[inaudible conversations] today that ca committee convenes their sixth open hearing of 2017 to further examine russias interference in the elections. This is another opportunity for the committee and the American People to drill down on this vitally important docket. In 2016, a hostile foreign power reach down to the state and local levels to touch motor data. It employed relatively sophisticated cyber tools and capabilities and helped moscow to potentially build detailed knowledge of how our elections work. It was also another example of russian efforts to interfere into a democracy with the goal of undermining our system. In 2016, we were woefully unprepared to defend and respond, and im hopeful that we will not be caught flatfooted again. Our witnesses are here to tell us more about what happened in 2016, what that tells us about russian intentions, and what we should expect in 2018 and 2020. I am deeply concerned that if we do not work in lockstep with the states to secure our elections we could be here in two or four years talking about a much worse crisis. The hearing will feature two panels. The first panel will include expert witnesses from dhs and fbi to discuss russian intervention in 2016 elections, and u. S. Government efforts to mitigate the threat. The second panel involves those from the National Association of state election directors, National Association of secretary of state and an expert on Election Security to give us there on the ground perspective on how federal resources might be brought to bear on this very important issue. For our first panel, i would like to welcome our witnesses today. Doctor samuel laos, acting director of cyber diversion within the office of intelligence and analysis at the department of Homeland Security. Jennifer, acting deputy undersecretary of the National Protection and programs, also at dhs, and jenness, i think i told you, next time you came i did not want acting in front of your name. Now i publicly said that to everybody at dhs. Hopefully next time that will be removed. We have worked through so far over five and a half months of our investigation into the 2016 elections. As youre well aware, the this committee is in the midst of an investigation on this issue, the extent of whether the russian government conducted intelligence activities targeted at the 2016 u. S. Election. The Intelligence Community assesses while russian influence access to multiple u. S. State and local election boards, those systems were not involved in vote tallying. During the first panel i would like to address the depth and the breadth of russian government cyber activities during the 2016 election cycle come the efforts of the u. S. Government to defend against these intrusions and the steps that dhs and fbi are taking to preserve the foundation of our democracy, free and Fair Elections in 2018 and beyond. I think all three of our first witnesses. Thank you. Welcome to the witnesses and thank you again for all the work youve done. We all know that in january the counterIntelligence Community reach the unanimous conclusion that russia took extraordinary steps to intervene in our 2016 president ial elections. Russias interference in our elections in 2016 i believe was a watershed moment in our political history. This was one of the most significant events i think any of us will be asked to address during our time as senators. Only with a robust and comprehensive response will we be able to protect our democratic processes from even more dramatic incursions in the future. What the russians did was wellknown. Spreading fake news, flooding social media, hacking personal emails and leaking them for maximum political benefit. Without firing a shot, and at minimal cost, russia sold chaos in our political system and undermined faith in our democratic process. As weve heard from earlier witnesses, sometimes that was aided by certain candidates in terms of their comments of the legitimacy of the process. Less well understood as the Intelligence Communitys conclusion that they also secured and maintained access to elements of multiple u. S. State and local electoral boards. Now again, as a german has said, there is no reason to doubt the validity of the vote totals in the 2016 election. However, dhs and the fbi have confirmed, and i will come back to this repeatedly, only to intrusions into Voter Registration databases in both arizona and illinois. Even though, no data was modified or deleted, at the same time we have seen published reports that literally dozens, 39 states were potentially attacked. Certainly its good news that the attempt in 2016 did not change the result of that election. The bad news is, this will not be their last attempt. I am deeply concerned about the danger posed by future interference in our election and attempts to undermine confidence in our whole electoral system. We saw recently, this was just not happening here, obviously we saw russian attempts to interfere in the elections in france. I think the chairman that next week we will be having a hearing on these russian efforts. We can be sure that Russian Hackers will continue to refine their tactics in the future. Especially if there is no penalty for these malicious attacks. Again, its one reason the senate voted so overwhelmingly and i think all my colleagues for that 97 to vote to strengthen our sanctions on russia. I hope that sends a message that there will be a heavy price to pay for attacks on our democratic system. Make no mistake, its likely we will see more of these attacks, not just in america, but against our partners. I heard this morning on the radio that the russians are already actively engaged in the german election cycle that takes laces fall. Some may say why the urgency . We have election in 2018 but we have statewide elections this year. This needs a sense of urgency. The process, the machinery, the manpower, counting is a local and state responsibility. In many states we have a very decentralized approach which can be a strength and weakness. In virginia, for instance, the centralization helps deter largescale hacking or manipulation because our system is sold with abuse. They use a dozen different types of Voting Machines, none of which are connected to the internet. We have a number of machines so the tabulations actually could be broken into on an individual machine basis. All of this makes large Cyber Attacks on our electoral system more difficult. It also makes maintaining consistent coordinated Cyber Defense is more challenging as well. Furthermore, states may be vulnerable when it comes to the defense of Voter Registration and voter databases. Thats why i strongly believe the threat requires us to harden our Cyber Defense and thoroughly educate the American Public about the danger. Yesterday i wrote to the secretary of Homeland Security , i urged dhs to work closely with state and local Election Officials to disclose publicly , and i emphasized publicly which states we were targeting. Not to embarrass any state, but how can we put the American Public on notice when weve only revealed two states yet we have public reports that there are literally dozens. That makes absolutely no sense. I know its a position of dhs that since the states were victims it is their responsibility, but i cannot believe that this was an attack on physical infrastructure in a variety of states that wouldnt be a more coordinated response. We are not making our country safer if we dont make sure that all americans realize the breath and extent of what the russians did in 2016. Frankly, if we dont get our act together, what they will do in more dramatic form in 2018 and 2020. While its not my responsibility or not my job i dont believe its an acceptable decision. I hope we here plan on how we can get more information and make sure we have best practices to all states are doing whats needed. Im not urging or suggesting in any way that the federal government intervenes and what is a local and state responsibility, but to not put all americans on notice, to not have a number of states that were hacked into cap secret is just crazy in my mind. My hope is ill get some answers. They did designate the infrastructure and thats important. If we call it Critical Infrastructure but dont tell the public how many sites were tacked or how many could be attacked, i dont think we could get where we need to be. This is the new normal and i appreciate the chairman for holding this hearing and i look forward to getting my questions answered. Thank you. With that, doctor i understand you will go first. Chairman burr, Ranking Member warner and members of the committee, thank you for the invitation to be here. I represent the cyber Analysis Division of Homeland Security, office of intelligence and analysis. Our mission is to produce intelligence and analysis, represent our partners and correlate and cooperate on products and share intelligence at the lowest classification possible. We are a team of dedicated analysts who take threats seriously. I would like to begin by characterizing the threat we observed the 2016 election. Prior to the election we had no indication that adversaries were planning Cyber Operations against the u. S. Infrastructure that would change the outcome of the coming u. S. Election. However throughout spring and summer we and others began to find indications that the russian government was responsible for compromises and leaks of email from political figures and institutions. As the awareness of these activities grew, they began to receive reports of scanning and probing of election related information in some states. From that point on they began working together, analyze and share Additional Information about the threat. Ina participated in red team events looking at scenarios, collaborated and coauthored with other members, and the National Intelligence council. We provided direct support to the cyber center, the Cyber Security and integrations and worked handinhand with the state and local partners to share threat information related to their networks. By Early September we determined Internet Connections were potentially targeted by russian actors. Its important to note that none of these systems were involved in vote tallying. It is still consistent with the scale and scope. This activity is best characterized as hackers attempting to use tools to exploit known system vulnerabilities. The vast majority of activity was scanning activities similar to someone walking down the street to see if you are home. A small number of systems were unsuccessfully exploited as though someone had rattled the door now but was unable to get in. Finally a small number of networks were successfully exploited. They made it through the door. Based on the activity, dhs made a series of assessments. It started out with having no indication prior to the election that adversaries were trying to change the outcome of the election. We also assessed multiple checks and redundancies in the of the structure, including diversity of structure, non internet connected Voting Machines, preelection texting , all of these made it likely that the cyber manipulation intended to change the outcome would be detected. We also assessed that the types of systems russian actors targeted or compromised were not involved in vote tallying. Dhs has not altered any of these prior assessments. Having characterized the threat as we observed it, i will stop there to let my colleague talk more about how dhs is working with election systems. Thank you for the opportunity to serve on this committee. Im here to discuss the departments mission to reduce threats to the nations critical, cyber and physical infrastructure. Our nam nations infrastructure is under constant attack. In 2016 we saw Cyber Operations directed against u. S. Infrastructure and political entities. As awareness of this group, dhs and the partners provided actionable information in capabilities to help Election Officials identify and fit. [inaudible] it led to potential malicious activity, potentially targeted by russian cyber actors in multiple states. When we became aware of detected activity, we worked with the affected entity to understand if a successful intrusion had occurred. Many of these represent vulnerability scanning activity, not successful intrusion. This activity and partnership with these potential victims and targets enhanced our Situational Awareness of the threat and further informed our engagement with state and local officials across the country. Given the vital role that elections have been a free and democratic society, on january 26 of this year, the former secretary of Homeland Security established election infrastructure as a critical subfactor. Dhs is leading efforts to partner with state and local officials as well as privatesector vendors to formalize the privatization of voluntary securityrelated assistance and to ensure that we have the Communications Channels and protocols as senator warner discussed to ensure that Election Officials receive information in a timely manner and that we understand how to jointly respond to incidents. Election infrastructure now receives Cyber Security and assistance similar to what is provided to other Critical Infrastructure such as Financial Institutions and electric utility. Our election system is run by state and local governments and thousands of jurisdictions across country. Importantly, state and local officials have already been working individually and collectively to reduce risks and ensure the integrity of their election. As they become sophisticated, they stand and partnership to support their effort. Safeguarding and securing cyberspace is a core mission at dhs. Through our national Cyber Security and mediation center, dhs is the state and local customers as part of our daily operation. Such assistance is completely voluntary. It does not entail regulation or federal oversight. Our role is limited to support. In this role, we offer three types of assistance. Assessment, information, and Incident Response. For the most part, dhs has offered two kinds of assistance to state and local officials. First the cyber Hygiene Service for internet systems which provides a recurring o report identifying vulnerabilities. Second hour Cyber Security experts can go onsite to conduct risk and vulnerability assessments and provide recommendations to the owners of both systems for how best to reduce the risks to their network. Dhs continues to share actionable information on Cyber Threats through multiple means. We publish best practices for securing for the registration databases and address potential threats. We se share indicators and other analysis that Network Defenders can use to secure their system. We partner with the multistate sharing and Analysis Center to provide threat and vulnerability information. This organization is partially grant funded by dhs and has representatives that sit on the floor and can interact with our analysts and operators on 247 basis. They can also receive information throughout the country and in partnership with the fbi. We provide Incident Response assistance at the request to help state and local officials identify and remediate any possible cyber incident. In the case of an attempted compromise affecting infrastructure, we will share that Technical Information with other states to assist their ability to defend their own systems from similar activity. Moving forward, we must recognize that the nature of the threats will continue to evolve. With the establishment of a subsector, dhs is working with stakeholders to establish these councils and are mechanisms. They will formalize our mechanisms for collaboration and ensure longterm sustainability of this partnership. We will lead the federal efforts with resilience efforts. Before closing, i want to reiterate that we do have confidence in the overall integrity of our electoral system because our vote infrastructure is fundamentally resilient. It is diverse, subject to local control and has many checks and balances built in. They will continue to support state and local partners by providing information and offering assistance. Thank you very much for the opportunity to testify. I look forward to questions. Thank you for the opportunity to appear before you today. My statement for the record has been submitted. Rather than restating it, i would like to step back and provide a description of the broader threat as i see it. I want to begin by asking one question. What does russia want . As you well know during the cold war, the soviet union was one of the worlds two great powers. In the early 1990s, it collapsed and lost power, stature and territory. In the to who thousand five speech, Vladimir Putin referred to this as a major catastrophe. The soviet unions collapse left the u. S. As the sole superpower. Since then, russia has substantially rebuilt but it hasnt been able to fully regain its status or its former territory. The u. S. Is too strong and has to mailing. They hope to regain its prior stature and russia has decided to try to weaken us and our allies. One of the ways russia has sought to do this is by influence rather than brute force. They have referred to this as information warfare. Its information they use as a weapon. Russia used information to try to undermine the legitimacy of our election process. Russia sought to do this in a simple manner. They collected information via computer intrusions and via their Intelligence Officers and they selectively disseminated emails they hoped would disparage certain political figures and shed unflattering light. They also pushed fake news and propaganda and they used online amplifiers to spread the information to as many people as possible. One of their primary goals was too so discourse and undermine a key democratic principle. Free and Fair Elections. In summary, i greatly appreciate the opportunity to be here today to discuss russias election influence efforts. I hope the American People will keep in mind that russias overall aim is to restore its relative power and prestige by eroding democratic values. In other words, it is election related activity that wasnt a onetime event. Russia will continue to pose and influence threat. I look forward to your questions. Thank you. Thank you very much to all of our witnesses. We will proceed by seniority for recognition for up to five minutes and the chairman will tell you when you have used all of your time if you proceed that far. The chair recognizes himself for five minutes. Yes or no to all three of you. Most important question, do you have any evidence that the votes themselves were changed in any way in the 2016 president ial election . No, sir, there was no detected change in the vote. No, sir. No, sir. This adversary is determined, their aggressive in getting more sophisticated by the day. The diversity of our election system is a strength, but the intrusions in the state systems also show that moscows willing to put considerable resources towards an unclear result. In 2016, we saw boulder data stolen. How could moscow potentially use that data . They could use the data in a variety of ways, unfortunately, in this setting, i can go into all of them. First of all i think they took the data to understand what it consisted of, whats there so they can better understand and plan accordingly. When i say plan accordingly, that means in regard to possibly impacting future elections and or targeting a particular individual. Also by knowing whats there and studying it, they can determine if its something they can manipulate or not, going forward. Theres a couple other things that would be appropriate in this setting as well. Too any of you, youve heard the vice chairman talk about his frustration of publicly talking about how many states. Can you tell the American People why you cant disclose which states and the numbers . Thank you for the question. Through the long history, the department has in working with the private sector and state and local on Critical Infrastructure and Cyber Security issues, we believe its important to protect the confidentiality that we have in the trust that we have with that community so when the entity is a victim of a cyber incident, we believe strongly in protecting the information around that victim. That being said, what we can do is take the Technical Information that we learn from the engagement with that system and anonymize it so its not identified with that entity or individual and we can take all the Technical Information and turn it around and share it probably with whether its an affected sector or broadly across the entire country. We have multiple mechanisms for sharing that. We believe this has been a very important key to our success in developing trusted relationships across all of the 16 Critical Infrastructure sectors. Are we prepared today to say publicly how many states were targeted . As of right now, we have evidence of 21 states, or election systems and 21 states that were targeted. But in no case were actual vote tallies altered in any way she performed. Thats correct. How did the french respond to the russian involvement in the french elections a month ago . Is that something we followed . From the bureau standpoint, that is something we followed from afar. We did have engagement with french officials, but were not deliberately to go into what those consisted of. Weve talked about last year, russias intent to target, lets talk about next year. Lets talk about the 17 elections in virginia in the 18 elections and gubernatorial elections. What are we doing this november and next november. This is a Critical Infrastructure subcategory that has allowed us to prioritize and engage with them. We are identifying additional resources, prioritizing our engagement with them through information sharing, identifying in partnership with the state and local community, those communication protocols and how we ensure that we can declassify information quickly should we need to and get it to the individuals that need it. We are also committed to working with state and local officials on Incident Response playbooks. How do they understand where to engage with us, whered we engage with them and how do we bring forces to help secure their election system. Thank you for the answer. Twentyone states is almost half the country. Weve seen reports even higher in the vote totals were not changed can you explain how are made safer by keeping the identity secret from the public since arizona and illinois. I bring back the earlier point, one of the key pieces for us is our ability to work with our partners because of our collection mechanisms work. Its built on a high level of trust. With the public be safer by not knowing their water system or power system was attacked. For other sectors we apply the same principles. When we have a victim of an incident or in the water sector, and we keep the name of that entity confidential. Some of the sectors do have a breach recording requirement. Are all 21 of the states aware that they were attacked. All the system owners within those dates are aware of the targeting. At the state level could they penetrate at the state level that they would not know their state had been subject to russian activity. We are currently working with state Election Officials to ensure communication between the local and the state. At this time there could be a number of officials that dont know their state was targeted. Is that right. The owners of the systems do know they were targeted. The owners may know because we have a centralized system. Many local i understand the notion, but i do not believe our country is made safer by holding this information back from the American Public. I have no interest in trying to embarrass any state, but weve seen this for too long where people tried to sweep this under the rug. We had no idea, we had no idea to predict this beforehand. We had 21 states and we have to that have come forward. While no Election Results were changed, we do know there were a number of states, how many states to the russians actually affect the data such as registration lists. I prefer not to go into those details in this form. We are attacking,. To the states who had their data compromised by the russians, are they aware of that. Yes sir. Is there any coordinated response on how were going to deal with this going forward. How we make sure, if states are not willing to acknowledge that they have vulnerabilities that they were subject. We are in a brave new world. I understand your position. Im very frustrated, but i get this notion. I think we need a reexamination of this policy. The designation by former secretary johnson with Critical Infrastructure, what does that change in how our operations are going forward. By that designation in january, appreciate it. What does that really mean in practical terms. It means three things. First is a statement that we do recognize these systems are critical to the functioning of americans lives. The second is that it formalizes and sustains the departments privatization of engagement with this community , and the last is that it provides particular protection for sharing of information that allows us to have conversations to discuss vulnerabilities. I talked with secretary kelly last week. I would like us to get more information. What ive heard today is there a 21 states that within those 21 states, i have no guarantee that local Election Officials are aware that their state system may have been attacked. Number two, we dont know how many states. [inaudible] have you seen any stoppage of the russian activity after the election or are they continuing to paying and try to fill feel out our system. On the first two questions, i will be happy to get back to you. I spoke to the secretary and on the second question i will defer to the fbi. I cant comment on pending investigations related. You cant say should the public take away a sense of confidence that the russians have completely stopped as of november 2016 . Have they stop trying to interfere with our Electoral Systems . Is that what youre saying. Thats not what im saying. The russians will absolutely continue to influence operations in the u. S. Which will include cyber intrusions. Thank you. To dhs into the bureau, a quick question. Would your agency be opposed to the chair and vice chair sending a letter to the 19 states that have not received the letter, asking them if they would consider publicly disclosing that they were targeted at the last election. Sir, i would be happy to take that question back to my organization. I would just add that the role you are, your committee is playing is critically important for this country. The bureau is trying to balance the messaging end of that by doing things that hopefully dont impact what we can learn through our investigation. I know its a fine balance. The bottom line is you play a key role in raising awareness of that and i thank you. we did emasculates of few resources from our analysis and operations analysis and to put a number on it is somewhat challenging. Was a substantial . The mac a substantial level of effort spinnaker you confident when you obtained what you wanted. Guess the key priority was to develop the main meet you in the relationship to the community for those broader indicators we can share with over 800 indicators so we do believe we have accomplished that we dont want to put that level down we want to continue that. You are confident you got the information that you needed for what was going on . Yes, sir,. The fbi considered this a very grave threat so we dedicated substantial resources to this effort as well. Everyone on this committee sorry comfortable to identify or do you feel that is classified . Other than what is mentioned in the unclassified version i would rather not go into those details. Were any of those agencies identified . Let me ask this question and i come at this from maryland will different perspective from all the work of all of the agencies and the people involved with all of the digging with what the russians had done and their attempts, and have you found any evidence come in direct or circumstantial down to race in to lead any person that communicated with the russians in their efforts . Im sorry i just cannot comment that falls under the special counsel kirk purview. Are you aware of any such evidence . Im sorry i cannot comment. Also i cannot comment. Candidly i am very disappointed by live the testimony we have learned a great deal and the public has learned a great deal and it seems we have to deal with what we have learned. You have said that russia decided to weaken us through covert influence rather than brute force and if it is a correct assessment and the key for having the courage to make it. Here is a question, to the best of the knowledge of the fbi have they conducted covert influence in prior election campaigns in the United States . If so, when . What . How . Absolutely they have influence operations in the past but what made this different was the degree of what you can do through electronic systems. In the past it was trying to put it a bias or half true stories into the press or peel plants that people would read. The internet has allowed russia to do so much more today than they have never been able to do with the past. So prior campaigns were eased initially developed to influence one campaign above another and denigrate the candidate issue if elected and to support another candidate solely . I am saying that for years they have conducted implements operations. Equal to this one . Not equal to this. What made this different different . The scale and the aggressiveness in my opinion makes this different because of the electronic infrastructure of the internet today that allows you to do things in the past they could not do. Was this effort tailored to achieve certain goals . Absolutely. I think the primary goal was for discord to try to delegitimize free and Fair Election process i also think another goal from the United StatesIntelligence Community stands behind was to denigrate secretary clinton to help president drug. Was this done prior elections . To denigrate a specific candidate or try to help another . Yes maam they have. Which elections are those . And sorry i cannot think of an example of of the top of my head from the cold war of through the most recent elections in my opinion they try to influence all of the elections and it is a common practice. If they admitted what is today of the 21 states . If they have i am not aware. The scale and aggressiveness separates these from their previous activity. Has the fbi look at how they were targeted . Absolutely. We have a number of investigations in regard to that but theyre all still pending sort rather not go into those details. Also keep in mind we continue to learn things. There was some activity prior to the election so as we learn more we share more. It is the intent of the fbi to make this information public at some point . This gets back to an issue the vicechairman raises. I think it is critically important to raise awareness to a undermine our democracy. Part of the understanding is where we learn more and more so what do we need to provide two partners so they can best protect themselves verses not interrupting our investigations if made public. We have already decided we will invite the bureau for a classified briefing to talk on the open investigations and what may be on their mind. One of the mandates of the investigation is to work with the bureau and other appropriate agencies to make a public report in as great of detail as we can with their findings on russia so it is the intent of the chair to make sure as much as we can declassified is done so the public gets a true understanding. Ed is critically important most importantly to tell the American People how this happens so were prepared for the next time and to outline their goals we know they have tried. With the first undermines the credibility of the electoral process for curve that is the real democracy it causes problems the second to undermine the credibility of our leaders. They want that person to go into the office hobbled by scandal and questions and third is to control the outcome either through public messaging are actually being able to manipulate the vote and by the way theyre not mutually exclusive you can do all three they work in conjunction a think we can argue they have achieved quite a bit but then what i always point to we have something in american politics called Opposition Research to find out about your opponent any package it and then run ads and report on that so imagine to be able to do that with email or to weapon is that to link week that to somebody who will oppose that and create norways is one of the capabilities. Also straight out misinformation run a story that is not true have your trolls click and it rises as a trending topic by the time the figure out it is not true people think it is. I remember seeing one early fall that obama out what the pledge of allegiance. Ideal wasnt true but people were asking if it was and that was just somebody with too much time on their hands and obviously people talk about affecting that but even the news that the hacker from a Foreign Government potentially got into the Computer System is enough to create the impression of a losing candidate election was rigged and most americans dont fully understand but if you give that narrative with fake news and before you know what you have the specter of a political problem and then claiming the election is stolen. I dont know why they were probing because obviously a lot of the information was publicly available. You can buy the voter rolls but i would speculate because they wanted the stories to be out there to create that specter to argue that the election is invalid proposal that is why a it is so important to the extent possible that part of it as much to be available as possible because the only way to combat disinformation is with truth and fact and explain, i know it is proprietary, but it is really critical people have confidence when they go vote , that vote will count and i just really hope we err on the side of disclosure said he will have full confidence i remember people asking me repeatedly will my vote count . Was afraid they would not vote because they thought it would not count for gore noted assured decision to make but it is really really important americans understand what happened and what didnt and that we can communicate data in realtime so in 2018 as these reports emerge again we can put out enough information so people dont have doubts. That is at your decision to make but i hope that is part of the push because it is critical. Pleyels 82 the three of you respectfully that on the big issue which is what states were effective of 2016 the American People dont seem to be getting more information than what they already half from when they showed up. Were sensitive to security concerns but that question has to be answered sooner rather than later. We obviously need to know paul vulnerabilities and better cybersecurity to protect the elections from being hacked in the first place that is the vote by mail system with enough time to fix the problem if they pop up. So now you mentioned in the january intelligence conference the we observed russian actors targeting or compromising. Your prepared testimony makes another point they think is important and you say it is likely that cybermanipulation of the u. S. Elections intended to change the outcome of a National Election would they be detected . That is different from what we have heard so far. So well level of confidence does the department have been its assessment of 2016 was not targeted or compromised does that apply to state and local elections that lovell of the effort makes it nearly impossible to avoid detection the security of preelection testing a level of a number of standards end in addition and the vast majority to make sure there tabulated as expected and then to bring that idea. Los are those statistical anomalies. What about state and local elections . From the standpoint of the nation state to have the same internet connected system the same level of confidence. This also gets to senator rubio is point of difficulty to understand the variety of systems that used in the election process publicly. So we broke our level of engagement down into a couple of different areas. Is also looking at the Voting Machines themselves. With those voluntary coding standards and guidelines and by best practice. And the department on the vote tallies. What i would suggest what has been demonstrated by security researchers to manipulate the vote and a scale thats would be virtually impossible to occur with one of the current election systems. Is there any kind of postelection on those though the machines . We are currently engaged with many vendors to look into lou conducting they with the little analysis but we have not conduct ted transix. And order to reassure on the votes . I would say that we do currently have voluntary standards in place that vendors are enabled and that they require certifications and then be interested with that level of analysis. So that depend on a lot of people thirdparty contractors are you confident the federal government has identified all of the private sector targets . I am confident we have identified a potential target for. Is a great pleasure so in 2003 a the details of the homeless Security Committee and to draft that intelligence for four. So you testified this morning what does russia want . You said to undermine the legitimacy of the elections, all of the American Public. Despite the exposure and the publicity given do you have any doubt they will continue their activities in subsequent elections . I just dont know that scale or aggressiveness but i have no doubt there will continue. Is there any question they have been planted computer techniques and to our election system . In america cannot comment due to the pending investigation. Secretary, the secretaries of state responsible for the election system are to have a pretty blistering attack in the testimony we will be heard so they save nearly six months of the devastation of the election systems and despite of comments the their rushing to establish protections that knows secretary of state is currently authorized to receive classified threat information and to help them with their election system. Why not . I would note this community the secretaries of state and the director is not one the department has historically engaged with and what we have done with the process with trust and learning how they do their work with the need to provide clearance to that community and committed to work through that process through the fbi. Let me ask you about budget now to show Intelligence Community that right have access but if anybody in the agency is ready to put all relevant and classified information with this including the election and systems. Despite the fact we are not part of the Intelligence Community so we feel very confident ministers of the at and hit for the Intelligence Community in their relationships organizations such as the fbi or nsa or others and we receive information quickly. And fast to declassified there are responses in the work through the partners to ensure that happens quickly. There is room for improvement absolutely but we have a full support to support us that the information we need. County states have implemented that after what is recommended in those documents developed . I would have to get back to you on the specific number of states. Do you think most states . Many of them noted day had adopted these but they would. Bakes for house seriously you had taken since and you have answered questions this morning but you hit the nail on the head when he said to step back and ask the fundamental question what do the russians want . Sold by outlining they want to undermine the legitimacy of our system to a ride the free interior of his elections billion a step in the specifics of 2016. In your view were the russians successful to reach their goals in their activities . But maybe to distract us from other things bin on the other hand, exactly but to me in my opinion so i dont know. The jury is out for the future but looking at the discord and the impact on 2016, i hope the outcome here is to make sure in 2018 through 2020 to that i know much rockwell they have been successful. You stated very correctly one of the primary goals was to delegitimize the democracy. Are you familiar with the term unwitting agent . Yes i am. In day intelligence context it is where the Intelligence Service tries to levants certain teams to reach out to a variety of people some of which they may try to convince to do certain things for the people they contact we carry this out for Different Reasons than what was wanted so they do that unwittingly. But i effectively reinforcing that russian narrative to say this system is rigged in did bin kennedy trump what is called the unwitting agent . I dont blame you for not answering that question of. [laughter] can you talk about the relationship between the election penetration in that we saw in the neck with it coincidence of what russia used that senator rubio talk about social media to manipulate the media cycle and how those fit together. Im sorry . Their relationship from a technical point of view and in the media cycle by using trolls. Edits a a well planned with the election in process and in democracy and that might sound complicated but it is straightforward to collect intelligence from a variety of sources they want to evaluate that intelligence and they may selectively disseminate some of that order to more strategic discussions that would give an advantage and well coordinated and well funded to disseminate. This is a very sophisticated and highly resource to. Lets talk a little bit to start with a comment vhs made that says the system and russian actors are compromised were not involved. Is that because the vote tallying systems are harder to get into them for registration . I cannot make a statement as to why the different systems were targeted by it whether it was the machines at the polling station or to tally were very difficult to access and given bulla will lovell of observation to vote tally at every level of the process and we led have identified issues and there were nine. Nine. If you can get into this system to impactobviously that is the place to do that. I would also suggest all of your efforts would be to continue to do what averred vhs things they need to do to of bias state and local Election Officials to be sure it is protected. The Voter Registration system is generally a accessible and lots of ways you have a lot of them apart from the sources and he made a point the best practice would not have that vote tally system in any unnecessary way. Is that right . So for those not to connect to the internet paul so the paper audit trail as well. A paper trail is significant and i think more prevalent as people are looking at new systems but also any type of thirdparty monitoring just creates another way into the system. My advice said he just does not want to be rewritten all Voting Systems of the country do you want to comment . We look dad the diversity and the fact reevaluated that with the Risk Assessment we look at that as one of the great strengths. I hope you would think about that is a great strength with that Critical Infrastructure that is also one more avenue for somebody else to get into the system and that Voter Registration system given out to people but almost all Election Officials that have this to share that with the public face and there is a reason to share the security to make thats accessible and that vhs or nobody else decide to will save the system by having more avenues. In then to do that voluntary partnership. This is a very grave threat to upset the local system and any doubt that it was the russians . Any doubt they will be back . No, sir. To the vhs witnesses of the states where this has happened have been notified officially . The odors of the systems had been notified. What about the Election Officials . We are looking to make sure theyll understand as well. Caddie had a conference of all state Election Officials here on this issue . I have had at least two teleconferences and in person we will engage with them in july. I would encourage you to put some of the look urgency on this if were talking well systems in registration the time is going by so ted is a very grave threats and shame on us if were not prepared. Every heather week we hold a teleconference of all officials from the National Associations from those bipartisan individuals it is of the utmost urgency to ensure we have better protection going forward. Nobody is talking about a federal takeover or the rules but and perhaps some findings . And read that financial horror Nuclear Sector is voluntary to provide soon information to potential victims to ensure they have access to we have access to do to better defend themselves. We have the National Election that is too large. But we dont we have 50 states elections and each one can depend on counties there are probably 500 people within the sound of my voice can tell you what it will determine the next president ial election so a sophisticated factor could pack just by focusing on particular counties remember dade county in the year 2000 sotto they get works to say it is the big system will protect us because it is rarely county by county or city by city or state bond state and the sophisticated actors could determine where to direct their attacks. A separate point is what do we recommend . The dutch to a tad any election to make it paper and counted by hand for this reason. As the previous senator mentioned with the vote tally system to insure they are not connected to the internet and second to ensure there is an audit team process in place to educate those to look for suspicious activity. But the audit means a paper trail . Even guess i recommend to the paper back up. Del pc cannot salivation . We are seeing some consolidation many are committed on those voting standards and guidelines. And while there is some concern about consolidation in a very engaged communities. With one of the most daunting and that there were unsuccessful to change the votes but they were not doing that in 21 states for fun. They will be back with knowledge but this should have kept up most urgency. Negative say heads that there are some states like that to have the paper ballots we cannot with the optical scanning that we can verify with paper is this that i am into simultaneous hearings today with the department of Homeland Security it is also happening on the same issue. I brought this with me today the famous email from the red dnc while on vacation he was out in hawaii enjoying quality time and gets an email that says somebody used your password to sign into your google account from the ukraine and recommended he change his password immediately. So he was frustrated and clicked on the link to change his password and went back to bed they just gave the russian government access to the dnc. Also other Staff Members the other emails just like this. Now everybody will know that really does look like a google account when you hover over the change password it showed the google canal account connection but it was not. Ninetyone start with the spear fish attack looking like this. So what happens in my state your other states . How does russia identify the potential target . Said they knew whod he was sore where it works. So how does this work in the future . I cannot go into great detail in this forum but they are looking for vulnerabilities as far as targeting specific individuals i dont know all the facts surrounding where the emails were sent but to have an email like that just hoping one would click on that. And then they begin to track those individuals . You have hit on the at to review the open source material but they also collect information through the human means. Selfie click on the link to access what do they get typically . It depends on the system i imagine that is a frustrating response but this is important for the public to understand to educate the public make sure you know, the senator so in this case ideally we want people to see what it isnt they are clicking on before they collect so when that individual . They choose to not allow that to go to that destination because it is suspicious other organizations do not take those steps. Who has primary responsibility for integrity . Obviously the states see their own but the federal agency works with the state their the prime agency to do that. For election in cybersecurity that leads the partnership. They called you for your appearances here today in your testimony being former secretary of state my biggest concern was voter fraud unfussy participation decrease so is is there any reason anybody has the knowledge that you have from the Intelligence Community give you any doubt that russia was involved with the confidence level that voters have . To any of you have any doubts . No doubt from the fbi and. We have no doubts. Also during that 20 election cycle would you notify me to be on the lookout . The products that we put out the public the primarily leveraging which has connections to all 50 states and we engaged with the commission that represent those individuals that we have not historically engaged with to put out multiple products. So oh to disperse that information and . We also hold a Conference Call were all 50 secretary of state did not have that responsibility in august or september or october with highlevel engagement. What was is russias intention if you think they were successful even though there are no alterations of those Election Results . Yes or irs says russias intention and to undermine democracy it was to undermine the legitimacy. The fbi does not look at that. So are their contractions for what they have done with their intention to continue in order your own opinions of those sanctions . The fbi does not do policy of the threat to picture but not receive u. S. Covering it did take action postelection. Did they take side with any of their activities . You may have less people to carry out their activities so added impact. Have we share this with our european allies . Have the see the same intervention. I cannot speak for dhl is that we are sharing this with our allies. Were also sharing allies is this data l look awful we have never seen before . So without relationships from that of vhs perspective with increased activity. In response to the question if there is the unwitting agent of russia, you said you declined to answer which is understandable since her defeat Hillary Clinton has blamed her lost the farms in in macedonia but please her loss donizettis actors if she and the unwitting agent agent . Im sorry i would rather not comment. I am understand. Believe will turn to other matters. Where do of bias state or localities not to use zero words do business the use those products in their systems . I cannot comment on that in this setting. Wed to advise them not to use those products . I also cannot comment in this forum spinet i cannot comment either. The senator says he will in seven he can speak later. Talk about russias intent that it is important with that 2016 campaign is it true it is bin probing Critical Infrastructure for years . There is a lot of things and is of critical importance to this country. So with the president ial election and the influence the previous efforts also or to strengthen because of the history investigating that would suggest it keeps you pretty busy . Correct it is it just a cyberthreat but what they could call a spy . Tsr. Do the so called the diplomats have a requirement to notify the state department and they will travel more than 25 miles and 48 hours in a finance . Radio. Can bear to notify the fbi and the advance of those arrangements . Yes. Is it true they failed to give that notification before a weekend trip . I prefer not to go into those details but i will leave it at that. But if we have russian nationals wandering around the country more than 25 miles outside of the duty assignment . If that would happen that would said complicate the efforts. So to find out what russia is in violation that allows us to take pictures so do we see those Russian Diplomats that brochette is conducting in this country . We cannot comment. Last summer a diplomat was a salted on the doorstep that the innocent embassy in moscow. Last year something that jusa provision that would require the state department to notify the fbi for any request for diplomats to travel more than 2y and to report violations. It requires them to report violations regularly to this committee. What is the status of that provision now that it has been in law for two months . Will the state department cooperate more fully with you . I would rather not comment on that here. Were still working to the limitation. I surely hope they start. Thank you. Senator harris. You mentioned that you notify the owners, i am not clear on who the owners are . Of the the vendors . What i meant to clarify is that in some cases may not be the secretary of the state of the state election director who owns that particular system. So in some cases it could be a locality or a vendor. So is their policy of who should be notified when you suspect there is a threat . We are working to that policy with the secretary of the state, that is one of the commitments that we may to them. And election directors in order to issue in sure they have appropriate information will preserving the confidentiality of the victim. You please tell us which state come in which state to notify the vendor instead of notify the secretary of state . We keep that information confidential as well. Other states as well that you notify that you did not notify the person who is elected by the people of that state to oversee elections . I dont believe that is the case but i will back to with a definitive answer. How specific was the warning you sent . What exactly is that you notified the states or vendors of . Pending on the scenario and information we had a more generally what we do is we get classified information we look to declassify as much as possible. For this particular one, but we took was Technical Information that we had, that we believe was suspicious and emanating from russia was targeting their system. We asked him to look at their system. This is part of the broader dissemination as well. We asked all states to look at their system to identify whether they had an intrusion or whether they blocked it. In most cases they blocked it. To have a copy with you with the notification they sent with the various vendors . I do not, but we can get back to. I we provide this committee with a copy of the notification that you sent for vendors . Many were done in person, but what i can show you is the Technical Information, that was also rolled up in the information that we published in december. I can show you what we provided to the states it and localities. Did you notify each of them the same way . Or did you tailor the notifications to each state . We tailor the notification. Its a process for all the potential victim notification. It may be an fbi field agent echoes out there, sometime it be a Department Official echoes out there. In your follow up to the committee, please provide us with specifically who notified each state and who in that state was notified, the vendor of the state election official. Also, what specifically they were notified of. In 2007, california worked with leading security researchers, the secretary of the state at the time was debra bowen, they instituted some of the best practices, we believe for Election Security. My understanding is that it is considered a gold standard. My question is, does dhs have the Technical Capability and authority to courtney to study like that for all of the states . We do have the Technical Capability and authority to conduct those studies. Have you pursued that as a viable option to help the state to everything they can to secure their system . That is one of the areas we are considering, yesman. Can be taken a look at that study those commissioned in california 2007 . If not, anchorage you do. I have not personally, but i will. A most concerned that the federal government does not have the information it needs any situations where theres been a breach. Is there any reason why they need to can you tell me is there any requirement that the state notifies residence when the state suspects there may be a breach . I cannot. I know multiple states have different sunshine laws that apply to data breaches within the state. I cannot make a general statement about what the requirements are at the state level. Do any of you have any thoughts about whether there should be such requirements both in terms of state reported to the federal government and also states reporting to their own residents and citizens about any breaches of their election system . Required data breach reporting is a complicated area. We prefer and we have had a fair amount of success with voluntary reporting partnerships. We would be happy to work with your staff and further understanding how that might apply here. I appreciate that. Any other thoughts, as we think about preparing and sharing information . Thank you. Let me just say that since a number of members have questioned the agencies, especially those who are here and sharing with congress of the investigation, ill just say that the chair in the vice chair were briefed at the earliest possible time and continue to be briefed throughout the process to all the members of the committee. Im not sure i share that with everybody. Thank you very much. Are you aware of any direction or guidance from President Trump to conduct this investigation about the russian in our elections . I cannot comment on that. It could be potentially related to things under the special counsels purview. Thank you. In terms of security, where you ever need direction by the president to conduct these types of operations or investigations . Sir, to clarify the question, direction from the president. By the United States has directed that we that we and other federal agencies conduct activity that youre conducting the investigation into the russian election. I cannot comment on the present instruction specifically. Our secretaries committed to understanding what happened in ensuring that we are better protected in the future. He is not communicated that this is at the direction of the president of the United States . No sir. Sir, this comes directly from has been working on this for quite a while and the secretary has fully supported it. Nothing from the president directly. I think senator king raised interesting issues, but typically theyre not decided in certain states but in certain cities and counties, it raised an interesting question, youre very assertive about that you would be able to diagnose an intrusion that was altering votes literally. What could you do that . Within weeks of election, after election day . The way we would do that is to look at the threats themselves and targeting specific entities. The other element is as the report was coming in if theres any statistic anomaly and id also point out that were talking internet connected systems and not all of the key counties you represent would be those internet connected systems. Effectively what youve said is that you would have to wait for confirmation until the results coming in on election day which raises the issue of even if you detected on election day, what we do . Are the votes cast, anyone planning on, what is the reaction that we taken had we notify people. And i do want to clarify that that activity would be difficult to attacked it be difficult to go undetected were discussing both at the polis station that it would be hard to do someone without anybody not necessarily the department would have that immediate insight. To answer your question thats a part of. So the two months with the election we have to be able to develop technical infrastructure but an organizational infrastructure that could react a very short notice to discovery that actual votes have been tampered. And do think theres enough evidence for the resources and support that we do that, we get 50 states and among those states many of the voting jurisdictions where we taken it serious . This is one of the highest priorities i would note that were not just looking ahead to 2018 as Election Officials routinely there connected on a regular basis. Perhaps correctly, but you testify today and your colleagues said information was by the russians, what type of information was taken in what could be used for . I dont want to get into the details of victim information was taken, we have a variety of pending investigations, but it could be used for a variety of purposes, couldve been taken to understand what is in the systems, couldve been taken to used to target and learn more about individual so they could be targeted. It couldve been taken in a way to publicize and send a message that a former adversary has the ability to take things and to instill doubt and voters minds. Given the activities at the russians have deployed, significant resources, constant effort over over a decade, do you think they have a better grasp on the american Voting System then you have . I hope not. I think it is a next line question first of all i hope not but if they did i dont think they would do anymore. Thank you very much. Is there any evidence that the attempt to penetrate the dnc was, for the purposes of launching the selection your intrusion process that they went on, or was it at the time one of multiple fishing expeditions that existed by russian actors in the United States . In my opinion it was one of many efforts, you would call it a fishing expedition but to determine whats out there and what Intelligence Committee collect, they dont go after one place, they go after lots of places. Tens, hundreds, thousands. At least hundreds. I want to wrap up the first panel with a slight recap. I think you have thoroughly covered there is no question that russia carried out attacks on state election systems, no vote tallies were affected or affected the outcomes of the election, russia continues to engage in a plantation of the u. S. Elections process and elections are now considered a Critical Infrastructure which is extremely important and does bring interesting potential new guidelines that might apply to other areas of Critical Infrastructure that we have not thought of because of the autonomy of each individual state in the control within the state of the election system. Im sure this will be further discussed as the appropriate committees talk about federal jurisdiction, where that extends to an clearly a think it is this committees responsibility as we wrap up the investigation to hand out to that committee somewhat of a roadmap of what we have learned or areas we need to address and we will work closely with dhs as we do that. With that i will dismiss the first panel and call up the second panel. [inaudible] [inaudible] [inaudible] [inaudible] [inaudible] [inaudible] [inaudible] i like to call the second panel to order. As those visitors to please take their seats. As we move into the second panel are hearing is shifting from a federal government focus to a state level focus. During the second panel we will gain insight into the experiences of the states in 2060 as well as hear about efforts to maintain a look security moving forward or. I like to welcome our witnesses, connie lawson, president elect of the National Association of secretaries of state the secretary of state of indiana and the administrator of the wisconsin commissioner. Steve, executive director of the Illinois State board of elections and doctor j alex holderman, professor of commuter Computer Science and engineering at the university of michigan. Thank you for being here. Collectively you bring knowledge and understanding of our state election systems, potential vulnerabilities over voting process and procedures and the mitigation measures we need to take at the state level to affect the foundation of american democracy. In january of this years secretary of Homeland Security jay johnson designated the infrastructure used in federal elections as Critical Infrastructure. Dhs made the designation established election infrastructure is a priority within the National Infrastructure protection plan. It enabled the department to prioritize Cyber Security assistant to state local officials to those who requested a minute publicly known the election infrastructure enjoys all the benefits and protections of Critical Infrastructure that the u. S. Government has to offer. Some of your colleagues objected to this scene it is federal government interference. Today i like to hear your views on the specifically but more probably how the states and the federal government can best work together. Im a proud defender states rights, but this could easily be a moment of divided we fall. We must set aside our suspicions and see this for what it is, an opportunity to unite against the common threat. Together we can bring considerable resources to bear keep the election system safe. Again, i think our witnesses for being here and i now turn to the vice chairman for any comments. The vice chairman doesnt have any i assume by some process you have been elected to go first unless there is an agreement. Actually think we are going to defer to secretary lawson to start if thats okay with the chair. And secretary you are recognized. Good good morning and distinguished members of the committee. I thank you for a chance to appear before you today. Its an honor to represent the nation secretary of state, 40 of whom serve as chief state Election Officials. On the indiana secretary of state and also president elect of the bipartisan National Association of secretaries of state. Im here to discuss our capacity to secure state i locally run election for significant Cyber Threats. With statewide elections and jersey this year morning more contest followed 18 i went to 8inch assure you and all americans that Election Officials across the United States are taking Cyber Security very seriously. The searing offers a chance to separate fact from fiction regarding the 2016 president ial election. We have seen no evidence that both casting or counting was subject to manipulation in any state or locality. Nor do we have any reason to question the results. Just a quick summary of what we know by documented for targeting of state local election systems, and the 2016 election cycle is confirmed by the department of Homeland Security, no major Cyber Security issues were reported on election day, november 8. Last summer, our Intelligent Agency felt up to 20 state networks had been probed by entities essentially rattling the doorknobs to check from locked doors. Foreignbased hackers were able to gain access to Voter Registration systems in arizona and illinois, prompting the fbi to warrant state election offices to increase their election skirting measures for the november election. In recent days we have learned from a topsecret nsa report the identity of a Company ProvidingVoter Registration support services in several states with compromise. It is concerning that Election Officials have only are learned about the threats learn leaked, especially given the former dhs secretary repeatedly told my colleagues in a that no specific or Credible Threats existed in the fall of 2016. Its unclear why intelligence agencies would withhold timely and specific threat information from Election Officials. I have confidence that other panelists will address voting risks and scenarios for you today. I want to emphasize systemic safeguards that we have against cyber attackers. Our system is complex and decentralized with a great deal of agility and low levels of connectivity. Even within states much diversity can exist from one locality to the next. This serves as a check of the capabilities of various actors. I want to mention the recent designation of recent systems as infrastructure. Real issues exist including a lack of clear parameters are on the order which currently provides dhs and other federal agencies the large amount of unchecked executive authority over our election process. I know time between august of 16 in january of 17 did we or the members of her have a thorough discussion with dhs on what the designation means. Pressuring has been touted as a key justification for the designation, yet, nearly six months later know secretary of state is authorized to receive classified threat information from our intelligence agencies. From information gaps to knowledge gaps that are not been addressed, this process threatens to erode confidence in the process as much as any foreign cyber threat. Its shredded the right states hold to determine their own procedures subject to the act of congress. If the designation ultimately reduces diversity and autonomy in our voting process, the potential for adverse effects from perceived or real Cyber Attacks will likely be much greater and not the other way around. Looking ahead, the National Association and the task force was created to ensure that state Election Officials are working together to combat threats and foster effective partnerships with the federal government and other publicprivate stakeholders. In guarding against Cyber Threats the trend line is positive. Most notably ministates are looking to replace or upgrade their voting equipment. If i have one major request through today other than rescinding the Critical Infrastructure designation for elections, is to help Election Officials get access to classified information sharing. We need this information to defend state election from foreign interference respond to threats. Thank you, i look forward to answering your question. Think his secretary lawson. Thank you, good morning. Chairman and committee members, on behalf of the National Association of directors thank you for this opportunity to share what states learn from 2016 elections and steps we are taking to further secure our election system. I serve as the wisconsin chief election official, i am a member of the nasa executive board. We do not have state elected official who oversees elections in wisconsin. Many of our state election directors are housed in the secretary of states office, but some are not. The 2016 president ial election ring for several basic lessons, although sometimes in a new context. For instance, although of us understand the importance of constant and Effective Communication to ensure that all actors have the tools they need. In 2016 it about communicating about the security of election systems with the department of Homeland Security as well as the staff that provide Cyber Security protection tour Voter Registration databases. As we for this morning, some states have expressed concerns about the timeliness of the details in communications from Homeland Security regarding potential threats and security threats to state election systems. The recent reports about attempted attacks which occur less well cut ministates by surprise. We look forward to working with dhs and other federal officials to develop protocols and expectations for communicating similar permission going forward. For example, state Election Officials believe it is important that we be in the loop regarding contacts that dhs has with local Election Officials regarding security threats such as the spearfishing attempts that were recently publicized. We should be able to provide additional training and guidance to local Election Officials. Appreciate the concern that was expressed this morning that this was a twoway street. We at the state level needs also think carefully about how to most effectively communicate with local officials if and when there is an incident that we are aware of at the state level. As part of the dhs election system with Critical Infrastructure and protecting confidential information. They believe those corn anybodys should consist of a broad representation of stakeholders and weve expressed strong interest to dhs and participated in those bodies. I note the executive board supports the request of the u. S. Election serves as a specific agency as a logical federal agency to partner with dhs to provide subject matter expertise and assistance in communicating with local Election Officials as they have the communication structure already in place. The 2016 election also reinforce the need for constantly enhancing the security of Voter Registration databases as weve heard this morning. While hacking has no effect on tabulating Election Results, intrusions could result in on authorized parties getting access to data regarding voters, candidates, and polling places. I would note that while that information is public upon request, there may be some confidential data held in those databases such as the voters data birth, the drivers license number in the last four digits of a Social Security number. Different states have different laws about what pieces confidential. The 2016 election demonstrated that state and local Election Officials can implement steps to improve the security of voter data in many of these steps are not complicated. In addition to the cyber hygiene scams states are implementing greater use of for users of our systems, updating firewalls, the use of white list to block unauthorized users and completely blocking access to any ip address. The final lesson i would like to address relates to voting equipment, to be clear as it has been said this morning theres no evidence of Voting Machines are Election Results have been altered in u. S. Elections. I appreciate the committees emphasis on that. I dont think that can be stated enough and strongly enough. So we must exercise vigilance to ensure such theoretical attacks do not become reality. We must educate the public about safeguards system. The safeguard include the decentralized structure of elections that weve heard about this morning the diversity of voting equipment. Also the most cases voting equipment is not connected to the internet and therefore cannot be attacked or cyberspace. Also its important to keep in mind that three out of four ballots cast paper ballots. Most ballots are cast on touchscreen equipment also have a paper trail that voters can verify their votes and Election Officials can use for audits and recounts. There several redundancies and its important to realize voting equipment is not only used in election date, the functionality is tested several times during the process. In short, the election taught us the potential for disrupting the process by foreign or domestic actors is a serious and increasing concern. However we believe that continued cooperation the more Effective Communication along with continued vigilance will ensure the integrity of our voting processes and Election Results. We look forward to working with their federal partners as we planned for elections going forward. Thank you for the opportunity to share these thoughts. Good morning, thank you chairman Burr Westerman worn and distinguished members of the committee. As the director i would like to briefly describe an agency does, we are an independent bipartisan agency created by the illinois constitution charged with general supervision over the election and registration laws in the state of illinois. As he seemed to be aware almost one year ago today on june 23 the Illinois State board of elections was a victim of a malicious cyber attack of unknown origin against the illinois system database. Because of the initial lowvolume nature of the attack, the state board of election staff to not become aware of it at first. Almost three weeks later on julf election it staff was made aware of performance issues with the database server. The usage had spiked 100 with no explanation. The analysis revealed the heavy load was a result of rapidly repeated database queries on the application status page of our voter website. Additionally they show that the queries were malicious in nature, it was a form of cyber attack known as sq r, sq r injections are on authorized malicious database queries entered into a data field. We later determine they originally from several form based ip addresses. As programmers introduce code changes to eliminate this vulnerability the following day, july 13 they made the decision to take the website and iv rs offline to investigate the severity of the attacks. Spe staff made the ability to log in you all attempts. They continued though it was blocked at the firewall level. Firewall monitoring indicated the attackers were hitting the ip addresses five times per second 24 hours per day. These attacks continued until august 12 when they abruptly ceased. Theyre working to determine the extent of the breach and introducing security enhancements to the iv rs web servers and database. A week later on july 19, we notified the illinois General Assembly of the Security Breach in accordance with the personal information protection act. In addition we notified the Attorney Generals Office. On july 2 july 2021st, they comd security enhancements and begin to bring the ivr system online. A week after that point illinois Registration System and the paperless voting application became fully functional again. Since the attack occurred the state board of election has maintained the following ongoing activities. The dhs scams this for vulnerabilities on a weekly basis, the Illinois Department of innovation and technology which is a state right entity that coordinates cat systems of many of the illinois agencies monitors activity on the network which is the general network that provides firewall protection for the state Computer Systems. That affirmative innovation and technology provided Cyber SecurityAwareness Training for all state of illinois employees. The state board of it staff in addition Virus Protection Software is downloaded also on a daily basis. As a result of the Illinois Attorney Generals Office of the breach the state board of elections was contacted by the fbi, we have fully cooperated with the fbi in their ongoing investigation. The fbi advised that we work with the department of Homeland SecurityUnited States computer he Readiness Team to ensure there is no ongoing malicious activity on any of the systems. They confirmed that there is no ongoing malicious activity occurring in spe Computer Systems. To comply with personal information act newly 76000 registered voters were contacted as potential victims of the data breach. They provided information on steps to take if they were the victims of identity theft. Additionally they developed an online tool for effective individuals with specific information in their voter record that they had been compromised. As far as looking for future concerns, one of the concerns facing our state many others is aging equipment. The help america vote or act establish requirements while initial funding was made available to replace seal punchcard equipment. Additional funding has not been further appropriated. If additional funding is not available we would like to receive authorization to receive the states existing funds to allow spending and enhance security across systems. The ivr estate a base is a federal mandate. Cyber attacks targeting endusers are concerned. The funding entities such as eac or dhs would also be beneficial in our view. In addition to guidance and recommendation from cyber intrusions are always welcome. Thank you for the time. Im happy to answer any questions. Thank you. Chairman advised german worn, thank you for inviting me to speak with you today about the security of u. S. Elections. Im a professor of Computer Science and have spent the last ten years studying the electronic Voting Systems that are nation relies on. My conclusion from that work is that our highly computerized election infrastructure is vulnerable to sabotage uneven to Cyber Attacks that could change modes. These realities risk making our Election Results were difficult for the American People to trust. I know the Voting Machines are vulnerable to my colleagues and i have hacked them, repeatedly as part of a decade of research studying technology that operates elections in learning how to make it stronger. Weve created attacks that can spread from machine to machine and silently change outcomes. Weve studied optical scan systems and in every case we found ways for attackers to sabotage machines is still votes. These capabilities are within reach for americas enemies. As you know, states choose their own Voting Technology and while some are doing well with security, others are vulnerable. This puts the entire nation at risk. In close elections an attacker can probe the most important swing states or counties, find areas with the weakest protection and strike there. In a close Election Year changing a few votes and key localities could be enough to tip national results. The key lesson for 2016 is that these threats are real. Weve heard russian efforts to target Voter Registration system struck 21 states and weve seen reports detailing efforts from an attack from intellect and technology vendor, attacking vendors and municipalities cooper rush in a position to sabotage equipment on election day. Cussing to fail and causing long lines or disruption. They couldve engineered the chaos to have a partisan effect by striking cases that lean heavily towards one candidate. Some say the fact that they are not directly connected to the internet make some secure but that is not true. Forty machine are not as distant from the internet as they may seem. Before every election after be programs with races and candidates. That programming is created on a desk top computer and transferred to Voting Machines. If russia infiltrated these, couldve spread a vote stealing attack to many machines. I dont know how for they got or whether they managed interfere with equipment on election day. There is no doubt that russia has the technical ability to commit widespread attacks against our Voting System is rather hostile nations. I agree with james comey when he warned that we know theyre coming after america and ill be back. We must start preparing now. Fortunately theres a broad consensus among Cyber Security experts about measures that would make the infrastructure much harder to attack. Ive cosigned a letter that i ventured into the record from over a hundred leading experts and officials that recommend three steps, first we need to upgrade obsolete and vulnerable Voting Machines such as paperless touchscreens and replace them with scanners that come paper ballots. This is a technology that 36 states already use. It provides a physical record of the vote that cannot be hacked. President trump made this point on fox news the morning of the election, he said there something nice about the old paper ballot system, you dont worry about hacking. Second, we need to use the paper to make sure the computer results are right. This is a common sense quality control. Should be routine. Using whats new known as a risk limiting audit officials can check a sample of the ballot to quickly and affordably provide insurance that the outcome was correct. Only two states currently conduct audits robust enough to conduct Cyber Attacks. We need to harden our systems against sabotage and raise the bar against attacks by conducting thread assessments and providing best practices to voting equipment and elections. These are affordable fixes. Replacing sick cure paper machines would cost 130 130 140 million. The cost less than 20 million a year, theyre banishing really small compared to the National Security improvement they buy. Stay local Election Officials have been difficult job even without having to worry about Cyber Attacks. But the federal government can make investments to help them secure elections in a poll voter confidence. We all want Election Results that we can trust. If Congress Works with the state we can upgrade this in time for 2018 and 2020. If we fail to act its only a matter of time before a major election is disruptive or stolen. Thank you for the opportunity to testify in for your leadership on this critical matter. I look for to answering questions. Thank you. The chair will recognize itself for five minutes. Members will be recognized by seniority. How many states is a secretary of state in charge of what the election process . 40. Would you be specific, what to the secretary of states, what is it they do not like about elections being designated Critical Infrastructure . Most important issues there have been no clear parameters to an even after the three calls we had with secretary jay johnson before the designation was made we consistently asked for what would be different if the designation was made and how we would communicate. So nothing has negatively happen except that you dont have the guidance to know what to do. Nothing has negatively happen to the state, but also nothing positive has happened. Illinois one of the few states that a publicly been identified i guess thats in part because you took the initiative to do it, you gave a good chronology, 23 june and 12 of july, the state it staff took action and 12 of august in the attack stop. At what point was the state of illinois contacted by any federal entity about their system having been attacked or was of the state of illinois that contacted the federal government . We are contacted by the fbi. I dont have the exact date. It was after we had refer the matter to the Attorney Generals Office. My guess would be probably a week after. A week after the age he was notified by us of this brief. In the age he was notified approximately one . July 19 and will point to the state of illinois know that it was the russians . Actually, to this day we dont know with certainty that it was the russians. We have never been told by any official entity the only one were world that was investigating was the fbi and and they have not told us definitively it was the russian. Our it staff was able to identify seven ip addresses from a foreign location, i believe in the netherlands. That doesnt mean the attack originated there,. Did you have some initial assessments of their own . No, because anything of that nature would have been speculative. We did not want to do that. We wanted to leave that to the professional investigators. Give us an update on what you currently doing to enhance the security of dhs weekly security checks, has the federal government responded appropriately . I believe they have. Ive heard nothing from our it division when they would be the persons that would know. Ive heard nothing from them that dhs is working that its been less of than satisfactory. Do you believe the extent of Cyber Threats to election systems should be made public before their next election cycle . Should we identify those states that we targeted . I think we are certainly sensitive to the balance that Homeland Security and others need to make. As far as we have gone, we want to know as the potential victims and then i think its part of the coordinating council undesignated Critical Infrastructure there has to be a conversation. Is their right of the public in your state to know . I believe so. If there is a hacking tour system i think we would certainly want to consult our statutes and so forth. We believe in transparency. I think the public needs details about the attacks about the vulnerabilities of the system to make informed decisions about how we can make the system better and provide the resource Election Officials need. Will onward about Public Confidence in our election system. I think we need to balance the information. Worst weeks do is make people believe that their vote doesnt count. To telling the public that these attacks are out there and our systems are vulnerable and it doesnt undermine confidence it makes them know were doing what we can to stop the attacks id be in favor. I take for granted none of you at the table have evidence that vote tallies were altered . Correct. Before recognize the vicechairman, when you and your colleagues hacked election systems did you get caught . We can hacked them as part of academic research. Did you get caught . Did they see her intrusion into their systems. The one instance when i was invited to hack a real Voting System all people were watching was in washington d. C. In 2010. In that incidence it took less than 48 hours for us to change all the votes and we were not caught. I like to think the witnesses for their testimony. I find a little study here is her if you saw the preceding panel you had the dhs and fbi unambiguously say it was the russians who hacked into the 21 systems and i find it strange they have not relayed that information to you. What we discovered in the earlier testimony as we finally got 21 states were capped and we found that even though those 21 states were hacked into her whatever analogy you want to use, many cases the state Election Officials were secretary of state may not have been notified. Thats stunning. Clearly local Election Officials where the activities take place have not been notified. I was serious question that i would one a brief response. Can you just restate, you dont need to disrupt a whole system, you could disrupt a single jurisdiction in the state and white that ledger clean you could invalidate potentially notch is that local election, but the results of the state and the congressional level in the nation, is that not correct . Thats correct. I believe in essentially system, we are only as strong as our weakest link. That is correct. Do you believe all 21 states that were attacked that the state Election Officials are aware . I cant answer that sir. Im not certain. I can tell you indiana has not been notified, dont even know for in the list. I dont know for sure except he adjusted indicate in a teleconference at all of the states that were attacked have been notified. Were told earlier thats not the case, that the vendors may have been notified. To know if wisconsin was attacked. Are either one of you comfortable with not having that knowledge . Were hypersensitive about our security. I would say when the fbi said the noticed in september for students to look richard ip addresses to see if their system had been penetrated, we absolutely searched we looked at 15,500,000 logins that had happened since the first of january that year. We believe our system has not been hacked. I will also state that both our office and the chief Information Officer of the state in his office would likely be shocked. So you have to officials not knowing if their state was one of the 21. Let me finish place. I understand the balance. But the notion that state Election Officials wouldnt know, that local Election Officials clearly have not been notified, i appreciate the chairmans offer and we will write a letter to all the states if you view yourself as victims i think there is a public obligation to disclose, not to relitigate 2016 but to make sure that were prepared for 2017 and 2018. There are some in the political system that believes this is a witchhunt. I could very easily say some local Officials Say this is not a problem, i dont need to tighten it by security procedures at all. I hope when we received the letter from that you would urge your colleagues to come forward, not to embarrass any state but i find it totally unacceptable that the public doesnt know local Election Officials dont know that you as the leaders of the state Election Officials dont even know whether your states part of the 21 that has been testified by the dhs the lease they were if not looked at or were actual information were actual border. I hope youll work with us on a cooperative basis and that you get the classified briefings you deserve. Thank you very much. July 12 is the date you first discovered he had issues is that right . Correct. And that was a result of a highvolume spike, zach request mark. Yes the when you looked at it you found out that the intrusion started june 23, correct . Yes on those were lowvolume spikes on june 23. Survey another cranked up the volume is it fair to say that you wouldnt have never discovered it probably would have . I would say probably not have been discovered certainly not right away. The volume is low enough even the analysis of our server logs might not catch Something Like that because it would not stand out. I think the answer to the question is, yes. Then he said seven days later on the 19th you notified the attorney general that right . Correct think that was illinois attorney general not the u. S. Attorney general, correct . Yes. So then you are contacted by the fbi. Yes. Im just trying to get an understanding of the facts, you assuming the illinois ag contacted the fbi or do you know that are not know that . I dont know for sure. I would suspect they probably did because how else with the fbi know . Thats where i was getting, that was not the result of some federal analysis or federal analysis of the set turned up what had actually happened is that of her statement. Yes. You then did some things to try to mitigate what it happened. Have we shared this with other states as to what you had done in order to develop a best practices if you would . We did not have any formal notification to all 50 states, no. I think a focus at the time was trying to repair the damage and assess what need to be done to have the information access. Was happy i became aware of the site know they keep contacted different states and i dont believe our Attorney Generals Office did but im not certain. We didnt have formal medication with all 50 states regarding this. Do you believe you have developed a best practices action after this attack that you describe . Yes. To think it would be appropriate for you to get that out through the secretary of state organization or other organizations other states could have that . Certainly. Your hacking that you describe force, if youre sitting in russia right now i wanted to do the same thing that you had done, but that ability have been dependent upon the machines or whatever system was use being connected to the internet . That ability would depend on whether pieces of election it equipment, it offices where the election programming is prepared are connected to the internet, the machines themselves to not have to be directly connected to the internet for a remote attacker to target them. So would you recommend that the system be disconnected from the internet and be a standalone system that can be accessed from the outside. Its a best practice relate to eyesight for tabulation, including isolating the systems use to program it. But other systems of infrastructure critical such as electronic books or online Registration Systems do sometimes need to be connected to internet systems that have internet access. I am concerned manipulating Voter Registration database could be used to try to sabotage the election process on election day. If voters are removed from the database or if they show up on election day that could cause problems or if they are added to the database that could be used to conduct further attacks. Diatribe to get my arms around contractors and subcontractors a and vendors and the ids in a ballpark how many ideas how many people there are . Im sorry i dont have a number. I dont have any exact number either bet we have six different Voting System types. So somebody is doing certification with the contractors a and subcontractors and the equipment vendors. Sova states will have day mechanism to certified those tabulations to make sure they qualify for federal or state law. You have a high degree of confidence that the certification process is not leaving this other world and others will verbal . I had to have concerns that some states do not require certification to the federal standards and those that we have are long overdue with an update so that certification of process doesnt necessarily cover all of the actors involved in with those day today. The number of my colleagues are supportive thus the so in effect i was the countrys first and a fitted senator in 1986 we have a paper trail and to correct those Voter Registration problems and there are any citizen that the key element to try to get on top of this . Because with a paper trail if you want to send a message to those theyre putting at risk the electoral system the paper trail is fundamental i think you are nodding affirmatively but so would be their view like to take cattle and . Said to have significant cybersecurity benefits from an office in moscow weather vote by a male is appropriate or if it is a matter for the states it offers positive security benefits. So on the last question how do you count the ballots . Generally by using optical scanners. See you count them the same way that you count the ballots . If the optical skean ballots are audited you can. That is a different question so do prefer paper ballots in the audit trail but do not assume of vote by mail are counted any differently but probably in a more Central Location but that does not mean all of the manipulation the you talk about would not happen in the vote by mail election to go back with a paper trail to count. Correct with paper and auditing so while i have you there how would you audit the non paper system to mention in colorado and manchin in mexico if that is what the states want to do howdy do that non paper audit . That would be impossible with that technology we use in the United States. So if you dont have something to audit it is pretty hard. It is basically impossible. So do you certify those county systems in illinois . Yes we do. Secretary . Yes, sir,. In your jurisdiction . Somebody does so with that commission with the testing protocol. Back in illinois a do you monitor . No actual accounting done on election day is from the county Clerks Office recertified of boating equipment to apply for certification or approval through a rigorous test but in actual practice to conduct preelection test on a random basis but it is a limited number. So that allow issue from the Central Office to get into the local system we go to the local jurisdiction or how they checked the accounting system. Actually visit us jurisdiction. It is similar but the counties are reacquired some of his public eric required to test on the machine. So the point that i want to drive home is not opening that door if you dont have a door nobody can get through as well so i dont suggest itll the doctors comments are not important of was an election official for 20 years and the chief for eight of those industry were transitioning to the system look a possibly be done undetected one of the reasons i like to the audit trail is you do have something to go back to determine what happened on election day purpose of talk just a moment the registration in system. With 15200500 longdens. Those 92 county clerks are connected to the statewide Voter Registration system. 15 million . 15,000,005 and a thousand thats has people coming in and out of the system with the local jurisdictions and to have counties they can put those directly into the system . But we do have indiana voters. Com so that is compared to where the countys find that information so the next day have the ability to determine if the application is correct. Does that have provisionals voting is there a way they could cast the ballot . Yes. Darr provisional but they are very limited also election day registration so people can register at the polls. So the failure to have your name i understand, the Registration System is much more open that doesnt mean it doesnt need to be further protected but the idea somebody gets into the Registration System there are plenty of ways to do that and others may do that as well. You are pretty good by your testimony. The russians have the resources that capabilities would significantly exceeds mine. I suspected that was your answer but that is an important point because testified today you could pack into a voting machine in 48 hours to change the results and nobody had known the you had done it so the point is if you could do it then so could the russians if they chose. Solyndra standing at some point in the process is linked with configuring of Voting Machines. So there is no connection between the registration list in the voting machine . No. No. Thats correct. I was mistaken. It depends 90 specific requirements. If you testified that voting registration is tampered on election day would be chaos is that correct . The person that showed up at the polls to vote thought they would be given a provisional ballot the danger is the winds would increase significantly if there was a large number who had to do that with each precinct. That is what i was referring to. On august 1st there was the fbi notification to all field offices supposedly those were passed on. Did you get something from the fbi a around August August 1st with warnings of what should be done . Yes. We did receive the fbi flash that was the date. Yes. So there issam interconnection so what i am hearing and appreciative of and happy that you do receive the notice but there seems to be a lack of information sharing so we really need to know if something happens in illinois a system to alert your colleagues across the country to look out and if we learn things in washington that the fbi could alert people around the country because the best time to deal with this is before the election but after or on election day is much more difficult. So the paper trail has come up is that the principal defense . What was it you tell my elections clerk or my secretary of state against the threat we know is coming . The most important thing is to make sure we have the paper ballots that cannot be changed in a cyberattacked so generally increasing severs security information sharing as is the firewall system. Is it possible of the cyberattacks on the vendors to temper with the machines before they go out to . I would be concerned about that added is not as much as they may appear so that could be a way to reach the voting equipment over a larger area. This is so important for our democracy. So there is the saying that the difference of being hacked or not being attacked so i appreciate the recommendations it seems to cover those various elements to protect ourselves does a country with prevention and also resilience so lets have the ability to stand up as quickly as possible. So you have received a notification . Yes maam. Were any a view also notified by a vhs the a chess. We have but i dont recall how they were initiated but they do know there were Conference Calls through the fbi. We did have conversations with department of Homeland Security it was not a direct contact with the state. We did have a number of communications the fbi had specific but had more general steps that were specific. So to the nature of those conversations if we compare that it would be helpful to you in the future so hopefully they are not necessary. Secretary can you tell me what requires the states to report to the federal government . What is the policy that would require that . So the department of Homeland Security to make sure the reconnaissance is done after such an attack it is more sophisticated than randy it attack socalled indiana did not take the opportunity because we felt we were in better shape than what they could provide for us. Professor can you tell me before this last election cycle there was talk of the various states i am sure your part of those discussions of the efficacy of online voting and now we can see the vulnerability is so talking in terms of policy so has the day passed i think online voting unfortunately is a bullseye on election system and todays technology for the online election you would need and they say that myself having hampton online Voting System with those liabilities it issues in other countries. That is the irony to always believe that we need to adopt technology so with an emphasis on that technology. So can you tell me that it is maya distending that they require the states to present or inhibit security testing . With those attempts to study those elections systems in the past. So i know the answer to that question. Host experience with your vendors . And dont think illinois law would allow such an agreement. I dont think that what happened in indiana either because in order to sell voting equipment and passed to be certified which require testing. So now i will wrap up. Thanks for your testimony today will encourage yogh as the next representative to remain engaged with the federal government specifically the department of homelands security so with any transition with a handoff and a ramp up. I am extremely impressed and to take the bull by the horns so to be that interaction to control the voting process so that federal guidance and collaboration that works comfortably with every secretary of state is absolutely critical we have nattily a collaboration but a communication is a relates to the Voting System. To nationalized that is not the answer but one great example is the state that focuses on infrastructure. Into now wait for the federal government to knock on the door in to be mediated at some point to come in as a partner that is the greatest strength to work with those. I think what you did it is important than the questions you raised to impact what you try to do is very excited. So to intrude in that democracy with that and know how many counties you have but but every county can show what Voting Machines short of trying to standardize its how to recreate that mechanism and to understand the front with the integrity to do what it was intended to do. So if we dont have cooperation or collaboration i will assure you we will be here with another Congress Asking the same questions and then to new collectively approach this with that accuracy in the vote totals. Thanks for being here in the second panel. Recharger and. [inaudible conversations] [inaudible conversations]. [inaudible conversations] tonight on cspan2, a house hearing on Health Care Programs for the needy. Then a discussion with two members of the house on their plan to provote vocational training. And interior secretary testifies at a Senate Hearing on his departments annual budget. Funding for the Childrens Health insurance program, or chip, is set to expire at the end of september. A house hearing looked into the extending it and other Health Care Programs. You will hear testimony from state and federal health care officials. Congressman Michael Burgess chairs the house