not complicated. Andaddition to the cyber Risk Assessments, states are implementing greater risk of multi factor authentication for users of our system, updating of lockingthe use unauthorized users and completely blocking access from any foreign ip address. The final lesson relates the voting equipment. This has been said many times this morning, there is no evidence that Voting Machines or Election Results have been altered in u. S. Elections. I appreciate the committees emphasis. For the public, that cannot be stated enough and strongly enough. As Election Administrators must exercise vigilance to ensure that such theoretical attacks did not become reality. We must continue to educate the public about safeguards in the system. Decentralizedth both include a decentralized structure. Cases, voting equipment is not connected to the internet and cannot he attacked through cyberspace. Also, it is important to keep in mind that three out of four ballots cast in the American Election are on paper ballots. Equipmentouch screen also has a paper tro so voters can immediately identify their vote and Election Officials can use. There are several redundancies in the testing and certification of voting equipment. It is important to realize the equipment is not only used on election day. Its functionality is tested several times. Short, the 2016 elections taught us that the potential for disrupting election processes and technology by foreign or domestic actors is a serious and increasing concern. Th statee election directors and continued cooperation more effective communication, along with complete vigilance animation will ensure the integrity of voting processes and Election Results. We look forward to working with our federal partners as we planned for elections Going Forward. Thank you for the opportunity to share these thoughts and i would be happy to answer any questions. Thank you. Good morning. The state board of elections staff did not become a queer of it first. Aware of it first. Processors usage had spiked to 100 with no explanation. Analysis of the server logs revealed the heavy load was a result of repeated database queries on the status page of our paperless online voter application website. The server log showed the queries were malicious in nature. It was a form of cyber attack known as sql. Sql injections are unauthorized database queries entered into a data field in a webbased application. They originated from foreign ip addresses. As programmers introduced code changes to eliminate this ,robability, the following day the decision was made to take the website and database offline to investigate the severity of the attack. Staff maintain the ability to law can all site access attempts. Malicious traffic from the ip addresses continued, though it was blocked at the firewall level. Firewall monitoring indicated they were hitting ip addresses five times per second 24 hours a day. These attacks continued until august 12 when they abruptly ceased. Staff begin working to determine the extent of the breach, analyzing the integrity of the database and introducing security enhancements. On july 19, we the assembly of the security breach. In addition, we notify the Attorney Generals Office. On july 21, the state board of elections i. T. Staff completed enhancements and begin to bring the system back online. On july 20 eight, the illinois Registration System and paperless application became fully functional once again. Occurred, theck state board of elections has maintained the following ongoing activities. The dhs scans the systems for vulnerabilities on weekly basis. The Illinois Department of innovation and technology continuously monitors activity on the illinois century network, the general network that provides firewall protection for the state Computer Systems. This department of innovation and technology provided Cyber Security Awareness Training for. Ll employees the state board of elections i. T. Staff continues to monitor web server and firewall logs on a daily basis. Addition, Virus Protection Software is downloaded on a daily basis. Informing the Attorney Generals Office, the state board of elections was contacted by the fbi, and we have fully cooperated in their ongoing investigation. The fbi advised that we work with dhs, United States computer emergency readiness team, to ensure there is no ongoing malicious activity in any systems. , the dhs confirmed confirm there is not any ongoing malicious activity in any Computer Systems. To comply with the personal 70ormation protection act, 6000 registered voters were contacted as potential victims of the breach. Provided towas these individuals on steps to take if they felt they were victims of identity theft. In addition, an online tool was developed to help affected individuals and the specific information in the voter record that may have been compromised. As far as looking to future concerns, one concern facing our state and many others is aging equipment. The help america vote act established requirements for equipment while funding was made available to replace the old equipment. Additional funding has not been further appropriated. If additional funding is not available, we would like to receive authorization to use the states existing funds to allow spending on enhanced security across all in election related systems. The database is a federal mandate through the help america vote act. Cyber attacks targeting users are also of particular concern. Decurity training funde would also be beneficial in our view. Addition, any guidance or recommendations as to the protection of Voting Systems from cyber intrusions are always welcome. And imu for the time, happy to answer any questions. Thank you. Burr, vice chairman warner, members of the committee, think you for inviting me to speak with you today about the security of u. S. Elections. I am a professor of Computer Science and have spent the last 10 years studying the electronic Voting Systems are nation relies on. Isconclusion from that work that our highly computerized election infrastructure is vulnerable to sabotage and even to Cyber Attacks that could change votes. Risk making our Election Results more difficult for the American People to trust. I know americas Voting Machines are ponderable because my colleagues and i have hacked to aem repeatedly as part of decade of research stating that technology that operates in elections. A tax that can spread from machine like a computer virus and silently change election outcomes. We have studied touchscreen and optical scan systems. Case, we found ways for attackers to sabotage machines and a steel boats. These capabilities are certainly within reach for americas enemies. As you know, states use their own voting technology, and while some states are doing well, others are alarmingly vulnerable. This puts the entire nation at risk. In close elections, an attacker can probe the most important swing states or counties, find areas with the weakest protection, and strike there. In a close Election Year, changing a few votes in a few localities could tip national results. From 2016 is that these threats are real. We have heard that russian efforts to target Voter Registration systems spread to 21 states and have seen reports detailing efforts to spread an attack from an Election Technology vendor to local offices. Attacking vendors and municipalities could put russia in the position to sabotage equipment on voting day causing long lines or disruption. They could have engineered this chaos to have a partisan affected by Striking Places that lean heavily towards one candidate. Votingy the fact that machines arent directly connected to the internet makes them secure. Unfortunately, this is not true. Not asmachines are distant from the internet as they seem. Before every election, they have to be programmed with races and candidates. Created on aing is desktop computer then transferred to Voting Machines. Infiltrated these Computers Come it could spread an attack to vast numbers of machines. I dont know how far russia got or whether they managed to interfere with equipment on election day, but there is no doubt that russia has the technical ability to commit widespread attacks against our Voting System, as do other hostile nations. I agree with james comey when he warned here two weeks ago, we know they are coming after america, and they will be back. We must start preparing now. Fortunately there is a broad consensus among Cyber Security experts about measures that would make americas election infrastructure much harder to attack. Letter that id a entered into the record from over 100 leading Computer Scientist come experts, and officials that recommends three essential steps. First, we need to upgrade obsolete and vulnerable machines and replace them with optical scanners that count paper ballots. This is a technology that 36 states already use. Physical record of the vote that simply cant be hacked. President trump made this point well on fox news the morning of the election. He said, there is Something Really Nice about the old paper ballot system. You dont worry about hacking. Second, we need to use the paper to make sure the computer results are right. This is a common sense quality control. It should be routine. A limiting audit, samples can be checked for high assurance the outcome was correct. Only two states, colorado and new mexico, currently conduct audits to reliably detect Cyber Attacks. Lastly, we need to harden our systems against sabotage and raise the bar for a tax of all sorts by conducting comprehensive threat assessments and applying Cyber Security best practices to equipment and management of elections. These are affordable fixes. Replacing insecure voting million would cost 130 to 140 million, limiting audits. That would cost less than 20 million a year. These amounts are small compared to the National Security improvement they buy. State and local officials have been extremely difficult job without having to worry about hostile attacks by governments. The federal government can make prudent investments to help them secure elections and uphold voter confidence. We all want results we can trust. If Congress Works closely with the states, we can upgrade our election infrastructure in time for 2018 and 2020, but if we fail to act, it is only a matter of time until an major election is disrupted or stolen in a cyber attack. Thank you for the opportunity to testify today and your leadership on this critical matter. I look forward to answering any questions. Thank you. Itselfir will recognize for five minutes and members will be recognized by seniority. How many states is a secretary in state in charge of the elections process . Yes, sir. It is 40. Would you be specific. ,hat do the secretary of states what is it they do not like about elections being designated Critical Infrastructure . Issue,most important sir, is there have been no clear parameters set, and even after the three calls that we had with secretary jeh johnson before the designation was made, we consistently asked for what would be different if the designation was made and how we would communicate. Nothing has negatively happened except you dont have the guidance to know what to do . Nothing has negatively happened to this date, but also nothing positive has happened. Illinois is one of the few states that has publicly been identified. I guess that is important because you took the initiative to do it. You gave a good chronology, 23 june, first sign. 12 july, state i. T. Staff took action. 12 august, the attack stopped. What point was the state of illinois contacted by any federal entity about their system having been attacked, or was at the state of illinois the contacted the federal government . Fbi. Were contacted by the i dont have the exact date. Was after we had referred the matter to the Attorney Generals Office. My guess would be probably one week after. A week after . After the ag was notified by us about the breach. That was approximately when . July 19. At what point in the state of illinois know it was the russians . Actually, to this day we dont know it was the russians with certainty. We have not been told by any official entity. The only one we are aware of that was investigating is the fbi, and they have not told us definitively that it was the russians. Our i. T. Staff was able to identify seven ip addresses from a foreign location. I believe it was the netherlands. That does not mean the attack originated in the netherlands. We have no idea where it originated from. Did your i. T. Staff have some initial assessments on their own . Anything of that nature would have been speculative, and we did not want to do that. We wanted to leave that to the professional investigators. You gave an update on what you are currently doing to enhance security. Dhs weekly security checks, in your estimation has the federal government responded appropriately to date . I believe they have, yes. I have heard nothing from our i. T. Division, and they would be the persons that would know. I have heard nothing from him that it has been less than satisfactory. Let me ask all of you, do you extent of Cyber Threats to election system should be made public before the next election cycle . Should we identify the states that were targeted . Think as election directors we are sensitive to the balance that Homeland Security and others need to make. I think so far as far as we have as thee want to know victims or potential victims, the i think as part of coordinating council and designation of Critical Infrastructure that there has to be a conversation is there a right of the public in your state to know . Yes, i believe there is. If there was a hack into our system, we would certainly want to consult our statutes and so , but we believe in transparency and would want to let the public know. And needs the public details about these attacks and the vulnerabilities of the system in order to make informed decisions about how we can make the system better and provide the resources that Election Officials need, so, yes. I lay awake at night worried about Public Confidence in our election systems, so i think we need to be very careful and balance the information. The worst thing we can do is make people think their vote does not count or it could be canceled out, so if telling the areic that these attacks out there and our systems are vulnerable and it does not undermine confidence and makes them know we are doing everything we possibly can to stop those attacks, i would be in favor of it. Thattake it for granted none of you have evidence that vote tallies were altered in the 2016 election . I recognize the vicechairman real quickly, when you and your colleagues hacked election systems, did you get caught . We hacked election systems as part of academic research. I get that. Did you get caught . Did they see your intrusion into their systems . The one instance when i was invited to hack a real Voting System while people were watching was an washington, d. C. In 2010, and in that instance, it took less than 48 hours for us to change all the boats and we were not caught. Votes and we were not caught. I would like to thank all the witnesses for their testimony. I find it a little stunning your answer. I dont know, i think if you saw the preceding panel, you had the dhs and fbi unambiguously say that it was the russians who systems,to these 21 and i find it a little strange they have not related that information to you. What we have discovered in the earlier testimony is that we this closure that the 21 states were attacked. We found that even though we know those 21 states attempted to be hacked into or doors rattled, whatever analogy you want to use, in many cases, the state Election Officials, directors or secretaries of state, may not have been notified. I think that is stunning. Clearly lots of local Election Officials where the activities take place have not been notified, so i have a series of questions and i will ask for brief responses. , senator kinge mentioned in earlier testimony, you dont need to disrupt a whole system. You can disrupt a single jurisdiction and a state, and if you can wipe that ledger clean, you can invalidate potentially not just that local election, but then the results of the and ultimately the nation, is that not correct . Yes, that is correct. I believe in our centralized system that we are only as strong as our weakest link, is that correct . That is correct. , do youtary lawson believe all 21 states that were attacked that the state Election Officials are aware . Cant answer that question, sir. I am not certain. I tell you that indiana has not been notified. I dont even know if we are on the list. I dont know for sure except that dhs did indicate in a teleconference that all of the states that were attacked have been notified. We were told earlier that that is not the case. We were told the vendors may have been notified. Do you know when wisconsin was attacked . We do not know. Are you comfortable either one of you with not having that knowledge . We are hypersensitive about our security, and i would say that when the f the i sent the notice in september for states to look for certain ip addresses had been their systems penetrated or attempted to be penetrated, we absolutely at 15ed and looked million 500,000 logins that happened in our system since the first of january that year, so we believe that our system has not been hacked. That both also state our office and the chief Information Officer of the state in his office would likely be able to detect two leading state Election Officials not knowing whether their states were one of the 21 that were probed. Let me finish, please. I see, i understand, but the notion that state Election Officials would not know, that local Election Officials clearly have not been notified, i appreciate the chairmans offer and the chairman and i will write a letter to all the states. You view your self as victims. I think there is a public obligation to disclose to make sure we are prepared for 2017 where i have state elections in 2018, and to do otherwise because there are some still in the political process that believe this whole russian incursion into our elections is a witchhunt. Ivi could see some elected officials saying this is not a problem, this is not a bother. I dont need to tighten my security procedures, and that would do a huge disservice to the trust you say you want to try to present and provide for our voters, so i hope that when that youve a letter would urge your colleagues to come forward. Again, not to embarrass any state, but i find it totally an acceptable that the public does not know, local Election Officials dont know, that you two as the leader of the state Election Officials dont even know whether your states were part of the 21 that has been testified by the dhs that it least they were, if not looked , actual information from the Voter Registration efforts were affected, so my hope is that you will work with us on a cooperative basis. We want to make sure that dhs and others are better sharing information and you get those classified briefings you deserve. Thank you very much. 12 was the date you first discovered you had issues, is that right . That is correct. The result of a high volume spike, is that correct . Yes, that is correct. Youhen you looked at it found the intrusion attempts had started june 23, is that correct . Yes. Those were low point spike starting on june 23 . Yes. If they had never cranked up the youme, is it fair to say never would have discovered it or would not have discovered it . I would say it probably would not have been discovered, certainly not right away, and if the volume was low enough, even an analysis of our server logs might not catch Something Like that because it would not stand out, so the answer to your question is yes. Then you said seven days later on the 19th that you notified the attorney general, is that correct . Yes, correct. That was the illinois attorney general, not the u. S. Attorney general, is that correct . Notifye law requires we the illinois attorney general. The next thing is you were contacted by the fbi . That is correct. Im just trying to understand the facts. Are you assuming that the illinois attorney general contacted the fbi or. Know that are not know that . I do not know that for sure, but i would suspect they probably did. That is where i was getting. That was not the result of some federal analysis, that there was not a federal analysis of this that turned up what had actually happened, is that a fair statement . I think so, yes. Then did some things to try to mitigate what had happened. Had you share this with other states as to what you had done in order to develop a best practices, if you would, to formalid not have any notification to all 50 states, no. Timenk our focus at that was trying to repair the damage and assess what needed to be done, especially with respect to the voters who had their information accessed. I believe that once the fbi became aware of this, i know they contacted the different states. I dont believe our Attorney Generals Office did come although i dont know that for certain. We did not have any all formal communication with all 50 states. Do you believe that you have developed best practices actions after this attack that you describe for us . I believe so, yes. Bedo think that would appropriate to get that out to the secretary of states organizations or other organization so all states could have that . Certainly. Absolutely. Youre hacking that you have would youror us, ability if you were sitting in with theght now ability to do the same thing you had done, would that be dependent on machines or whatever systems used being connected to the internet . Onthat ability would depend election i. T. Of whereent, i. T. Offices the election programming is prepared, are ever connected to the internet. The machines themselves dont have to be directly connected to the internet for a remote attacker to target them. That would you recommend the Voting System be ,isconnected from the internet that is be a standalone system that cannot be access from the outside . Practicea best certainly to isolate vote tabulation equipment as much as possible from the internet, including isolating the systems used to program it. Other pieces of election infrastructure that are critical such as Electronic Online Registration Systems do sometimes need to be connected to the internet to systems that have internet access. But that would not necessarily require it be connected to the internet for the actual voting process, is that right . Thats right. The extrication of that information out the voting machine, would that be fair . Thank you, mr. I want to start with you professor haldeman. What are the dangers of manipulation of Voter Registration database . If it isnt apparent until election day when big show up at the polls to vote . This coulderned that be used to try to sabotage the election process election day. If voters are removed from the database and they show up on election day that is going to cause problems, if voters are added to registration database that can be used. I am trying to get my arms around this world of contractors , any ideantractors even a ballpark number of how many of these people there are . 10, 70, 200 . Vendors that host the voters Registration System . Im sorry, i dont have an answer. I dont have an exact number, but in indiana we have six different voting types but they are all certified the program. Somebody is doing over theseon contractors and subcontractors and equipment vendors and the like . Does that include Voting Machines . It does. Most states will have a mechanism to certify the Voting Machines they are using, the tabulation machines, making sure they comply with federal and state law and making sure that happy auditing process do you have a high degree of confidence that these processes are not leaving this other world of subcontractors in the light vulnerable . Have several concerns about the certification processes, including that some states do to require certification federal standards, is that the federal standards that we have are unfortunately long overdue for an update and have significant gaps when it comes to security. And that the certification process does not necessarily the actors that are involved in that process, including the day to day operations are companies that do preelection programming. A member of my colleagues are supportive of our effort to take photos white male national. For mail. At got computers, plenty of time to correct Voter Registration problems if there are any. Arent those the key elements of trying to get on top of this . It seems to me the paper trail, you want to send a message to the people who are putting at risk the integrity of our inlet electoral institution, having a paper trail is fundamental to have the backup that we need. I think you are nodding affirmatively professor halderman. When either of you like to take that on . Vote by mail has Cyber Security benefits. It is difficult to hack a vote by mail system from an office in moscow. Whether it is appropriate for every state is a matter for the states. I think it offers positive security benefits. Goldman, haldeman, how do you count vote by mail ballots . Would be counted using optical scanners. Ballots areal scan audited you can get highsecurity from that process, but yes. Thats a different question. Do you prefer a per balance and an audit trail and i do, too, but lets not assume that they are counted any differently they are counted at a more that doesntion, mean all the manipulation you talked about their we need to protect against would not happen in a float by mail election best vote by mail election. Thats correct. Er auditing and otherwise how would you audit a nonpaper system, if it is a touchscreen touch screen system. How would you do a nonpaper audit . I think it would be difficult or impossible to audit nonpaper systems with a technology that we use in the United States to eight high level of issuance. Its pretty hard to audit a system that counted that did not leave a trail. Basically its impossible. Certifylinois, do you counting systems . Yes. Our commission does a protocol. Back in illinois, do you monitor that counting system while it is doing the counting . No, the counting done on Election Night is done luckily locally. Equipment the voting and they have to apply for certification and approval. Practice, other than we do conduct preelection tests of the voting equipment on a random basis before each election, but it is a limited number of jurisdictions. You do that in a way that allows you from your Central Office to get into the local system or do you go to the local jurisdictions or monitor how they check the Accounting System . When we do the preelection test the counties are required to do a public test. It is public. They are required to do testing on the machine, the tabulation. There is a bipartisan election board. The point i want to drive home is not opening that door to the counting system, if you dont have a door nobody else can get through the door as well. There is monitoring there is local testing, i dont suggest that dr. Haldermans test is something we should guard against. Something as we were transitioning to the system, something i was concerned about is what can be done that could be done and undetected. S i like theeason audit trail is if you have something to go back if you have a reason to go back and determine what happened on election day. Lets talk about the much more open Registration System. The secretary lawson, you said hands. 15,500 blog the county courts in indiana are connected to the statewide Voter Registration system. , we collectedns the work they did that year. That is a system that has lots of people coming in and out of that system all of the time. Do local jurisdictions like at the library does registration. Do you have counties where they can put those registrations directly into the system . Other than a counties, no sir. A voter can go online and register themselves. The counties will find that information in their hopper the next day. They will have the ability to determine whether or not the application is correct. Do the three jurisdictions here have some kind of . Rovisional voting if you get to the polling place and the address or name is wrong , is there a way somebody can cast a ballot before they leave . Yes we do. It is very limited. We have electionday registration so people can register at the polls. So the failure to have your name properly i noticed the time on others. The Registration System is much more open than that tallying system. Mean that the system doesnt need to be further protected. The somebody they are the other somebody who gets into the Registration System, we think other Company Countries and governments are doing that as well. You are pretty good at packing Voting Machines. Do you think the russians are as good as you . The russians have the resources of the nation state. I would think their capabilities would significantly beat mine. I think that is an important point. You testified that you were able to hack into a voting machine and 48 hours nobody knew you had done it. If you could do it i think the point is the russians could do it if they chose. We have been talking about registration lists. Quite often a Voters Registration list is linked up with the computer that has a Voters Registration is linked up with configuring the Voting Machines and even tallying votes. Is that true . Knows sir. Connection between the list in the Voting Machines . Knows sir. No, sir. Deadlinesay be some designs of the system where the fine in and vote counting system are linked. If the voting registration lists is tampered with in some way on election day it would be. Haos if names disappeared isnt that correct . If a person showed up at the polls to vote in their name wasnt on the list if they were expecting they would be given a provisional ballot. The lines would increase significantly if there was a large number of people who had to do that in each precinct. That is what i was referring to. On august 1, two 2016, there was an fbi notification to their field offices about the danger of cyber intrusions into Voting Systems. Supposedly those were passed on to state election systems. Did you get something from the fbi around august 1 that gave ip addresses and what should be done . Fbi inwe did receive an flash in august. We did as well. One of the things i am hearing and appreciative and happy that you all do receive that notice, there seems to be a lack of information sharing that goes on that we need to be sure if something happens in this and if we learn things here in washington, the fbi can alert people around the country. The best time to deal with this is before the election. After the election or on election day is much more difficult. Yes, i would support further information sharing. Finally, we have talked about what we do about this post a paper trail has come up. Is that the principal defense . Question to the prior panel, what would you tell my elections clerk in brunswick, maine, would be the three most important things they should do . Of state inary maine to protect themselves against a threat we know is coming . The most important things are to make sure we have votes recorded on paper, paper ballots which cannot be changed in a cyber attack, that we look at enough of that paper in a postelection risk limiting audited know they have the electronic records have not been changed, and make sure we are generally increasing the levels of our cybersecurity practice, and information is an example of a good and recommended practice as our firewall and systems that have been suggested. , and there arele some press reports about this, of a cyber attack on the vendors of these machines to somehow tamper with the machines before they go out to the states. Is that a risk . I would be concerned. Vendors isumber of an example of how our persistent in practice is not as decentralized as it may appear. It could be a way to reach Voting Agreement over a very large area. There have been press reports that in fact was attempted. Yes, that is correct. Thank you, mr. Chairman. Mr. Chairman, this is such Important Information for the public and for our democracy. I appreciate your work here. Senator harris . Thank you. There is a saying im sure many of you have heard which is you know the difference between being hacked and not being hacked is knowing you have been hacked. Dr. Haldeman, the recommendations you and her colleagues have made because it also seems to hover the various elements of what we need to do to protect ourselves as a country in terms of our elections, which is prevention and then the issue of detection and also resilience if we discover that we have been manipulated. Lets have the ability to stand back up as quickly as possible. I have a few questions in that regard. First of all, have each of you you received for the states received certification from the fbi. The second wreck . Is that correct . Yes. Reach of you notified by dhs . We effective medications with dhs. Communications with dhs. I dont recall how it was initiated. I do know there were Conference Calls. It may have been through the fbi that occurred. Im speaking up before the 2016 election. Yes. Secretary lawson . Yes, we did have conversations with department of Homeland Security, however, it was through our National Association. It was not direct contact with the state. Thank you. We were one of the states that took up with dhs to do cyber scans. Was for aert i think specific incident, but our communications with dhs were more general, steps that can be taken to protect our systems. As a followup to this, if each of you can recall the conversations, if you could share that with the committee that would be helpful so we can figure out how the vacations might be more helpful to you in the future. Hopefully, theyre not necessary, but if necessary. Secretary lawson, what in your opinion, are the pros and cons of requiring states to report to the federal government if there has been a breach or a hack . What can imagine would be the pros and cons of a policy that would require that . Thatll, the prowould be if, for example, the fbi or the department of Homeland Security has better ways to counter those thecks or to make sure that recognizance reconnaissance is done after an attack is more sophisticated than the states, honestly, that would be a pro. Indiana did not take the opportunity to have dhs do our cyber cleaning because we felt we were in better shape than what they could provide for us. So that would be the con. Before this last election cycle, there have been a lot of talk through the years in various states. Send her blood, im sure you are part of the discussions about the efficacy of online voting because it would bring convenience, speed, efficiency, accuracy, and now we can see there will be potentially vulnerability by doing that. Can you talk to me a little bit thet in terms of policy, is day of discussing many for online voting, has that they passed because of the vulnerabilities associated with that . I think that online voting, unfortunately, would be painting a bullseye on our election system. I myself have hacked an online Voting System that was about to be used in real elections. Having found vulnerabilities and online Voting Systems that are used in other countries, the Technology Just is not ready for use. We needprofessor to do more, the government needs to adopt technology. I think were advocating good old days of paper voting are the way to go at least, an emphasis on that instead of using technology to vote. You,ou tell me, and any of it is my understanding that some of the election system vendors have records dates to sign required states to sign agreements. Are you familiar with that . That have been something that inhibit it the thames by researchers like me to attempts by researchers like me to study in the past. Do you believe that is a practice that is continuing . I dont know the answer to that question. Have any of you had experience like that with your vendors . In illinois, no, we have not. I dont think illinois law would allow such an agreement. I dont believe that what happened in indiana, either, senator, because in order to sell voting equipment in the state of indiana, it has to be certified. Which requires testing. Thank you. Thank you, senator harris. Let me wrap up. I want to thank all of you for your testimony today. Secretary lawson, to you, i really encourage you as the next representative of secretaries of states to remain engaged with the federal government. Specifically, the department of Homeland Security. I think with any transition of in administration, there is a handoff and they ramp up and a ramp. I have been extremely impressed with our witness from dhs who not only was here today, but she has taken the bull by the horns on this issue. I think you will see those guidelines very quickly. I hope there will be some interaction between secretaries of states since in 40 states you control the voting process. And you can find the system of federal guidance and collaboration that works comfortably with every secretary of state in your organization. I think it is absolutely critical that we have not only a collaboration, but a communication between the federal government and the state as it relates to our Voting Systems. If not, i fear there would be an attempt to in some way shape or form nationalize that. That is not the answer. I will continue to point mr. Sandoz to illinois as a great example of a state that apparently focused on the i. T. , andstructure and staff did not wait for the federal government to knock on the door and say, hey, you have got a problem. You identified your problem. At some point, the federal government came in as a partner. And i think where we see our greatest strength is to work chase peoplend to like you, dr. Halderman, who luck to break into im just getting with you. I think what you did is important. I think the questions you raised about the fact that you really can target to make the impact of what youre trying to do very, very effective. That is clearly what campaigns do every day. We should not be surprised if the russians actually looked at that or anybody else who wants to intrude into our Voting System and our democracy in this country. I have got to admit that the , sixtion of voting methods in indiana, where i dont know how many counties you have, i have 100 in North Carolina. It may be that i found out every county in North Carolina has the power to determine what Voting Machines, what Voting Software they have. This can get extremely complicated. To standardize everything which i dont think is the answer is, how do we create the mechanism for the federal government to collaborate directly with those heads of election systems in the state . And understand up front what we bring to the table and how we bring it so that we are all looking at the same thing. The integrity of every vote going to exactly who it was intended to do. Were going to have debates on paper or electronic. Were going to have debates on what should the federal role be. At the end of the day, if we and not got collaboration to medication, i assure you we will be here with another congress, with another makeup of a Committee Asking the same questions because we wont have fixed it. But i think what dr. Haldeman as such as, there are some ways which we can collectively approach this to where our certainty of intrusions in the future can go down. The accuracy of the vote totals can be certified. I think all four of you for ourg here today on he second panel. This hearing is now adjourn. [captions Copyright National cable satellite corp. 2017] [captioning performed by the national captioning institute, guest which is responsible for its caption content and accuracy. Visit ncicap. Org] pseudorepublicans until Senate Republicans unveil their health care measure. A vote on the bill could come next week. You can watch live coverage of the Senate Healthcare debate on cspan 2. Live today on cspan, and got is next. The house returns at 10 00 a. M. For general speeches. At noon, take up legislation dealing with worker training programs. Later, water storage projects. Coming up in an hour, california representative ro khanna, budget and armed services. 30, thomas massie, oversight and Government Reform Committee member, here to talk about congress and the concealed carry law. Later not 00, discussion on the future of the debt limit with shai akabas, director of fiscal policy at the bipartisan policy center. Good morning. After weeks of work behind closed doors, details of the Senate Republicans healthcare bill have been circulated. Washington post has it largely mirrors the version in the house. Senate republicans will meet behind closed doors this morning for what politico describes as a comprehensive presentation on the proposal. We will talk about the republicans plan coming up on the washington journal

© 2024 Vimarsana

comparemela.com © 2020. All Rights Reserved.