Space with overseas the strategy and operations foror global team with over 6000 employees. His teams are responsible for delivering cybersecurity solutions, Global Training and logistics, and productg support services in support of Critical Missions for government agencies, businesses and nations. Within is chris, the Vice President of System Security and the chief Information Security officer at election systems and software, the largest provider of Election Technology in the u. S. He is here with us all the improvements being made to Election Security to ensure secure, accurate, and auditable elections. Matthew masters and currently serves as senior senior cyber t advisor at the department of Homeland Security when he focuses on Election Security issues. He bravely serve as a commission at the Election Assistance Commission from december 2014 until march 2018, including serving as the commissions chairman in 20172018. Trevor has served as the colorado secretary of state as chief Information Officer since 2007 after eight years as deputy cio and director of software development. Thank you very much for this panel. Thank you very much to each of you for listening, and now i will turn it over to john. John . Thanks, tom. Im very excited to be here with this distinguished panel and moderate is very important topic for our country today. I would like to dive right into it and i like to get the first question out to matt. Matt is a deep expert in the area. Id like you to set the stage forer us. The very heart of our democratic process depends on citizens trusting the result of these elections. My company understands the complex systems system with the correct use of encryption, Key Management audit trails and sohe forth. That gives system owners confidence in the outcome. For many ways elections represent a case study with the inco having confidence that votes cast authentic encounter. With 55 days left, can you talk about how the government is addressing the needs of these election systems of systems . Absolutely, john, and thank you for moderating this panel and opportunity on it. For us at Cybersecurity Infrastructure security agency, our focus is on supporting the over 8008 and state and local officials that a we have running elections across this country in the private sector. That were canceled had with them. To manage elections. System assistant is a perfect way to describe the election ecosystem. The reality is that in many counties the Election Office is a largest i. T. Operation as far as number facets. You Voter Registration systems can election reporting systems, theres so many pieces of infrastructure that exists at the state level and so for us at cisa our focus is on one, making sure that access to time and actionable information and intelligence to manage risk to the systems. These are largely resource challenge district matches my life but i. T. Wise. They dont always have fulltime i. T. Employees and in many cases they are reliant on third parties to provide that i. T. Support. Giving time i chill information out to understandti the risk to the system is critically important to the second step is providing support and services that we do everything from cyber hygiene scans which is scanning the outward facing networks to penetration test, Phishing Campaign assessment to tabletop exercises to architecture reviews, all with an eye towards meeting them where they are, where their level of maturity and complexity exists and providing them tangible steps they could take to shore up their systems and build resilience, and she said. Its not just about the fence. Certainly that is big part of this but we recognize incidents cant and will happen and so how do they recover. The nice part for us with with election to metered his Election Officials are natural risk managers. They spent almost all of their time asking themselves what could go wrong, how do i prepare for that come out of response of the powder talk to my voters about why the process comes integrity and security of the process remains intact. Thats been a natural conversation for us to have. Recently there was an article about i meteor or asteroid blasting close to earth around election day. Some county electionos officials updating the Response Plan on how to respond to that because thats the wayay they think. And so us its been an engagement around embracing that tendency, that characteristic election first to say how to secure the systems. To your point about resilience, as we look at 2020 versus 2016, in 2016 approximately 85 85 f votes cast had an auditable record. In 21 you look at 92 of votes cast by that auditable record and is critical not just to the security of the process but to what you talk about which is the assurance level. Now what we need to focus on is how do we effectively officially audit those records and how do we do transparently so the public can have confidence in the votes cast. Thats the starting point for us in working with the state and local officials. Thank you. Trevor, as a cio for state of colorado give unique system. You are one of five states were almost all voters vote by mail. Yet you have electronic pulse for those who vote in person. You were in e the trench and elections occur at the state local level. How do you manage voter authentication in colorado in the face of early concerns of voter integrity in the election process and avoid fraud perception of font which is just as bad . Absolutely, great question. Thanks john in and tom for havg thisis panel. It really starts at the front. There are three phases of elections. There is preparing for elections which means you are making sure voters are registered. Citizens know they can be registered in the big part of that is getting the word out. Most states today have online ways of voters to check the registration and to register if you happen tore not be register. Or to update their address if they need to do so. And today we seen a lot of states also providing ways for voters to indicate that the want to receive a male outcome and absentee ballot in some states. Colorado is onene of the states where we mail out to every act of voter and so it will appear in the mailbox a few weeks before election and then they can sit at the table and mark it with the pen can verify their choices. We have a way they can even reach out to us and request a replacement ballot. If theyre sufficient time before election day we will mail that to them. The recent notice on the postal system and reliant on the postal system for mail ballots is kind of interesting. What i have seen is that some of the media reporting itsso about how long it takes for a ballot to do a roundtrip. The potential discrepancies in state laws and state regulations for some too request a mail ballot way too close to election day. We try to avoid that in colorado. Thats how our state law is geared but we do think that ability to request a mail ballot to update your registration, thats the first part of it is making sure the voters know theres an election coming up, where they can vote, how they can get about whether it is mail or they can go and vote in person and how to make sure their information is accurate. The accuracy of the systems we think that helps support confidence of the voters in the entire process. The resiliency. And that helps support the confidence of voters. Many states have her leave Holding Periods whether mail or on election day walking in and voting on election day, thats the second stage and afterward, its the results reporting. You know . We will see Election Night results, but many ballots will not be in the hand of the elected officials or have been counted, you know, by tuesday at 7 p. M. You know, the laws in various states, they differ. You know, whether its a post mark thats required by tuesday, election day or actually have to be in the hands of the elected official. The post election process this year is going to be one of the areas where one of the times where people are going to express concern so one of the things that Election Officials are talking about a lot is setting the expectations of the voters, of the media so they can be prepared that were probably not going to know on tuesday at 7 p. M. We probably are not going to know tuesday in the middle of the night. You know, so we need to make sure that the expectations are set at the right level for this election. So can you talk a little more about, when you think about data integrity and the validation and verification, in election polling system versus the mailin of your thoughts. And a little about every state is different and dont want you to talk about another state, but give a view of colorado and how that may differ from state to state . Sure, sure. I think the process is largely similar in every state. When someone registers to vote they may register filling out a mailin Voter Registration form. When they show up to vote in person or request a mailin battle they have to show i. D. Its a federal law and states can have some efficient to verify who you are who you say you are. And its the authentication and authorization, you are who you say you are by showing some i. D. And authorized to vote a particular ballot. That is, you live there, right . Because depending where you live in a state youll have a different state senator, a different state representative, different mayor, that sort of thing. So its the authorization to make sure they know who you are. Thats how they make sure this that they get the right ballot in front of you. It starts there. Today. That information is validated by human beings. I mean, i do think at some point in the future there may be a point where we could leverage some Electronic Technology to validate identity. The reality today, the systems in use, you know, those people that are showing up to vote requesting mailin ballots and walking in to vote in person, their identity is verified by a human being. So, chris, as a for the largest Voting Machines in the United States and you have a unique understanding to underpin at a technical level. What is the biggest challenge to voting machine security and how do you mitigate those risks . Sure, thanks for the question and thanks for being inviting me to be a part of the panel. Voting machine security has evolved over the last 20, 30 years, you can remember, if youre old like me shall the lever machines where you would make selections or paper, move levers and then pull down a big lever to indicate your choices. After the 2000 election when the bill was passed, there was an influx of money to and a lot of Technology Providers building electronic Voting Machines so that you didnt have People Holding up punch cards trying to determine voter intent. The electronics at the time captured voter intent, but those machines did not provide a paper trail and in the last 15 years, Election Technology providers moved forward to provide a paper trail, auditable level to make sure voters can check their input to the Electronic Device before its scanned and counted. Each of those generations of Election Technology had their own security issues. Today our industry under the leadership of the Election Infrastructure Subsector Coordinating Council eisdc have come together and tried to move the ball forward when it comes to Election Security. Were sharing best practices and meeting with sissa, two, three times a month talking about the risks to Election Technology and making sure we do all we can to ensure that the technology that a voter interacts with in the polling place is secure, that the counting machines whether theyre in the precinct or Election Central are secure and then the results reported are secure. Thats the first part. The second part is the research and developments, the design, the requirements that go into building a voting machine. We collect those requirements from state and local Election Officials who know their voters best, who know their jurisdictions best and ask the Technology Providers to design sims that meet those needs and go through a verification process overseen by Elections Commission and the test lab to make sure that each piece of technology thats in the field. Meets or exceeds the standards by which the eac has set forth and the voting Systems Test Lab tests again. And then there are a number of additional number of states that do additional security testing. Over and above whatever the federal requirements are. So, the Election Technology providers in our industry are working with all of those stakeholders to make sure that the technology and use today in the polling place, in the Election Office, and in the reporting of results, from start to finish, have the latest and greatest security built in for compensating controls, for issues that or situations that may have not allowed for the inclusion of a patch or a control when the system was served by. So we work very hard to understand the risks to our voting environment, we work with state and local Election Officials to get patches and updates out there, and then, the proof is in the pudding. And in the days leading up to elections, election day, jurisdictions, some jurisdictions are counting absentee ballots and overseas ballots. Others are waiting until election day, but our industry as a whole is right there, shoulder to shoulder with Election Officials making sure that votes are counted as cast and that the results can be trustworthy. Great, thank you. Well, ill throw it out to the group and whoever wants to jump in first. Im interested in understanding what keeps you guys up at night and then what help you would need from either industry or the government to address the concerns that are keeping you guys up. So, whoever would like to jump in first. Ill jump in. Go for it, trevor, go. You know, the confidence of voters in the process. Its really i mean, this is what actually happened in 2016 is that there were a lot of assaults on the confidence of voters in their fellow citizens, in the process and whether the votes were going to be counted accurateliment there were attempts to influence Public Opinion and just sew division, americans against americans, and thats one of those things, its not really a Cyber Security issue, but it influences the entire environment that we work in. Now, i mean, im a technologist, ive done, you know, i. T. Work for a long time. Cyber security is table stakes. Cyber security was table stakes years ago. I dont mean at all to diminish the, you know, the great work that sissa is providing, that the industry side gives to us, with chris and his companies and others involved. I dont mean to diminish the risk of Cyber Security because if you have web accessible machine, it needs to be secure, you need to be monitoring it, it seeds to be scanned, you need to regularly be pin testing it, patching it. But those are standard things for anyone that does anything on the internet. We work in a different environment where theres this huge aura of Public Opinion and Public Confidence that we have to work against. And i tell you, if People Choose not to vote because they dont think the process is trustworthy, then the bad guys have won and thats really what it comes down to, we need to do everything we can to show that were actually taking care of these things. Were doing the utmost to make sure the system is resilient. And so, that people can vote with confidence because, you know, thats what its all about. Get out and vote. Yeah, id just add to trevors point exactly. Whats been keeping me up at night this week, it probably changes on a weekly basis, is have we and are we doing everything we can at sisa to support the state and locals, the vast majority of elections in this country are mid to spaul jurisdictions that really are challenged resourcewise, and just need that support to understand where the risks lie, understand what patches do i need in place. How do i segment my networks, you know, implementing multifactor authentication, but its the next step in that. And trevor is right, elections have been securing the process for years, talking about this for years, how do i turn and talk to my voters. Am i giving tohose local officials everything they need. Particularly during the pandemic. Election administration isnt in the conversation nationally how it is ever. In my 13 years ive rarely seen this. How are we sorting through the dynamic environment, the confusion because we know uncertainty is a fertile Development Ground for disinformation. How are we getting clear, concise messaging out to voters about the steps to secure the process, what their options are and how they can engage to be prepared, to be patient and to participate in the process because as trevor said, the best response to all of these attempts to undermine confidence we know is the adversarys goal in 2016. We know is an ongoing goal for multiple actors at this point now. How do we get the information over and over again to voters that they say, okay, i know where i can get what i need to understand. Am i registered. How do i participate . What are results going to look hike like . And the process is secure. The constant messaging. I worry so much were not doing enough to support the state and locals, support the private sector and other trusted, that say weve run at the state and local level. If you have questions engage directly with those to run it and if you have questions, go serve as a poll worker. We need you and its the best way to run the process. Its the hybrid security with info and control the battle space now. Thats critically important. I agree with these guys, john. Sisa has done a great job of categorizing the risk. Expert after expert has said the likelihood of a polling place machine, whether its a marketing device or a scan, its likely those to enact to somehow manipulate unofficial results, its very low. What we are worried about and what we have been working with sisa to focus on is the public facing systems like Voter Registration environments. Electronic poll books. Election night results reporting. Those three areas in our view are because they are public facing, have a very large attack surface in Cyber Security terms. Thats not good. So we have focused a lot of effort on implementing controls in those three areas. Eii stack have pushed out hundreds of albert spencers, theyve signed up thousands of Election Officials to threat sharing information channels, we also participate in those albert sensors and threat information sharing to make sure that we know what threats are being pushed against the Tech Knowledge so we can react to them. So far so good. Every test say that our tests are good and we cant let our guard down for a minute. Youve probably heard the old addage that actors only need to be right once, and we need to be prepared all the time. And thats where the industry is focused add so the American Public is rest assured they can sleep at night. That the technology that theyre using in the conduct of elections is safe, security, and auditable. Thank you. I think youve mentioned misinformation or disinformation and obviously now it can come in electronic form or physical form with different mailin fraud. Id like to start with you, matt, steps to get information out to the public in order to sort through the attacks coming from them and you mentioned our adversaries and we know that our adversaries are using our social media platforms to kind of conduct some of their operations. What are your thoughts how we can potentially use the media platforms to help integrity in our election, as from an adversary standpoint. For us at sissa, our foe has been building resilience, having trusted conversations, through secretary of state, local Election Officials, mayors, civic groups. Getting the simple messaging out around the process and turn to your sources of information. And go to our official state websites, dont rely on a post on facebook telling you how the process work. And two, understanding how misinformation and disinformation is targeted and spread. We issued something pineapple on pizza product which talks the controversial issue of pineapple on pizza and use it to show how a Disinformation Campaign issue. And obviously, pineapple doesnt belong on pizza and our adversaries win. Read, take a critical eye on something youre about to share, who are the sources and the true sources of information particularly around the election process. Can a state and local election website can be used instead of someone asserting, here is the truth about inperson and absentee battles. And we have regular meeting with the social media companies, all the major platforms to talk about, one, what type of information is out there. Two, how they can leverage the state and local election information on their platforms. Weve seen all of the major platforms take and use state and local u. S. Secretary of state, mike pompeo is prepared to speak about his recent trip to europe, u. S. Global leadership and trip to china at atlantic council. Live coverage on cspan2