b"<html>\n<title> - PROTECTING THE 2016 ELECTIONS FROM CYBER AND VOTING MACHINE ATTACKS</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n\n\n                     PROTECTING THE 2016 ELECTIONS\n                 FROM CYBER AND VOTING MACHINE ATTACKS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                           September 13, 2016\n\n                               __________\n\n                           Serial No. 114-91\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n       Available via the World Wide Web: http://science.house.gov\n\n\n\n\n\n                                  ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n22-560 PDF                     WASHINGTON : 2017 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n\n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nF. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California\n    Wisconsin                        DANIEL LIPINSKI, Illinois\nDANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland\nRANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon\nMICHAEL T. McCAUL, Texas             ERIC SWALWELL, California\nMO BROOKS, Alabama                   ALAN GRAYSON, Florida\nRANDY HULTGREN, Illinois             AMI BERA, California\nBILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut\nTHOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas\nJIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts\nRANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia\nJOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado\nSTEVE KNIGHT, California             PAUL TONKO, New York\nBRIAN BABIN, Texas                   MARK TAKANO, California\nBRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois\nBARBARA COMSTOCK, Virginia\nGARY PALMER, Alabama\nBARRY LOUDERMILK, Georgia\nRALPH LEE ABRAHAM, Louisiana\nDARIN LaHOOD, Illinois\nWARREN DAVIDSON, Ohio\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                           September 13, 2016\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Lamar S. Smith, Chairman, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................     5\n    Written Statement............................................     7\n\nStatement by Representative Eddie Bernice Johnson, Ranking \n  Member, Committee on Science, Space, and Technology, U.S. House \n  of Representatives.............................................     9\n    Written Statement............................................    11\n\n                               Witnesses:\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology\n    Oral Statement...............................................    14\n    Written Statement............................................    17\n\nHon. Tom Schedler, Secretary of State, State of Louisiana\n    Oral Statement...............................................    27\n    Written Statement............................................    29\n\nMr. David Becker, Executive Director, The Center for Election \n  Innovation & Research\n    Oral Statement...............................................    35\n    Written Statement............................................    38\n\nDr. Dan S. Wallach, Professor, Department of Computer Science and \n  Rice Scholar, Baker Institute for Public Policy, Rice \n  University\n    Oral Statement...............................................    42\n    Written Statement............................................    44\n\nDiscussion.......................................................    56\n\n             Appendix I: Answers to Post-Hearing Questions\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology.....    88\n\nHon. Tom Schedler, Secretary of State, State of Louisiana........   107\n\nMr. David Becker, Executive Director, The Center for Election \n  Innovation & Research..........................................   110\n\nDr. Dan S. Wallach, Professor, Department of Computer Science and \n  Rice Scholar, Baker Institute for Public Policy, Rice \n  University.....................................................   113\n\n            Appendix II: Additional Material for the Record\n\nWashington Post article How to hack- and rig-proof U.S. elections   122\n\n \n                     PROTECTING THE 2016 ELECTIONS\n                             FROM CYBER AND\n                         VOTING MACHINE ATTACKS\n\n                              ----------                              \n\n\n                      TUESDAY, SEPTEMBER 13, 2016\n\n                  House of Representatives,\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Committee met, pursuant to call, at 10:11 a.m., in Room \n2318, Rayburn House Office Building, Hon. Lamar Smith [Chairman \nof the Committee] presiding.\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Smith. The Committee on Science, Space, and \nTechnology will come to order. Without objection, the Chair is \nauthorized to declare recesses of the Committee at any time.\n    Welcome to today's hearing entitled ``Protecting the 2016 \nElections from Cyber and Voting Machine Attacks.'' I'll \nrecognize myself for an opening statement and then the Ranking \nMember.\n    We are here today to discuss the subject of election \nsecurity. It's hard to imagine a more bipartisan issue. \nElection security is fundamental to the fairness of elections \nand democracy in the United States. Elections are a key \ncomponent of democracy, and voting is the very essence of what \nPresident Abraham Lincoln meant when he said a government by \nthe people.\n    Voting is the means by which Americans express their \nopinions about their government. It provides Americans with the \nopportunity to affirm policies they like and change what they \ndon't. When our citizens vote, they not only elect their \nleaders, they choose a direction and set priorities for our \nnation. Elections with integrity strengthen democracy. They \nconfer legitimacy and boost public trust in government.\n    Concerns with earlier versions of voting and election \nsystems led to the passage of the 2002 Help America Vote Act. \nThis act requires the National Institute of Standards and \nTechnology, over which we have jurisdiction, to work with the \nElection Assistance Commission on technical, voluntary \nguidelines for voting.\n    Today, we will discuss the current technical voluntary \nguidelines that are in place for States to protect their voting \nand election systems. Though these guidelines are voluntary, I \nhope to hear whether they are sufficient to safeguard our \nelections and whether States effectively use them.\n    This discussion is timely as many concerns have been raised \nin recent months about the vulnerabilities of electronic voting \nmachines, voting over the Internet, and online voter \nregistration. In response to these concerns, our discussion \ntoday will review the security of the election system in its \nentirety. We will examine what guidelines are in place, how we \ncurrently protect systems from potential technical \nvulnerabilities, and what kind of work--including research and \ndevelopment in my home State of Texas--is underway to protect \nfuture voting and election systems.\n    Last year, hackers from China infiltrated the Office of \nPersonnel Management's database and stole confidential records \nand personal information on more than 22 million current and \nformer federal employees, including those involved in our \nnational security effort with the highest security clearances. \nThe attacks on voter registration databases in Illinois and \nArizona are the latest instances of such attacks, this time \nwith alleged ties to Russia. We have yet to take decisive steps \nto defend ourselves and deter attackers.\n    The President says we are more technologically advanced, \nboth offensively and defensively, in cyber warfare than our \nadversaries. So why won't he take the necessary steps to \nprevent cyber attacks on our elections systems by foreign \ngovernments? If we are attacked repeatedly and do nothing, we \nwill have surrendered unilaterally and put at risk our economy, \nour national security, and our very freedoms.\n    This committee has held more than a half-a-dozen hearings \non cybersecurity issues in this Congress. We know it isn't \nenough to respond to cyber attacks with diplomatic protest. We \nare going to hear from witnesses today about how the Federal \nGovernment can help States keep our election systems secure. \nBut the single most important way to protect our election \nsystems, to protect each American's right to vote and be heard, \nis for this Administration--and for the next Administration--to \ntake decisive steps to deter and, if necessary, sanction \nforeign governments that attack us in cyber space.\n    [The prepared statement of Chairman Smith follows:]\n    \n  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n  \n     \n    Chairman Smith. That concludes my opening statement, and \nthe Ranking Member, the gentlewoman from Texas, Eddie Bernice \nJohnson, is recognized for hers.\n    Ms. Johnson. Thank you, Mr. Chairman, and good morning.\n    Ensuring that our elections are fair, accurate, and freely \naccessible to all American citizens is fundamental to our \ndemocracy. Every instance of malfunctioning voting technology \nand without question every cyber attack on our election system \nis significant. And all efforts to improve voting security, \nreliability, privacy, and access are welcome and important.\n    I am confident by the testimony of today's experts and many \nothers that we are in a much better place today than we were 10 \nor 15 years ago. I'm deeply concerned, however, by some of the \nrhetoric in recent weeks that seems to--seems intended to erode \npublic confidence in our election system. Prominent voices have \nsuggested that the U.S. election system is riddled with fraud \nand somehow rigged. Those conspirator allegations, like many \nothers, that have been floated in the public sphere this \nelection cycle are not supported by actual facts, and they \nthreaten the election process we have relied upon for more than \n2 centuries.\n    I'm eager to hear from the distinguished panel today about \nthe challenges of securing our election system in the digital \nage and what actions have been taken at the federal, state, and \nlocal levels to strengthen cybersecurity. However, given the \nreckless rhetoric, as well as other serious threats our \nelection system is facing, I want to take this opportunity to \nput the cybersecurity challenges in context.\n    The U.S. election system is complex and highly \ndecentralized, encompassing approximately 10,000 local, county, \nand state election offices. Further, there are few connections \nbetween individual voting systems and the Internet. And at \nleast 75 percent of the voters will be able to verify their \nvote with a paper ballot this fall. This compartmentalization \nand paper trail provides a strong firewall against any cyber \nthreats.\n    The recently publicized attacks against voter registration \nrolls in Arizona and Illinois are serious but have not resulted \nin any changes to voter data or to any voters. In Arizona the \ncybersecurity firewalls worked to contain the threat. What I \nfind most concerning are reports that these recent threats may \nbe linked to the Russian intelligence operation. So we must be \nvigilant, and I hope these incidents will lead to improved \ncybersecurity protocols and practices.\n    While security of the election system is important, voter \naccess is fundamental to our democracy. Baseless allegations of \nwidespread voter fraud have been used as an excuse to \ndisenfranchise large numbers of minority and young voters \nthrough discriminatory voter ID restrictions.\n    News21, a journalism program established by the Carnegie \nCorporation of New York and the John S. and James L. Knight \nFoundation found voter impersonation fraud to be \nextraordinarily rare. An analysis of 2,068 alleged election \nfraud cases in all 50 States from 2000 to 2012 out of 146 \nmillion registered voters identified only 10 cases of voter \nimpersonation fraud. You don't enact laws because of 10 cases \nof fraud in 12 years unless you have an ulterior motive. \nFortunately, the courts have been right through the most \nblatantly discriminatory state laws.\n    In addition to the state-sanctioned voter ID laws, the \nBrennan Center for Justice and others have continued to \ndocument cases of voter intimidation, deliberate spreading of \nmisinformation to keep minorities and students from voting, and \nother attempts to target and disenfranchise minorities and \nyoung voters. These threats to tens of hundreds of thousands of \neligible voters were either orchestrated by public officials or \nlone troublemakers should be taken as seriously as a cyber \nthreat.\n    Mr. Chairman, I know my remarks have moved beyond the \nintended scope of this hearing, but you know well how \npassionate I am about this issue. It is my hope that with this \nhearing that we can have a thoughtful discussion of the \nchallenges and actions that have been taken related to \ncybersecurity and other voting technology issues, while \navoiding adding to the noise and confusion surrounding these \nissues just 8 weeks from the crucial election.\n    With that, I'd like to welcome our witnesses for being here \ntoday. And this is a distinguished panel. I look forward to \nhearing from our collective experience and expertise.\n    Thank you, Mr. Chairman. I yield back.\n    [The prepared statement of Ms. Johnson follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n   \n    Chairman Smith. Okay. Thank you, Ms. Johnson. And I'll \nintroduce our witnesses. Our first witness today is Dr. Charles \nRomine, Director of the Information Technology Laboratory at \nthe National Institute of Standards and Technology. In this \ncapacity, Dr. Romine oversees a research program that develops \nand disseminates standards, measurements, and testing for \ninteroperability, security, usability, and reliability of \ninformation systems, which includes cybersecurity standards and \nguidelines for federal agencies in U.S. industry.\n    Dr. Romine previously served as a Senior Policy Analyst at \nthe White House Office of Science and Technology Policy and is \na Program Manager at the Department of Energy's Advanced \nScientific Computing Research Office.\n    Dr. Romine received both his bachelor's degree in \nmathematics and his Ph.D. in applied mathematics from the \nUniversity of Virginia.\n    I'll now recognize the gentleman from Louisiana, Mr. \nAbraham, to introduce our next witness, who happens to also be \nfrom Louisiana.\n    Mr. Abraham. Thank you, Mr. Chairman. It is my pleasure to \nrecognize Hon. Tom Schedler, the Secretary of State from the \ngreat State of Louisiana. Secretary Schedler was appointed to \nthe position in 2010 and was reelected in 2011 to serve a four-\nyear term. He is past President of the National Association of \nSecretaries of State with his term ending this past July. And \nhe served as Co-Chairman for the National Association of \nSecretaries of State Task Force on Emergency Preparedness for \nElections.\n    As Secretary of State of Louisiana, he is committed to \nprotecting and defending the integrity of every election in the \nState and has worked diligently to streamline the election \nprocess. The result is been a more efficient and cost-effective \nsystem with Louisiana becoming one of the first States to \nimplement online voter registration and the first State in the \ncountry to launch a smartphone app for voters to use to get \ntimely election information. My pleasure for you to be here.\n    I yield back, Mr. Chairman.\n    Chairman Smith. Thank you, Mr. Abraham.\n    Our third witness today is Mr. David Becker, Executive \nDirector and Co-Founder of the Center for Election Innovation \nand Research. Mr. Becker founded CEIR to increase voter turnout \nand give election officials the tools they need to ensure all \neligible voters can vote conveniently and assist them with \nmaximum integrity.\n    Prior to founding CEIR, Mr. Becker was the Director of the \nElections Program at the Pew Charitable Trust where he worked \non reforms in election administration. These reforms included \nusing technology to provide voters with information they need \nto cast a ballot.\n    Mr. Becker received both his undergraduate and law degrees \nfrom the University of California at Berkeley.\n    Our final witness today from my home State of Texas is Dr. \nDan Wallach, Professor in the Department of Computer Science \nand Rice Scholar at the Baker Institute for Public Policy at \nRice University. Dr. Wallach's research covers a variety of \ntopics in computer security. This includes electronic voting \nsystem security where he served as the Director of an NSF-\nfunded multi-institution research center, A Center for Correct, \nUsable, Reliable, Auditable, and Transparent Elections, acronym \nfor which is ACCURATE. He also served as a member of the Air \nForce Science Advisory Board from 2011 to 2015.\n    Dr. Wallach earned his bachelor's degree in electrical \nengineering and computer sciences at UC Berkeley and his \nmaster's and Ph.D. from Princeton University.\n    We welcome you all, appreciate your expert advice.\n    And, Dr. Romine, if you'll begin.\n\n         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,\n\n               INFORMATION TECHNOLOGY LABORATORY,\n\n         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY\n\n    Dr. Romine. Thank you, Mr. Chairman. Chairman Smith, \nRanking Member Johnson, and Members of the Committee, thank you \nfor the opportunity to discuss NIST's role in voting systems.\n    Improving voting systems requires an interdisciplinary, \ncollaborative approach that must be accurate and reliable, yet \ncost-effective, secure, and usable and accessible to all \nvoters. The design and standards must consider the diversity of \nvoting processes and ballots across the States, and none of \nthese can be considered in a vacuum.\n    NIST expertise in testing, certification, information \nsecurity, trusted networks, software quality, and usability and \naccessibility provides the foundation for our voting systems \nwork, but our experience working in multi-stakeholder processes \nis critical. We must bring together election officials, \nindustry, technical experts, and advocacy groups to address \nthis challenge.\n    The NIST role is limited to the research to develop \nstandards, tests, guidelines, best practices, and assistance \nwith laboratory accreditation that the Election Assistance \nCommission, or EAC, and state and local jurisdictions may use \nat their discretion.\n    Since the signing of the Help America Vote Act, or HAVA, \nNIST has partnered with the EAC to develop the science, tools, \nand standards necessary to improve the accuracy, reliability, \nusability, accessibility, and security of voting systems. Our \njoint accomplishments include new voting system guidelines; \nguidelines in support of Military and Overseas Voters \nEmpowerment Act, or MOVE; and the Uniformed and Overseas \nCitizens Absentee Voting Act, or UOCAVA; the establishment of \naccredited testing laboratories for voting system equipment and \na testing and certification program upon which many States \ndepend.\n    The Technical Guidelines Development Committee, or TGDC, a \nfederal advisory committee to the EAC chaired by NIST, assists \nin the development of the voluntary voting system guidelines. \nIn 2015, the EAC approved the TGDC's latest recommendations, \nVoluntary Voting System Guidance, or VVSG 1.1, with new \nrequirements for human factors, audit and election logging, and \nnew security requirements on access control, physical security, \nauditing, cryptography, software quality, and software \nintegrity.\n    To support overseas and military voters, including the use \nof the Internet to cast absentee ballots, NIST research \nconcluded that widely deployed security technologies and \nprocedures could mitigate many of the risks associated with \nelectronic blank ballot delivery but the risks associated with \ncasting doubts over the Internet were more serious and \nchallenging to overcome.\n    Based on that research, NIST documented security best \npractices and considerations for election officials on the use \nof electronic mail or the Web to expedite transmission of voter \nregistration materials and blank ballots. In early 2011, NIST \nanalyzed current and emerging technologies that may mitigate \nrisk to Internet voting.\n    We also identified several areas where research and \ntechnological improvements are needed to ensure the security, \nusability, and accessibility of Internet voting. Many of these \nchallenges are not unique to Internet voting such as strong \nidentity management, protection against malware, and the \nresiliency of Internet-connected systems. The unique challenges \nof Internet voting are the requirements and expectations, \nnotably ensuring the integrity of the voting process while \nprotecting privacy.\n    NIST and the EAC have recently organized public working \ngroups that provide an open and transparent development process \nand give the EAC and state election officials the opportunity \nto work directly with academic, industry, and Federal \nGovernment experts. The working groups help inform NIST, the \nEAC, and the TGDC in updating the VVSG.\n    There are three election working groups--pre-election, \nelection, and postelection--that are providing insight on \nelection processes. These groups are supported by four \ntechnical groups--cybersecurity, human factors, \ninteroperability, and testing. The election working groups take \ninput from the technical groups to inform requirements \ndevelopment for consideration by the TGDC.\n    Ensuring that voting systems are secure and auditable is \ncritical to providing trust and confidence in the voting \nprocess. The cybersecurity technical working group is \ndeveloping guidelines and best practices to secure voting \nsystems. The group is focused on election security best \npractices, including physical security, auditing, and \ncontingency planning.\n    To provide a firm foundation for next-generation security \nguidelines, NIST is researching threats and vulnerabilities to \nvoting systems and the best practices and technologies that can \nmitigate those risks. As part of that research, NIST has \ncatalogued published vulnerabilities and weaknesses in voting \nsystem software. The goal is to understand the types of \nvulnerabilities by looking at historical evidence and creating \na voter-specific list of vulnerabilities and mapping these with \nweaknesses to requirements in the VVSG. This work has \nidentified issues that should be addressed in future security \nrequirements and test methods and by voting system \nmanufacturers.\n    NIST is committed to continue collaborating with the EAC \nand others to fulfill our role defined in HAVA, MOVE, and \nUOCAVA. We leverage our research, which is applicable to a wide \nvariety of organizations and used by industry and governments \nthroughout the world. Active collaboration between the public \nand private sectors is the only way to effectively meet this \nchallenge, leveraging each participant's roles and \nresponsibilities.\n    Thank you for the opportunity to testify today on NIST's \nwork in voting systems, and I would be happy to answer any \nquestions you may have.\n    [The prepared statement of Dr. Romine follows:]\n    \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n \n    \n       \n    Chairman Smith. Thank you, Dr. Romine. And, Secretary \nSchedler.\n\n                TESTIMONY OF HON. TOM SCHEDLER,\n\n             SECRETARY OF STATE, STATE OF LOUISIANA\n\n    Mr. Schedler. Thank you. I want to thank the Committee, \nChairman Smith, and Ranking Member Johnson for the invitation \nto address you today. I think it's very important for you to \nhear from actual election officials who actually conduct \nelections. And our job--at least in my opinion, is to make \nvoting easier, more accessible, and to make it tough to cheat.\n    But in recent weeks, reports on cyber attacks have voters \nquestioning whether their vote will actually count, and that in \nmy opinion is more damaging than the potential for hacking.\n    We are all on high alert. This whole exercise has put every \none of the 50 States working on national security issues with \nall national agencies in an effort to try to improve the system \nwe have or to recheck the system we have. But the fact is \nStates are always evaluating security measures and emergency \nplans. As I speak, in Louisiana I'm dealing with 30 precincts \nfrom the record flooding that we had in the Baton Rouge area on \ncontingency plans and what I'm going to do to move those \nprecincts, notify voters, and the like.\n    So yes, we--are we concerned about potential interference \ninto our election process? We absolutely are, but voter fraud \nis much, much harder to accomplish than you may think. As was \npointed out by Ranking Member Johnson, we have some 10,000 \njurisdictions of voting in this country hundreds of thousands \nof voting machines in various locations. The complexity of our \nelection system has reinforced the election process, and what I \nmean by that is if you think about the complexity of that, it \nmakes it very difficult for any player to go in and actually \ndisrupt a federal national election.\n    Specifically, States have developed online registration \nsome 31 States have the best practice to improve customer \nservice. They've also developed different ways to guard against \nintrusion. In Louisiana, for instance, information collected \nthrough our online voter registration system does not flow \ndirectly into our statewide system. Instead of voter \ninformation is sent from a Web site to each parish register in \nthe State of Louisiana. The register has direct access to the \ndatabase, not the voter.\n    While it would certainly be disruptive to have registration \nsystems hacked, as we saw in Arizona and Illinois, voters could \nstill vote and Election Day would still occur. Anyone who \ndiscovers an issue with their voter registration status still \nhas the option of a provisional ballot. And remember, no voter \ninformation was added or deleted in Arizona or Illinois, and \nmost States have electronic paper ballot backups.\n    In terms of voting machines, it's important to note that so \nfar scientists have only succeeded in hacking voting machines \nwhen favorable conditions existed that do not exist on Election \nDay, including plenty of time and unfettered access. There is \nno evidence that ballot manipulation has ever occurred in the \nUnited States.\n    No State--and I want to make this clear--has Internet \nvoting, and our voting machines are never connected to the \nInternet. In Louisiana, all machines are stored in secure, \nstate-owned warehouses. All maintenance, including most up-to-\ndate software applications, as well as programming, is \nperformed by vetted Secretary of State employees, not outside \ncontractors.\n    Additionally, before every election, Louisiana publicly \nperforms a test-and-seal process in which we demonstrate that \neach machine is working properly before it is locked with a \ntamperproof seal. That testing process is also done at the end \nof each Election Day to demonstrate that each machine is \nfunctioning postelection, which is required by roughly 60 \npercent of the States. And, if necessary, the majority of \nStates can make paper ballots and audits available if a recount \nor review becomes necessary.\n    Finally, please keep in mind that timing is critical. \nElections are no longer one-day events and voting is occurring \nright now as we speak. Ballots have been printed, absentee \nballots are in the mail, and in-person voting begins in days in \nsome States. To say this is an inopportune time for election \nofficials to be discussing this subject instead of real-time \npreparation is an understatement. The train has left the \nstation.\n    During a call with Secretary Jeh Johnson in mid-August, my \ncolleagues and I were assured there would be no intent to \ndeclare an election system as part of the critical \ninfrastructure before the November elections. Some Secretaries, \nincluding myself, have been very vocal that no matter when that \nmay occur, such a designation would undercut the Constitutional \nrole of the States and local jurisdictions. It would only \ncomplicate our ability to properly secure elections.\n    As of today, there is not enough clear information on what \nthe designation would mean or why it's necessary. States get \nwhat we need through existing networks, including the United \nStates Elections Assistance Commission and the National \nInstitute of Standards and Technology, which already identify \nthe kind of testing and certification.\n    And most standards needed to reveal signs of tampering, \nthere is a role for Congress in this. Most States purchase \ntheir voting machines using federal dollars, HAVA, back in \n2005, but there is little interest on the Hill when it comes to \nhelping replace our aging systems. I suggest you revisit HAVA \nand see how an investment in voting technology could benefit \nour nation in the long run.\n    In the meantime, we have received a sobering wake-up call \non the serious nature of cyber attacks. States will continue to \ntake a proactive approach to secure our election systems, and \nat the end of the day, I want to assure every American--and I \nspeak for all of my colleagues, the Secretaries of State \nAssociation--that your next President will be determined by the \nvote of the people and every vote will count.\n    Thank you for allowing me my comments.\n    [The prepared statement of Mr. Schedler follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n \n    \n    Chairman Smith. Thank you, Secretary Schedler.\n    And, Mr. Becker.\n\n                 TESTIMONY OF MR. DAVID BECKER,\n\n                      EXECUTIVE DIRECTOR,\n\n         THE CENTER FOR ELECTION INNOVATION & RESEARCH\n\n    Mr. Becker. Good morning, and thank you, Mr. Chairman, and \nRanking Member Johnson, for the opportunity to testify today on \nthe important issue of the security of our election system.\n    My name is David Becker and I'm the Executive Director of \nthe Center for Election Innovation and Research, a nonprofit \nworking in partnership with election officials like Secretary \nSchedler and technology leaders to improve our system of \nelections.\n    My experience in elections goes back about two decades, \nstarting with a seven-year stint as a senior trial attorney \nwith the voting section of the Department of Justice under both \nthe Clinton and George W. Bush Administrations where I observed \ndozens of elections in hundreds of precincts nationwide and \nthen served for several years as the Director of the Elections \nProgram at Pew where I oversaw efforts to use technology to \nimprove the efficiency and security of elections.\n    As an initial matter, we should be clear about the election \nsystems that are in place and what they each do and what if any \nrelative vulnerabilities might exist. Voter registration \ndatabases or a key election system have been in the news a lot \nrecently. As you noted, there was a breach of the Illinois \nvoter registration database where personal data from several \nthousand voters appears to have been accessed. In Arizona, it \nappears the State successfully detected an attempted hack of \ntheir state voter registration database and prevented access of \nany private data.\n    But in both cases initial investigations suggest no voter \ndata was changed. The voter registration lists remained intact \nwith the primary goal of the hack seemingly being to access \npersonal data for the purposes related to identity theft rather \nthan to manipulate the voter lists themselves.\n    While we should continue to be vigilant about these \ncentralized databases, to my knowledge, every State creates a \nregular backup of their voter registration lists, and most \nStates on a daily basis, so that should anything go wrong with \nthe databases themselves, the list could be reconstructed prior \nto the election.\n    And while there have also been concerns expressed about the \nhack of the Democratic National Committee email system, that \nsystem is completely different than the election systems in \nplace. That was an attack on a centralized email server and a \nnongovernmental entity which bears no analogy to the highly \nregulated systems in place in the States to administer \nelections.\n    The voting machines themselves include paper ballots or \nelectronic devices on which votes are cast and include vote \ntabulation equipment. And with regard to those systems, I can \nsay that while no system is 100 percent hack-proof, elections \nin this country are secure, perhaps as secure as they've ever \nbeen, and that voters should have confidence that their votes \nwill be counted and counted accurately.\n    There are four primary reasons that voters should feel \nconfident in our election system. First, our election system is \nhighly decentralized. Each State governs the administration of \nelections independently, and within each State there are many \nindividual election jurisdictions--counties, towns, and the \nlike--totalling approximately 10,000 nationwide that actually \nadminister those elections.\n    Even within many States, counties use different systems and \ndozens of different technologies to conduct elections, and \nwithin those thousands of election jurisdictions there are well \nover 100,000 Election Day precincts and polling places where \nballots are cast and collected, and that is just on Election \nDay, not taking into account the thousands of early-voting \nsites and tens of millions of mail ballots that will be \nutilized this November. Thus, there isn't a single or \nconcentrated point of entry for a hacker. Rather, there are \nthousands of points hacker would have to successfully navigate \nto manipulate the results of a national election.\n    Second, voting machines are kept securely. These machines \nare subjected to rigorous protocols for chain of custody and \ntesting in every jurisdiction. Machines are held under lock and \nkey with additional protections in place to ensure that nobody \nwithout proper credentials can access the devices. It's \nexceedingly difficult to gain unauthorized access to even one \nof these machines and nearly impossible to gain access to more \nthan one. Prior to every election, not just federal elections, \nbut every time the equipment is used, these machines go through \na series of tests called logic and accuracy tests to confirm \nthat they are working as intended, recording and tabulating \nvotes accurately.\n    Third, unlike voter registration databases or email \nsystems, I know of no jurisdiction where voting machines are \nconnected to the Internet. This makes it nearly impossible for \na remote hacker, whether in Moscow, Russia, or Moscow, Idaho, \nto access the equipment and plan malicious code or otherwise \nhack the system. Without connectivity, it would require a \nhacker to have unfettered physical access and enough time to \nsabotage one machine just to impact the results on one device \nin one polling place. To manipulate election results on a state \nor national scale would require a conspiracy of literally \nhundreds of thousands and for that massive conspiracy to go \nundetected.\n    Which brings us to the fourth reason: Even if hundreds of \nthousands of conspirators operated undetected on a diverse \nrange of systems, defeating the testing and chain-of-custody \nprotections in place, it would likely have no effect on the \nvast majority of election results nationwide because well over \n75 percent of voters vote on paper ballots or on a device that \ncreates a paper record.\n    And in most States--32 plus DC. as of 2014, there is a \npostelection audit requirement that mandates States match the \npaper record to the digital record, and if a discrepancy \nexists, recount the paper ballots for use as the official \nrecord. The States that require such an audit include the \nbattleground States of Arizona, Colorado, Florida, Nevada, New \nMexico, North Carolina, Ohio, Pennsylvania, Virginia, and \nWisconsin, among others, so even if a grand conspiracy were \nviable, a postelection audit requirement would almost certainly \ndiscover it prior to the election results becoming official.\n    There's been a lot of hyperbole surrounding the selection, \nbut the processes in place to ensure the integrity of our \nelection system should not become part of the political \nrhetoric. There are few loudly seeking to sow distrust in the \nsystem, but there are far more working quietly and \ncollaboratively at the federal, state, and local level and \nelection officials across the political spectrum like Secretary \nSchedler here who are working to secure our voting systems and \nreassure voters that the selection will accurately reflect \nvoters' choices.\n    And voters can play a role as well, by attending pre-\nelection voting machine tests and especially volunteering to \nserve as poll workers to see the process firsthand, whether \nit's federal officials offering assistance and resources to the \nStates, state and local officials sharing best practices, or \ncitizens serving as poll workers, this cooperation and \ndiligence will protect our elections in 2016 and safeguard \nfuture elections as well.\n    Thank you and I'd be happy to take any questions.\n    [The prepared statement of Mr. Becker follows:]\n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n   \n    \n    Chairman Smith. Thank you, Mr. Becker.\n    And, Dr. Wallach.\n\n          TESTIMONY OF DR. DAN S. WALLACH, PROFESSOR,\n\n        DEPARTMENT OF COMPUTER SCIENCE AND RICE SCHOLAR,\n\n               BAKER INSTITUTE FOR PUBLIC POLICY,\n\n                        RICE UNIVERSITY\n\n    Dr. Wallach. Chairman Smith, Ranking Member Johnson, \nMembers of the Committee, it's a great honor to speak to you \ntoday about our nation's voting systems and the threats they \nface this November and the steps we might take to mitigate \nthose threats.\n    My name is Dan Wallach. I've been a Professor in the \nDepartment of Computer Science at Rice University in Houston \nfor 18 years. And my main message for you here today is that \nour election systems face credible cyber threats from our \nnation-state adversaries, and it's prudent to adopt contingency \nplans before November to mitigate these threats.\n    In particular, we've learned that Russia may have been \nbehind leaked DNC emails for the explicit purpose of \nmanipulating our elections. We've also learned of attacks on \nvoter registration databases in Arizona and Illinois, and \nthat's only the ones we know about. There might be more.\n    We must prepare for the possibility that Russia or other \nsophisticated adversaries will use their cyber skills to attack \nour elections, and they need not attack every county in every \nState. It's sufficient for them to go after battleground States \nwhere a small nudge can have a large impact. The \ndecentralization that we've heard about is helpful but it's not \nsufficient.\n    My number one concern is our voter registration databases \nbecause they are online, and if an attacker can damage or \ndestroy the voter registration databases, they could \ndisenfranchise a significant number of voters, leading to long \nlines and other difficulties. The provisional voting process \nrequires filling out affidavits, it's slow, it takes time, and \nthat wouldn't work for million voters.\n    Paperless electronic voting systems and their tabulation \nsystems are also vulnerable. Despite not generally being \nconnected to the Internet, these systems were unfortunately \nnever engineered with security in mind, and expert analyses by \nmyself and others have found unacceptable security issues.\n    Our biggest nation-state adversaries have the capability to \nexecute attacks against these systems. For example, Russia was \nbehind an attack of this kind directed at Ukraine's 2014 \nelection where a hacked tabulation system would have reported \nresults favorable to Russia. The Ukrainians were lucky enough \nto catch this.\n    Our options between now and November are largely limited to \ncontingency planning. If we're lucky, we might detect attacks \nbefore Election Day, but it's important to make plans now for \nrecovering from unforeseen cyber disasters in the same way that \nwe make plans for natural disasters, including running drills \nand exercises and having plans written out and thought through.\n    If, for example, we were to conclude on Election Day that \nour computer systems had been unreliable, a contingency plan \nmight be to rapidly print millions of paper ballots and rerun \nthe election the next day. Legislation passed in most States \nfollowing 2012's Hurricane Sandy appears to allow for such \nmitigations. The details vary State to State.\n    Between now and November we should also be aggressive at \ndeploying expert teams to do security audits of relevant \nnetworks and systems particularly in battleground States. If \nsomething has been hacked, the sooner we know about it, the \nbetter. And my understanding is a critical infrastructure \ndesignation would allow States to request assistance from the \nFederal Government in this role.\n    We must also plan for the next few years after November's \nelection is complete. Roughly 1/3--we've heard today--we've \nalso heard 1/4. I'm not sure what the real number is. Roughly \n1/3 of American voters this fall will use aging electronic \nvoting systems with proven insecure designs. Some new hybrid \nvoting system designs with electronic user interfaces and \nprinted paper ballots are being designed by Los Angeles County, \nCalifornia, and Travis County. That's Austin, Texas. These have \nthe potential to substantially reduce costs and improve the \nsecurity of our elections. Federal support could advance their \ndeployment nationwide, and if we do nothing, keeping our aging \nsystems in service holds our elections at risk.\n    As a quick note, our immediate future should not include \nInternet voting. It's hard enough to protect the online systems \nthat we already have. Moving additional voters online increases \nthe risks. Traditional hand-marked paper ballots and these new \nhybrid systems from Los Angeles and Austin are our best paths \nforward.\n    As Don Rumsfeld once said, you go to war with the army you \nhave, not the army you might want or wish to have at a later \ntime. We face a similar situation this November with our \nsystems for voter registration casting and tabulation. None of \nthem are ready to rebuff attacks from our nation-state \nadversaries, nor can we replace them in time to make a \ndifference.\n    Despite this, we can pursue a number of pragmatic steps \nsuch as verifying the integrity of election database backups, \nand we can make contingency plans for how we may respond if and \nwhen we do detect attacks against our elections. If we can \nsomehow determine that tampering with an election voting system \ndid take place, we should have plans in place to print paper \nballots or otherwise keep the election going. The sooner we can \ncreate and agree on these plans, the more resilient our \nelections will be to foreign attack.\n    And even if nothing goes wrong and all this turned out to \nbe nothing but hot air, we should treat these events as a \nwarning. With modest investment, we can improve our practices \nand replace obsolete and insecure equipment, defeating future \nattacks like this before they ever get off the ground.\n    Thank you.\n    [The prepared statement of Dr. Wallach follows:]\n    \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n \n       \n    Chairman Smith. Thank you, Dr. Wallach.\n    I'll recognize myself for questions. And, Dr. Wallach, let \nme address the first one to you. You raised a lot of \ninteresting issues. I guess my question is where do you think \nour election systems are the most vulnerable? What are the one \nor two areas that we'd need to guard against?\n    Dr. Wallach. So I believe my top concern is the voter \nregistration systems because they are generally online, and if \nit's online, it's accessible from the Internet, and if it's \naccessible from the Internet, it's accessible from our nation-\nstate adversaries.\n    And as I mentioned before, if you can either selectively or \nentirely delete people who you'd rather not vote, the current \nprovisional voting system can't really scale to support a large \nnumber of voters who are filling out affidavits and following \nthat process.\n    My second concern is the vote tabulation systems. Generally \nspeaking, these tend to be old computers running old operating \nsystems, in some cases Windows 2000 where security patches \naren't even available from the vendor anymore, and that means \nthat there are significant vulnerabilities where attacking a \nsingle point could result in an interesting result.\n    Chairman Smith. Okay. Thank you, Dr. Wallach.\n    By the way, when I hear you all recommend paper ballots, I \nwince a little bit because those of us from Texas have \nsometimes read about what happened in the 1950s where a ballot \nbox was stuffed with paper ballots and it changed the outcome \nof a Senate race and perhaps elected the next President. So I \nsometimes worry about paper ballots as well.\n    Let me address a question to all the panelists here today. \nAnd we've heard about some of the vulnerabilities. Let me ask \nyou to rate on a scale of one to five with five being the most \nvulnerable, the most at risk, where you think we stand both in \nthis election, and let's take the long view--say this election \nand the next election--how vulnerable are we to being hacked, \nnot necessarily successfully hacked, but how likely is it that \nthere will be attempts to interfere in our elections process by \nforeign countries this election or the next? And again one to \nfive with five being the greatest risk.\n    Dr. Romine?\n    Dr. Romine. It's a little hard for me to answer that \nquestion principally because it involves intent of malefactors, \nand I don't really have any background to be able to determine \nthe level of intent.\n    Chairman Smith. Okay. Let's assume, then, how likely is it \nthat there would be intentional attempted hacking in the next \ntwo elections? If you want to use----\n    Dr. Romine. It's not unreasonable to imagine attempts. In \nfact, as others have testified, there have been a couple of \nattempts to hack into voter registration systems currently. I \nthink most CIOs at most organizations will tell you that \nthere's a sort of constant current of probing of their IT \nsystems. And so with respect to voter registration, I would say \nthe possibility that an attempt could be made is not out of the \nquestion.\n    With respect to the voter--the----\n    Chairman Smith. Maybe I should say likely or unlikely, \nwould you consider that to be an easier way to describe it or \nnot?\n    Dr. Romine. It's still difficult for me to answer that \nquestion, but I would say I would put it somewhere in between. \nI can't say that it's likely but I can't rule it out either.\n    Chairman Smith. Okay. Thank you.\n    Secretary Schedler?\n    Mr. Schedler. I'll take a stab at that. I'll say on the \nregistration side of it, as evidenced by the two States that \nhave had a problem, one of which, from what I understand the \ncode was giving and the other one was detected immediately. I'd \nprobably give it around a three. On the Election Day, one and \none half or two.\n    Chairman Smith. Okay. Good. Thanks. Mr. Becker?\n    Mr. Becker. Yes, I agree. I think it's not out of the realm \nof possibility that there will be an attempted hack either \nbefore the election or at any time, as there was with the voter \nregistration databases. But I think the chance that it would be \nsuccessful is down below two. I think vigilance is important \nbut it appears that the primary goal here is to disrupt \nconfidence in the election rather than actually manipulate \nelection results.\n    Chairman Smith. So likely attempt, unlikely success?\n    Mr. Becker. Correct.\n    Chairman Smith. Okay. Dr. Wallach?\n    Dr. Wallach. So in the cybersecurity lingo we often have \nthis phrase ``advanced persistent threat'' that we use as a \ncolloquial way of talking about nation-state adversaries who \nhave patience and skills and will take the time, might do \nsomething years in advance. It's often the case that \nadversaries are present in very secure and highly protected \nnetworks for months at a time before they're detected.\n    So trying to rank these vulnerabilities, I'm going to rank \nthem relative to access. I think our voter registration systems \nare most accessible so I'm most worried about them. I'm \nsecondarily concerned about the tabulation systems, and then \nI'm concerned about the voting systems themselves, particularly \nthe paperless electronic ones.\n    Chairman Smith. Okay.\n    Dr. Wallach. It's very hard for a remote Internet attacker \nto overwrite printed paper.\n    Chairman Smith. Okay. A final quick question, what more \nshould the Administration be doing to protect us from foreign \ncountries attempted hacking of our election systems? Anybody?\n    Dr. Wallach. So I think the short answer is providing \navailable expertise and teams to go and do intrusion detection, \nnetwork monitoring, and other appropriate tasks to just go \nlooking for it.\n    Chairman Smith. Okay. My time is up. Any other quick \nresponses to what more the Administration could be doing?\n    Mr. Schedler. Well, I think with we should be looking more \nlong-term with additional dollars to improve the States' \nmachinery or equipment at this time. It's been over ten years \nsince we did HAVA funding. And I do want to make one comment. \nAs far as Homeland Security assisting us, we already have that \nassistance through FBI and Homeland Security, and you nearly \nasked, you don't have to be a critical infrastructure to get \nthat service.\n    Chairman Smith. Okay. Thank you.\n    The gentlewoman from Texas, Ms. Johnson, is recognized for \nher questions.\n    Ms. Johnson. Thank you, Mr. Chairman.\n    I take all concerns and challenges over cybersecurity in \nour elections very seriously. At the same time, we face many \nother challenges to ensuring that every vote counts and we \ncount every vote. Some of these challenges are the direct \nresults of human action such as related to old technology, and \nas we've seen in elections past, we even face risks from \nnatural events such as major storms. I'd like each of you to \ncomment on how you would rate the current cybersecurity risk in \nour upcoming election as it relates to other issues.\n    Dr. Romine. Congresswoman Johnson, from my perspective my \nentire orientation or the orientation of my organization is \nlooking at the cybersecurity risks and threats, and so all of \nthe other things that you've talked about are really sort of \noutside of our purview with perhaps one exception, which is \nthat contingency planning that the States and other \njurisdictions and the local jurisdictions are encouraged to do \nunder the voluntary voting system guidelines can also protect \nagain these other kinds of natural disasters and other kinds of \nthings that you referenced.\n    Ms. Johnson. Thank you.\n    Mr. Schedler. Yes, ma'am. I would put that risk again, as I \nindicated earlier, on Election Day very low for the reason that \nno State is on the Internet. I find it difficult to hack \nsomething that's not on the Internet. All machines are not--\nnone of the machines are linked together. They're all separate \ncartridges, so they're independent. My bigger concern on \nElection Day would be something of a physical nature, a \nphysical threat that would be something much more difficult to \ndeal with. And I put that at a very high number.\n    But as far as cyber attack other than what's occurred on \nthe election side--and again, there's been no change. I think \nthat was more of a data collection attempt personally. I know \nin Louisiana if you go--we are an online registration State, \nMs. Johnson. If you went into my system to change party \naffiliation, address, whatever you may do, you may think you're \naccessing my entire system. You're not. You're in a silo and a \nperson behind the scenes drags out that information, \ndisseminates it to the local register and puts it in the public \nside, the campaign side, or in the registration side. So if \nsomeone hacked you, they would only hack Ms. Johnson. They \nwouldn't get the entire list.\n    Mr. Becker. Yes, I agree with that. I think, as Secretary \nSchedler noted, election officials are on high alert, and \nthey're on high alert not just for this election. They're on \nhigh alert for every election. And, you know, in many States if \nit's Tuesday, it's Election Day because there are so many \nelections now.\n    So not only are they trying to make sure that the security \nof the systems are in place and that the process as a whole is \nsecure but they're also doing, I think, a remarkably good job--\nprobably better than ever before--of balancing that with access \nto all eligible voters to make sure they can have a good \nexperience.\n    So whether it's more people having access to easy ways to \nregister to vote, more people having easy access to voting \ninformation like things with the GeauxVote app in Louisiana and \nmany other States or more voters than ever before having access \nto early voting and mail voting option, I think election \nofficials around the country, both Democrats and Republicans, \nare doing a remarkably good job, probably better than ever \nbefore, balancing out the access and security concerns.\n    Dr. Wallach. At the end of the day we need to worry about \nevery problem. We have to worry about hurricanes, we have to \nworry about earthquakes, and we have to worry about cyber \nissues and we need to have plans in place to deal with them \nall. And the interesting thing is if you have plans in place \nfor an earthquake, the earthquake doesn't really care. It's \ngoing to happen or not. But if you have plans in place for \ncyber, you can actually dissuade a cyber attack. If your \nadversary knows it's not going to work, then they're not going \nto bother. So I think it's important to do the planning and the \nforward thinking to make this not be a problem in the future.\n    Ms. Johnson. Thank you very much.\n    Another real quick question--I know my time is running out. \nWe would all agree that making it easier to participate in our \ndemocratic elections process should be a priority. Registering \nto vote and casting a vote shouldn't be an extra burden for \nthose who can't leave their homes or for people with three jobs \nand for a family of caregivers. How do we balance our efforts \nto make voting more accessible with the necessity of having \nsecure elections?\n    Dr. Romine. I'd like to take a slightly different tack. \nWe've actually worked with the Election Systems Commission on \naccessibility issues and usability issues with regard to voting \nsystems so that people who have physical disabilities, whether \nit's vision impairment or mobility impairment or other things, \ndo have access to voting systems that they can also use. And \none of the advantages of electronic voting systems, as they're \nbeing rolled out, is that we can improve the accessibility over \npaper and pencil, for example.\n    Mr. Schedler. First off, we do have early voting, certainly \nsomething in the last decade that we didn't have prior to that, \na paper ballot, relaxed paper ballot laws now. I mean, we all \nremember the days you used to have--almost have to have a \ndoctor's note or an airline ticket to be able to absentee vote. \nThat's no longer the case across the United States. And we do \nhave easy accessibility through nursing home programs, ADA \ncompliant with visually impaired and the like. So I think \nthere's been tremendous improvements made, and voting is \nprobably easier today than it's ever been.\n    Mr. Becker. Yes, I think thanks to the efforts of state and \nlocal election officials all around the country and efforts of \nthe Election Assistance Commission and the Presidential \nCommission on Election Administration and many others, voting \nis easier today than it ever has been before. As I noted, more \npeople have access to easy voter registration options. Many \nStates--20 States, including Louisiana, have joined the \nElectronic Registration Information Center, which allows them \nto keep their voter registration data up-to-date and has \nresulted in registering about a million--almost a million new \nvoters.\n    More people have access to voting information and \nconvenience voting options where they can vote by mail or vote \nearly. That trend has been remarkable, and I think we're going \nto see and I hope that we're going to see the benefits of it in \nthis election and as it expands in many years to come.\n    Dr. Wallach. So we've heard about early voting and Election \nDay vote centers. An interesting thing going on in Travis \nCounty--it's Austin, Texas--every single precinct can handle \nany voter from the whole county. They did that because of \nredistricting. It was to avoid chaos. But it has the \ninteresting benefit that you can vote near where you work \nrather than near your home. So I think that there's a lot of \nopportunity for creative expansion of the availability to vote \nwithout making radical changes in how we vote.\n    Ms. Johnson. Thank you very much, Mr. Chairman.\n    Chairman Smith. Thank you, Ms. Johnson.The gentleman from \nCalifornia, Mr. Rohrabacher, is recognized for his questions.\n    Mr. Rohrabacher. Thank you very much. And thank you, Mr. \nChairman, for holding this hearing. I didn't expect it would be \nas interesting as it's been, so thank you to the witnesses as \nwell.\n    Let me just start off with one question in terms of getting \na sense of information here on one issue the broader issue of \nwhether or not the integrity of our voting process and our \nelection system will be maintained is really vital to the very \nnature of our country. I mean, this goes to the heart of \nwhether or not we are who we say we are. If we don't have an \nelection process that has integrity, we don't have an election \nprocess.\n    First let me ask this. How many examples do we have of \nwhere the Russians have actually--or Russian-based, whoever it \nis in Russia, have hacked in to our election system?\n    Mr. Schedler. I know of none. And to be quite honest with \nyou, I ask the question to Secretary Johnson of Homeland \nSecurity, is there an imminent threat known? And his answer was \nno, and that was reported in several news agencies. So I know \nof zero.\n    Mr. Rohrabacher. Does anybody disagree?\n    Mr. Schedler. I had a request from a Russian Embassy out of \nHouston to come monitor my elections in Louisiana----\n    Mr. Rohrabacher. All right.\n    Mr. Schedler. --and I would suggest to you if I allowed \nthat, I'd be run out of office in Louisiana, but especially----\n    Mr. Rohrabacher. Well, the----\n    Mr. Schedler. --with the conversation we're having. But I \nknow of zero.\n    Mr. Rohrabacher. Does anyone disagree with that on the \npanel? Yes, sir.\n    Dr. Wallach. So the nature of the threat is that they don't \nwant you to see them there, so we can't assume that if we \nhaven't seen them, that they're absent. What we do know is that \nwe've established motive. The attack on the DNC's email server \nis motive for a nation--it shows that they did it for \nexplicitly partisan purposes. And when you combine motive with \nmeans and opportunity----\n    Mr. Rohrabacher. Excuse me. What example was that that you \njust gave?\n    Dr. Wallach. Oh, I'm sorry. This was reported in the press \nthat Russian state actors allegedly hacked the DNC's email \nserver with the intent of releasing emails for partisan \npurposes.\n    Mr. Rohrabacher. Okay. But that's not the election process, \nbut that is an entity that's involved in elections here so they \nhave capability of actually getting into various--whether it's \nRepublican, Democrat, or whatever, but actually in the election \nprocess we have no examples of them actually hacking into the \nsystem and compromising the integrity of any specific election, \nis that correct?\n    Dr. Wallach. The only example I'm aware of happened in the \nUkraine in 2014.\n    Mr. Rohrabacher. Right. Okay.Just to let you know, we have \nseen article after article after article about how Russia is \ncompromising the integrity of our election system. And, Mr. \nChairman, the panelist is just saying that is false and just a \nnote.\n    For those of us who want our country to be safe but we also \ndon't want to just continually vilifying Russia turning them \ninto the bad guys. If we're going to have the integrity of our \nsystem, I think we have to look at home for some of the real \nthreats to the integrity of our voting system and whether the--\nas we say, the old-fashioned way of stealing elections has been \naround for a long time and we should be insisting that we make \nsure that we don't have people, for example, voting who are not \neligible to vote because they're perhaps not citizens or here \nillegally.\n    We have people who are trying to suggest that we don't even \nhave any real demand to identify someone's self whether they \nare here--whether they are actually who they say they are when \nthey go to vote.\n    So we have a real challenge to make sure our system is, as \nI say, safe from being defrauded because the people of the \nUnited States, their ballots are being negated by every other \nballot that's cast is cast by someone who does not have a right \nto vote here.\n    Now, with that said, we actually did confront this. \nCongress confronted this whole issue back in 2002 with the Help \nAmerica Vote Act. And just very quickly to the panel because my \ntime is running out, that's been around now since 2002. \nCongress passed this act specifically aiming at protecting the \nintegrity of our system. Is our system now more or less at risk \nfrom cyber attacks due to this legislation? And very quickly, \nif we could have the panel answer that.\n    Dr. Romine. I think the legislation has improved our focus \non security issues associated with the voting system. My \norganization has been working in partnership with the Election \nAssistance Commission under HAVA for 14 years to provide the \nbest guidance possible to States and municipalities.\n    Mr. Schedler. I would certainly echo that comment. And if \nyou allow me just to claw back on you previous comment, I mean \nthe whole Russian argument has--they've actually accomplished I \nthink--even if they're not trying, we've done it for them, \nquite frankly.\n    Mr. Becker. Yes, I agree. I think the Help America Vote Act \nhas helped improve security since it was enacted, but even more \nimportantly, what we've learned since it has been enacted has \nhelped improve the security. I think the 2016 election is going \nto be one of the most secure we've seen in recent memory but \nthere's no question that I think based on what we're talking \nabout here and this discussion and the conversations we're \nhaving, the 2018 and 2020 elections will be even more secure.\n    Dr. Wallach. So HAVA helped us get rid of punch cards and \nhelped us get rid of lever voting machines, and that's a good \nthing. HAVA was really two parts. It helped create the EAC, \nwhich could then help improve standards, and it also helped \nfund the purchase of new equipment. The equipment was largely \npurchased before the EAC standards effort was in action, and I \nthink it would be an excellent thing to revisit to get new \nequipment up to new standards.\n    Mr. Rohrabacher. All right. Well, thank you very much and \nthank you, Mr. Chairman.\n    Chairman Smith. Thank you, Mr. Rohrabacher.\n    The gentlewoman from California, Ms. Lofgren, is \nrecognized.\n    Ms. Lofgren. Thank you, Mr. Chairman.\n    It was interesting to listen to my colleague from \nCalifornia inquire about the role of the Russians in this \nelection. And, I think, you know, the focus of this hearing is \non the voting systems, but really the question is about the \nelection and it's not limited to voting systems. And it's \npretty clear that the Russians have attacked--have engaged in a \ncyber attack on the DNC and the DCCC. We've received reports on \nthat. I thought it was unfortunate that the Republican \ncandidate for President either thought it was a good idea or \nwas making a joke about it--we don't know which. But this is a \nserious matter.\n    What we've been told is not just that the material has been \ntaken but that the pattern of the Russians is not just to \nrelease material but to forge material and to alter it in an \neffort to try and impact outcomes of elections. And that's \ncertainly--they have a history of cyber attacks in an attempt \nto discredit Democratic elections in Ukraine, in Bulgaria, \nRomania, the Philippines. So this is something I think we need \nto take very seriously. To my knowledge, this is the first time \nthe Russians have actually so boldly attacked a Western \ndemocracy, in fact the most important democracy in the world.\n    Now, I think the focus of this hearing is unduly limited, \nand I agree that a large-scale attack on distributed voting \nprecincts is unlikely to succeed, although I do think we've \nunderestimated the potential impact of air-gap tabulation \nsystems, and I think that is something to be concerned about.\n    But the question isn't really whether the actual vote \ntabulations could be altered because I don't think that's very \nlikely, but whether chaos could be induced into the system. \nThat is the goal of the attack on the Democratic Party, and I \nthink it may also be the goal of the cyber attacks on the state \nsystems.\n    What could be done with this voter information? Obviously, \nthere are backups on the database so no one can alter who can \nactually vote. But what would happen if emails were sent to all \nof those voters or are just the Democratic voters telling them \nthe date of the election had been changed or their precinct had \nbeen changed? Wouldn't that create chaos in a system if even a \nsmall percentage of those voters believed an email misadvising \nthem?\n    I do think that there's a vulnerability in the overseas in \nsystem. The House Administration Committee has the primary \njurisdiction over election systems, and I remember we had a \nhearing talking about our lack of concern, the lack of concern \nthat electoral systems professionals had about emailing the \nballot to overseas voters provided that the ballot itself was \nmailed in. The more we think about it, with these hackings, if \nyou altered the ballot on the email, you would again create \nchaos in the electoral system.\n    So I think that's really the goal here is not necessarily \nto impact the tabulation, although there may be efforts to do \nit, but to create long lines if people go to the wrong places \nto create chaos and to attack the faith and the confidence that \nthe American people have in their elections systems through \nlong lines and all sorts of mischief.\n    I do think that to downplay the role that the Russians have \nhad in this is a huge mistake when you take a look at what they \ndid to the DNC and the DCCC. And I'll just close with this. I \ndo think that it's been disappointing. The reaction has been \ndisappointing that if you attack one of the major political \nparties, somehow that's okay if it could be to your advantage.\n    I like to think if the Russians had attacked the Republican \nNational Committee the Democrats would be as outraged as \nRepublicans because it's an attack on America. It's not an \nattack on a party. And the fact that there hasn't been outrage \nexpressed at all levels of both parties about the effort of the \nRussians to disrupt this election is--it's sad commentary on \nleaders of that party and it also is very chilling when you \nthink about what could happen come this November.\n    And I see that my time is expired. I yield back, Mr. \nChairman.\n    Chairman Smith. Thank you, Ms. Lofgren.\n    And the gentleman from Louisiana, Mr. Abraham, is \nrecognized for his questions.\n    Mr. Abraham. Thank you, Mr. Chairman. And we'll get back on \ntrack here.\n     Secretary Schedler, let's go to the 30,000 foot view. In \nyour opinion is the integrity and the security of the voting \nsystems in all States--you being the past President of the \nSecretaries of State, you have I think some knowledge of the \nsubject. You think it's good, bad, average?\n    Mr. Schedler. Congressman, I would say it's good. I mean, \nwe did a survey before this hearing and we got a response from, \nI think, 19 of 20 States to try to ascertain that. Aside from \nmy knowledge from serving, and I don't profess to be an expert \non every state system, but there's a lot of similarities, \nthere's a lot of differences in the States and that's what \nmakes it so unique. But I feel very comfortable again--and the \nrepresentative from California who appears stepped out.\n    Keep in mind the Democratic National Convention, the \ncomponent that was hacked was the campaign side of it. Each and \nevery one of us like me is elected. All of you have used a \ncampaign commercial list to determine a mail issue, a walk list \nin a neighborhood, whatever it may be. Those are readily \naccessible. I'd sell you mine. If you know me well enough, I \nmight give it to you.\n    But that is vastly different than the registration \ncomponent and certainly vastly different than the Election Day \ncomponent of equipment. So I think you have to understand that \nforefront to get into this subject. There's no one minimizing \nwhat happened with the Democratic National Convention. I know I \nhave and I know with one of my colleagues, and that makes no \ndifference if you're in a red state, blue state, or purple \nstate.\n    But the bottom line is maybe it's just our knowledge of the \nsystem that gives us this feeling of somewhat--not \noverconfidence because I think this is a good thing that we're \ngoing through, but we all remember the year 2000 when the world \nwas going to end at one second after midnight. I'm still using \nbatteries my wife bought for that event. That does not mean \nthat we did not have reason to believe with studies and we \nshould have been prepared. We went through that gyration. Or \nwhen a ballgame--when the scoreboard goes out on a football \ngame, if you're sitting in the stands, you know what's going \non. And guess what? There's other people taking track of those \nstatistics at that same time.\n    It's the same with election systems. If one component goes \ndown, we have various components that come in and--it may delay \nit some but it doesn't create a nuclear war.\n    And I can't speak to what happens in the Ukraine. I can \nonly speak to what happens in the United States, and I'll tell \nyou, the election system in the United States, just like many \nother things in this country, in spite of maybe what we think, \nis the best system in the world. Is it fool-proof? Absolutely \nnot.\n    And I'd also tell you there's no such thing as a perfect \nelection. Anybody that tells you that don't know what they're \ntalking about because anytime you've got 10,000 machines at \nplay and 15,000 people from 65 to 90 years old, things are \ngoing to happen. It's how you handle that. It's how you \ndocument that and move forward.\n    So I'm very confident in it with caution lights on. And \nthere's no disrespect to anyone who believes otherwise. We're \nlooking at it. It's forced us to do so. But I am deeply \nconcerned, and I can speak to my Democratic colleagues and my \nRepublican colleagues that have been on conference calls over \nthe last several weeks with this issue. We are in unison. This \nis the worst situation we could be talking about as we enter \nthis election. We've been going through a chaotic convention \nprocess. We have voters who are more disgruntled than ever. And \nwe are adding to that participation rate in a very negative \nfashion.\n    And I feel very comforted in saying that I speak for all of \nmy colleagues that we are deeply concerned with the rhetoric \nthat's going on right now from the national press, and we're \nnot trying to minimize it. We're double-checking, but there's \nlittle that could be done in eight weeks, little. We just need \nto stay the course, have confidence in what we're doing. And \nagain, I'm very confident that on November 9, you're going to \nwake up and you're going to have unofficial result of who won \nthe President of the United States because keep in mind it's \nunofficial. We go through that audit in every county, every \nparish, every State postelection before it becomes official and \nyou go to your electoral college.\n    Mr. Abraham. Thank you.\n    Mr. Schedler. Thank you.\n    Mr. Abraham. I'm out of time, Mr. Chairman. Thank you.\n    Chairman Smith. Thank you, Mr. Abraham.\n    And the gentlewoman from Oregon, Ms. Bonamici, is \nrecognized for her questions.\n    Ms. Bonamici. Thank you very much, Mr. Chairman. Thank you \nall for your testimony.\n    Mr. Becker, you said in your testimony you emphasize that \nvoters should feel confident in our voting system, and we \ncertainly have heard a lot of messages about the importance of \nthat confidence here today and how it will lead to greater \nparticipation, and certainly that's good for democracy. I think \njust getting the information out to the public that the voting \nmachines themselves are not connected to the Internet is going \nto help. I think there's a misconception about that.\n    Well, I'm from Oregon, and we all vote by mail in Oregon. \nWe've done that for more than a decade. It's a very secure \nprocess. It also makes it very easy for Oregonians to vote. The \nSecretary of State's office mails paper ballots to each and \nevery registered voter a couple of weeks before the election, \nalong with a voter's pamphlet with all the information about \nthe candidates and the initiatives on the ballot so Oregonians \nhave plenty of time to not only study the issues but then fill \nout their ballots and get them back in to be tallied by the \nlocal election offices.\n    And there are privacy and security measures at each step of \nthe way. I was a trained election observer years ago and it \ngave me a lot of confidence to see each step of the way and to \nwatch that tally happen at the elections office.\n    So I wanted to ask you a little bit about are there lessons \nto be learned from a State like Oregon that does use vote by \nmail with a paper ballot for everyone and really with a focus \non the two different issues, there's the voter records and then \nthere are actually what happens at the--with the ballot and the \ntally, the voting machine, if you want to talk a little bit \nabout the lessons that can be learned from that system.\n    And then I also want to ask, Dr. Romine, I know NIST has \nmostly concentrated its work to date in standards development \nfor the actual voting machines, but you're now, I understand, \nworking to identify systems dealing with the voter registration \nsystems. So--and just before you respond, both of you--I know \nDr. Wallach mentioned something about the possibility of this \nselective disenfranchising of voters by deleting them from the \ndatabase. It's really easy in Oregon for anybody to check \nwhether they're still in the database, and getting the ballot \nearly means that there would be an early notice that, well, \nmaybe there was a problem assuming that somebody did get \nthrough a very secure system.\n    So, Mr. Becker, do you want to start and then Dr. Romine?\n    Mr. Becker. Sure. Thank you. The--you know, of course \nOregon and Washington have had long-time success with mail \nballoting in their States, and there are lessons that other \nStates are learning from that. Not every State is the same, and \nother States have reached different decisions about their \npopulation of that, and that's entirely appropriate.\n    But States like California and Arizona and some other \nWestern States offer the option of becoming a permanent mail \nvoter, which you have to check a box, but after that you'll \nreceive a ballot for every election. And I think very \ninterestingly, Colorado has experimented with a model--actually \nhas put a model in place that--California just passed a similar \nbill that is a hybrid of sorts where every voter gets a mail \nballot, but they can choose to mail that ballot in, drop that \nballot off at a drop site, go in for early voting at a vote \ncenter as Dr. Wallach mentioned, which is they can go to any \none within the county or they can even go on Election Day to a \nvote center and vote anywhere within the county. And they've \nseen some pretty strong initial successes there. So I think \nwe're----\n    Ms. Bonamici. But just to--I don't mean to interrupt, but \njust to clarify, in Oregon if somebody wants to go vote at \nelections--at the elections office on elections day, they can \ndo that. They can stand in the booth there and vote. Anybody \ncan do that.\n    Mr. Becker. Absolutely.\n    Ms. Bonamici. Most people don't because it's much easier to \nmail it.\n    Mr. Becker. Right, and I think like--I think the States are \nlearning from that experience and are trying to figure out \nwhat's best for their State based upon the successes that \nOregon and Washington and Colorado and other States have seen \nwith their particular systems.\n    I think also, importantly, you brought up the note between \nthe voter registration systems and the voting machines and \ntabulation devices themselves. And I think particularly with \nmail voting it's very important because the voter lists are the \nway to deliver a ballot to someone because that's the list that \ngenerates the mailing to the voters. Of course, in States where \nthey don't get ballots it's not that voters don't receive \nsomething else. They're usually receiving a card that's a \nreminder.\n    To the question earlier about chaos, which I think is a \nvery important question, I think there's been a lot of work, \ncontingency plans put in place by States to avoid chaos just in \nthe last 10 to 15 years. One thing that's true now is \nparticularly for Presidential election it's going to be very \nhard to avoid information about when the election is and what's \ngoing on. In fact, I'm guessing a lot of people right now would \nlike to get away from information about the election.\n    So whether it's the work that Facebook is doing pushing \ninformation out about it's Election Day, click here to find \nyour polling place, whether it's the work Google is doing the \nsame way, whether it's the work of many other tech partners and \nStates are doing partnering with those entities to make sure \nthat information gets out, that's all a great protective \nmeasure to ensure that if a voter does experience a problem or \nmight--think they might experience a problem, they can in \nadvance go and make sure that they're getting the right \ninformation.\n    Ms. Bonamici. Thank you. And, Dr. Romine, if you could \nbriefly tell us what NIST is doing with regard to the actual \nvoting machines now.\n    Dr. Romine. I think your question involved the whole \nlifecycle now from registration all the way through guidelines \nfor the voting systems. The voluntary voting system guidelines \nthat we work in collaboration with the EAC on involve the \nvoting systems themselves, but I think we have a decades-long \nhistory of security as a management of risk exercise, and I \nthink the States have taken that very seriously. Our \ninteraction with the EAC and with election officials in the \nStates suggests that they are managing risk to the voting \nsystems and to the registration systems in a way that \nincorporates the best practices that NIST has been promoting \nfor a number of years.\n    Ms. Bonamici. Thank you. I see my time is expired. Thank \nyou, Mr. Chairman.\n    Chairman Smith. Thank you, Ms. Bonamici.\n    And the gentleman from Georgia, Mr. Loudermilk, is \nrecognized for his questions.\n    Mr. Loudermilk. Thank you, Mr. Chairman, and thank all the \nwitnesses for being here today, a very important issue.\n    And rightly, we should be concerned about the integrity of \nour election system because we're only as good as the integrity \nof the selection system. After spending 30 years in the IT \nbusiness, this is something that is very important to me and an \narea that I do understand at least from the technological side.\n    Another area that I think we have to be very conscious of \nis the federal involvement because typically whatever we get \ninvolved with doesn't run as well as if a State is doing it \nthemselves, so I want to be very conscious of whatever role the \nFederal Government plays is very limited to--especially in an \nauthority stance.\n    But I do understand that we do have some things that we can \ndo as far as setting recommended standards, but recently, the \nSecretary of Homeland Security has reported saying that DHS is \nconsidering whether the state electoral apparatus should be \ndesignated as critical infrastructure. Dr. Romine?\n    Dr. Romine. Romine.\n    Mr. Loudermilk. --Romine, is this appropriate that--in your \nopinion?\n    Dr. Romine. Well, that's a policy decision that's way above \nmy pay grade so I don't have any input that I can provide you \nfor that.\n    Mr. Loudermilk. Well, I mean, do you have any idea what the \nbenefits or the disadvantages would be of declaring these as \ncritical infrastructure?\n    Dr. Romine. I can't speak to that. I know that NIST \nprovided a significant benefit in partnership with the private \nsector on the development of a cybersecurity framework for \nimproving the cybersecurity of critical infrastructures that \nhas received a lot of attention and a lot of accolades. But \nthat's not limited to critical infrastructures. Any \norganization of any size in any sector is free to adopt that \nframework.\n    Mr. Loudermilk. So you are working with DHS to help the \nStates understand the critical nature of their electoral \nsystems or----\n    Dr. Romine. Absolutely. We're partnering with DHS and with \nthe Department of Justice on trying to understand how we can \nensure widest dissemination of best practices to the States and \nmunicipalities. And as was mentioned earlier, request to DHS \nfor assistance is not predicated solely on whether you are \ndesignated as a critical infrastructure. That request can be \nmade without that designation.\n    Mr. Loudermilk. This includes cyber hygiene?\n    Dr. Romine. My understanding is it includes request for DHS \nto do scanning of systems, for example, but only upon request.\n    Mr. Loudermilk. So that would be voluntary? It'd be like a \nstress test on their system?\n    Dr. Romine. It would be----\n    Mr. Loudermilk. Are we applying lessons learned from the \nPresidential Commission on Enhancing National Cybersecurity in \nmaking these recommendations for the States?\n    Dr. Romine. So the Presidential Commission on Cyber \nSecurity has not yet reached the stage of finalizing the \nrecommendations, so those are not being incorporated in these \nguidelines. And I would put it sort of in the reverse in the \nsense that the commissioners are actually taking a look at best \npractices out in the field and discussions with the IT industry \nand with stakeholders around the country to try to develop the \nbest possible recommendations for the benefit of this \nAdministration and the next.\n    Mr. Loudermilk. So NIST's stance on this is to work within \nthe framework of the Federal Government to come up with \nrecommendations that the States may or may not implement and \nwith flexibility to where they can be customized to the States' \nindividual networks?\n    Dr. Romine. That is correct.\n    Mr. Loudermilk. Secretary Schedler----\n    Mr. Schedler. Yes?\n    Mr. Loudermilk. --how do you feel about that?\n    Mr. Schedler. Well, I do not think critical infrastructure \nis needed at all. I mean, as was indicated by Dr. Romine and I \ndid a little bit earlier, we can go to Homeland Security now, \nwe can get those tests by FBI. We have a committee--matter of \nfact, your Secretary of State Brian Kemp, who has been very \nactive in this whole process with several of us, is one of the \ncommittee members that we've appointed from NIST to serve on \nthe Homeland Security Committee and to do best practices and \nthe like.\n    So most States are cooperating with their local FBI agents \nwhen needed, and you know, again, I don't mean to be flippant \nbut do we really want to create a new TSA for elections in this \ncountry or a new Postal Service? I just don't think we need \nthat. The Constitution says very vividly that it's up to the \nStates for the time, place, and manner in which we conduct \nelections.\n    It is a constitutional issue, and I understand that from \nthe rhetoric that's not the intent, but to go and put the \nnational elections on par with the banking system and the \nelectrical grid, in my point--in my position is way overreach, \nunnecessary, and we can accomplish the same goals. It's not \nthat we don't want their support and assistance when we need \nit, but we can accomplish that in a far less intrusive way, I \nthink, if we just keep things on pat now.\n    And again, I think the answer is part of new equipment, new \nHAVA dollars, whatever it may be to improve these systems. \nWe're working on trying to get a system where you can vote \nanywhere in the State, just like was represented earlier.\n    So critical infrastructure would be an absolute--and I \nthink I speak again for--I don't know of any Secretary of State \nthat's voiced an opinion that they want to be part of that.\n    Mr. Loudermilk. Do you feel what NIST is doing is \nbeneficial to you?\n    Mr. Schedler. Yes.\n    Mr. Loudermilk. Do you feel in any way that what's \nhappening right now is a camel nose under the tent?\n    Mr. Schedler. No.\n    Mr. Loudermilk. Okay. All right. Thank you. I yield back, \nMr. Chairman.\n    Chairman Smith. Thank you, Mr. Loudermilk.\n    And the gentleman from New York, Mr. Tonko, is recognized.\n    Mr. Tonko. Thank you, Mr. Chair. And welcome to the \npanelists, and thank you for your information.\n    Mr. Becker, the 2014 Presidential Commission on Election \nAdministration recommended that audits of voting equipment be \nconducted after each election as part of a comprehensive audit \nprogram. According to verified voting, approximately 3/4 of \nvoters in November will be using voting machines with a paper \nrecord of their vote. And I'm--just share a concern perhaps \nabout the potential for mishaps or potential hacking for the \nvoting machines with no paper trail. Can you please describe \nthe role auditability plays in elections and the impact \nindividual voters casting their vote?\n    Mr. Becker. Yes, thank you. So in--we--of course, \nauditability is important. If--it's very helpful when there is \na permanent record created that should a count need to be \nreviewed for some reason--and in fact there's a process in \nplace to discover even if you're not sure whether the count \nneeds to be reviewed that you can discover that, and that's \nwhat a good postelection audit does.\n    In 2014, about 32 States offered--had a requirement for \npostelection audits. You know, I'll be honest. Some are better \nthan others. There's very good standard practices where States \npick random precincts across the State and check the paper \ncount against the electronic count. There's even something \ncalled a risk-limiting audit where you escalate the number of \nballots you have to count to ensure the result as the election \ngets closer, and these are practices that are put in place in \nmany States.\n    What we are seeing is that it is easier to audit a system \nwhen you have a permanent record, a paper record that the voter \nhas reviewed, and more voters are going to be voting on paper \nthan we've seen since HAVA was enacted. States like Maryland \nand Florida, which had used paperless direct recording \nelectronic devices, have switched. I believe this is actually--\nI'm a Maryland voter, but I--this is the first Presidential \nelection since the passage of HAVA where Maryland will be using \na paper ballot that's read via optical scan.\n    I've recommended for years--and States along with the \nPresidential Commission--that postelection audits are a good \nidea, and having a system that allows for full and transparent \npostelection audits and paper right now appears to be one of \nthe best systems for that, affords the best opportunity to \nensure that the election results are--do reflect the will of \nthe people.\n    Mr. Tonko. Thank you. And, Secretary Schedler, would you \nplease describe what you have in place in Louisiana in terms of \npostelection auditing, and how would you rate other States \noverall?\n    Mr. Schedler. Well, we do have a post-audit function. Now, \nwe do not have a paper ballot system after we are looking at \nthat when we go out for RFP next year on a new system, but we \ndo--of course, our screen under HAVA does--after you complete \nvoting, it pops up and gives you everything of who you--every \nperson you voted for, position you voted for. They give you one \nmore opportunity to rectify that if you want to change it or \nthere was an error.\n    What we see a lot on highly sensitive machines is an \nelderly person may be dragging their hand and it inadvertently \nhits the button below or a lady with long fingernails, \nsometimes it will have a problem, but you do have the \nopportunity to rectify that. But we do audit after every \nelection. We audit at the end of each day on early voting to \nascertain the correctness of the vote and basically balance the \nbalance sheets so to speak so----\n    Mr. Tonko. Right. And so you--there are the paper ballots \nthat you're devising an audit process for?\n    Mr. Schedler. That is correct.\n    Mr. Tonko. What are some of those factors in that audit \nthat you absolutely see essential? What--have you looked at \nother States and what they might be doing or----\n    Mr. Schedler. Right. We've actually gone out to Denver. The \ncounty of Denver has a very similar situation that is now being \nused in California and other States with the paper ballot where \nthe majority of folks actually want to bring that ballot in and \nput it into a box so to speak at a site. So we've looked at \nthat system.\n    We've looked at the printing of a paper ballot instead of \non the screen that would go into a locked box. I would be \npersonally against that voter taking that ballot out of the \nprecinct. I think there's one State that does that.\n    But overall, to answer your question, I mean I think the \nsystems are sound, but everyone has to remember every State is \ndifferent, and that--I think that's the uniqueness of the \nsystem, a lot of similarities, but each State is very unique in \nthe way they do their elections. Some may have a week of early \nvoting, some may have 30 days. Some States have no early \nvoting, and that is the prerogative of that State.\n    Mr. Tonko. Thank you very much. Mr. Chair, I yield back.\n    Chairman Smith. Thank you, Mr. Tonko.\n    Mr. Davidson is recognized.\n    Mr. Davidson. Thank you, Mr. Chairman.\n    Dr. Wallach, your testimony addresses the possibility of \ninserting malware into voting machines themselves. Can you \nelaborate on how malware could be loaded onto machines that are \nnot connected to the Internet and further explain what it means \nthat each and every single voting machine has to be \nmanipulated? Or is there a different way where you could just \nhack one machine and that would transmit a bug to other \nmachines in the precinct, again, even though they're not \nconnected to an Internet?\n    Dr. Wallach. Sure. So before we had an Internet, we had \ncomputers with floppy drives and there were computer viruses \nthat could spread from one computer to another over floppies. \nElectronic voting machines, some of them use memory cards, some \nof them have these big battery packs, some of them have local \narea networks.\n    Studies conducted in 2007 by the State of California State \nof Ohio, State of Florida found security vulnerabilities that \ncould take advantage of these to engineer viruses where one \ncompromised voting machine could then infect eventually the \nentire fleet of machines for an entire county.\n    Mr. Davidson. Okay. So, you know, it's accurate to say that \njust because something is not connected to the Internet, it \ndoes not have vulnerability to cyber attack?\n    Dr. Wallach. Being disconnected from the Internet helps, \nbut it's not a panacea.\n    Mr. Davidson. Okay. Perhaps as Secretary of State, Mr. \nSchedler, you could talk about--I spoke with our Secretary of \nState Husted about their protocols, but perhaps you could \nelaborate on how do your procedures protect against that risk \nshould something like that occur?\n    Mr. Schedler. Well, I think it's important to remember \nthat, you know, we never link machines together. I know that \nsome new systems that are being touted like a Wi-Fi and if you \nhad a multiple-precinct site where you have a Wi-Fi, now that \nto me is a little scary.\n    But when you consider the concept of each individual \nmachine has a cartridge that's delivered by my office--now, \nwe're a top-down system. We're not by county in Louisiana so we \nare vastly different. But--two or three days before, we \nliterally deliver all the cartridges for all 10,000 machines to \nthe various parishes, counties, to the clerk of court. The \nmorning of the election--and we--when we deliver a secure \nlaptop that is our equipment, it's not used to go shop on \nAmazon or anything else.\n    And the morning of the election the commissioner in charge \nfor that precinct picks up those cartridges and puts that \ncartridge individually into the machine, turns the machine on, \nand at the end of the night that cartridge is retrieved. It is \ndriven back to the clerk of court with a sheriff's escort \nusually, and it's imported into that laptop. And it is on a \nclosed-circuit line sent to my office in Baton Rouge.\n    Mr. Davidson. Okay.\n    Mr. Schedler. So, I mean, it is a little bit different, but \nto my knowledge no State interlocks machines so the concept of \ngetting into one machine with one cartridge and you \nmiraculously change all 10,000 across the State is ridiculous \nbecause you'd have to go into each machine individually and \nyou'd have to have the programming.\n    Mr. Davidson. Right. So in your system you have one card. \nOhio system is similar. You have one card goes to one machine.\n    Dr. Wallach, you mentioned a case study in Ohio. Perhaps \nyou could elaborate on what that real vulnerability is.\n    Dr. Wallach. Right, so the study in Ohio was called \nEverest, I believe. The similar study in California was called \nthe Top-to-Bottom Review. I was part of the Top-to-Bottom \nReview. And each of these studies found ways that regular poll \nworkers and election officials going through their standard \nprocedures and standard operations could unwittingly be used to \ntransmit viruses from one machine to another through the \nmotion--typically, at the end of the Election Day you move a \nmemory card through each of the machines in the precinct, and \nthat's to collect the vote totals. That process can spread a \nvirus. And there are other processes. The details vary from \nmachine to machine.\n    Mr. Davidson. Would a centralized federally controlled \nnational voting infrastructure increase or decrease that risk?\n    Dr. Wallach. That depends how it was built. I've been \nworking with Travis County on trying to design something new \nwhere this wouldn't be a problem. The system that Los Angeles \nCounty is working on, this wouldn't be a problem. The reason \nwhy is because they generate paper backups--or rather paper \nballots, which could then be audited against any electronic \nresults.\n    Mr. Davidson. The machine itself has memory, the card has \nmemory, and it prints a roll tape that stays secure inside the \nmachine and you can audit any one of those, so it's a good \nsystem in Ohio. It's been tested a lot. And Ohio will likely be \nfront and center again in this election.\n    Dr. Romine----\n    Dr. Romine. Romine.\n    Mr. Davidson. Romine, sorry. You stated in your written \ntestimony that the NIST voting programs partnered with the AC \nto develop the science tools and standards necessary to improve \naccuracy, reliability, and usability and security of voting \nequipment used in federal elections for both domestic and \noverseas voters. How do you measure these improvements? How do \nyou quantify them? Are there qualitative, quantitative \nmeasures?\n    Dr. Romine. There are both. I don't have the details today \non exactly the measurement of those improvements. I'd be happy \nto provide those to you. I think the issue, to a large extent, \nhas been listening to the accessibility community. The human \nfactors research that we've been able to do demonstrates \ncertain kinds of changes that can be made to improve the \naccessibility and the usability of electronic voting systems, \nand we've documented those in various reports. I can give you \npointers to those reports for the way in which those systems \nhave been improved.\n    Mr. Davidson. Okay. Aside from identity theft--my \napologies. My time is expired.\n    Chairman Smith. Thank you, Mr. Davidson.\n    And the gentlewoman from Maryland, Ms. Edwards, is \nrecognized.\n    Ms. Edwards. Thank you, Mr. Chairman. And thank you to the \nwitnesses. I apologize I had to step out for a bit, but I came \nback because this is a really important subject to me.\n    I just want to be clear--and a yes or no answer from each \nof the witnesses would really help. Is it your--do you concur \nin the belief from the Department of Homeland Security that it \nwas Russian state actors who hacked into both the Illinois--or \nattempted Arizona and also the party hacking that occurred \nearlier in the year? Dr. Romine?\n    Dr. Romine. I have no information on that other than what's \nin the press.\n    Ms. Edwards. Secretary Schedler?\n    Mr. Schedler. Well, I mean the only thing I know of the \nRussian is the DNC issue. I don't know if they've ever \ndetermined where it came from in Arizona or Illinois.\n    Ms. Edwards. Thank you. Mr. Becker?\n    Mr. Becker. Yes, I don't have any specific information. \nI'll defer to the national security professionals on that.\n    Ms. Edwards. And you believe they're capable of making that \ndetermination based on the signature or whatever?\n    Mr. Becker. I can't answer that without knowing the \ninformation they have. I don't have any information to the \ncontrary to support it.\n    Ms. Edwards. Thank you. Dr. Wallach?\n    Dr. Wallach. I only know what I've read in the press.\n    Ms. Edwards. Thank you. And, Dr. Romine, in fiscal year \n2016, NIST received about $1.5 million in appropriations from \nthe EAC. That is down from your budget of, I think, about $2-3 \nmillion in the previous couple of fiscal years. Do you think \nthat that's sufficient for you to be able to provide the kinds \nof certifications that you need of election systems?\n    Dr. Romine. So let me clarify by saying NIST doesn't do \ncertifications of systems. We do provide support through the \ndevelopment of guidelines in partnership with the EAC, and we \nalso provide assistance to the EAC in the voluntary laboratory \naccreditation program the testing laboratories that do test \nequipment for certain--some States who choose to do that.\n    Obviously, the--you know, the truism you can do more with \nmore, but we believe that the current budget that we're \nreceiving is adequate for us to continue to provide expert \nadvice in security and interoperability for voting systems.\n    Ms. Edwards. Thank you. And, Mr. Becker, in--you--in part \nof your testimony you indicated that the--I think it was your \ntestimony that the technologies that we're using for these \nvoting systems is now about a decade old for an awful lot of \nthese systems. Can you share with us what you believe, if \nyou've analyzed it, what would need to be an updated version of \nHAVA that would enable us to keep--to really keep track with \nthe technology developments?\n    Mr. Becker. Yes, and I think that might have been Dr. \nWallach who said--who made one of those points. The--of course \nthe--there is a rash of bought purchasing new equipment right \nafter HAVA passed with a funding model that came through as a \nresult of that. We've already seen some States like our State \nof Maryland and like Florida go to a second system after using \nthe HAVA dollars.\n    I think in talking with the States there is a great desire \nto be able to leverage new technologies that will improve \naccess, as well as the integrity of the systems, that will also \nbe cheaper to maintain and that--I don't have a specific dollar \nfigure. If we were to replace all these systems nationwide, \nit's definitely in the billions.\n    But, you know, to build--to encourage systems that are more \ncomponent-based that use more off-the-shelf components that are \neasier to swap in and out so that you don't have a system that \nhas a 10-year-old touch screen that you can update the touch \nscreen as--with just the touch screen as it happens, I think \nthat be a huge advantage to election officials. And if they had \nresources to do that, I think you'd find them doing some really \nexciting things.\n    Ms. Edwards. And, Dr. Wallach, because--I apologize. That \nwas your testimony.\n    Dr. Wallach. Sorry. No problem. Part of what--so I've been \nworking with Travis County for four years now on trying to \ndesign a better voting machine, and very much our intent is to \nuse off-the-shelf hardware with custom software to the extent \nthat we can for exactly that reason. When you buy a giant touch \nscreen computer from Hewlett-Packard, Dell, insert your \nfavorite tech company, you can get cheaper warranty support, \nyou can replace the machines whenever you need to, and that \nhelps reduce your maintenance and ongoing support costs.\n    Ms. Edwards. Doesn't it increase your vulnerability though?\n    Dr. Wallach. Not necessarily. The design of these systems, \nfirst and foremost, produces a printed paper ballot. So no \nmatter what goes wrong with the computer, you have these \nprinted paper ballots that the voters can see and verify. And \neverything else on top of that is gravy.\n    Ms. Edwards. Thanks. And then just as a conclusion, I want \nto thank Secretary Schedler because I think in your testimony \nyou indicated that the Secretaries of State across the country \nhave great confidence in this election, and I think that's an \nimportant message to convey to voters so that we can make sure \nthat we don't, with all of this talk, depress voter turnout. \nAnd so thank you very much for your remarks.\n    Mr. Schedler. Yes, ma'am. I appreciate that. And I know I \nspeak for all of them. We're very concerned about the rhetoric \nat this time.\n    And if I could just add on the cost issue, I do have just \non Louisiana, currently, we have roughly 10,000 voting machines \nthat cost roughly or did cost $5,200 each on under HAVA so \nthat--to replace those by today's dollars, if you could get the \nmachine--which you can't--$152 million.\n    If we went to a system similar to what Mr. Becker just \nindicated to you--and I'm overly simplifying an iPad concept, \nwhether it be proprietary or store-bought, less than $300 each. \nNow, you do need two to three per machine so the hardware costs \nfor us in Louisiana, $152 million on the replacement if you \ncould get it, roughly $50-60 million, 1/3 of the cost. And 75 \npercent of it is in the programming cost. The hardware is only \n10 or $11 million.\n    Chairman Smith. Thank you, Ms. Edwards.\n    The gentleman from Illinois, Mr. LaHood, is recognized.\n    Mr. LaHood. Thank you, Mr. Chairman. I want to thank the \nwitnesses for being here today.\n    In my State of Illinois we've had a lot of changes in the \nlast several years. We now have same-day voting registration, \n40 days of early voting, extended grace periods, absentee \nvoting has a lengthy period of time. And couple that with some \nof the issues we've had particularly in Chicago over the years \nwith issues related to voting there, I guess in terms of \neducating poll workers or training poll workers or election \njudges and looking at methods, particularly as it relates to \nthe integrity of voting on Election Day and as we look at \npotential hacking of machines, I mean, is there a good model \nout there that has worked in terms of how we educate folks that \nare there at the polls?\n    I'll also mention in a prior life I was Assistant State's \nAttorney in Cook County in Chicago. On Election Day, we would \ngo out as prosecutors and be there at the voting booth. And a \nlot of times we didn't know what we're looking for or what we \nwere supposed to be doing.\n    And I guess, Secretary Schedler, can you maybe shed a \nlittle light on examples of what we need to be doing in terms \nof educating and working with our folks that are at the polls \non Election Day?\n    Mr. Schedler. Well, training is paramount. That came out in \nthe Presidential Commission to all Commissioners or poll \nworkers, whatever you want to refer to them as. We do a strong \neducation component at the clerk's level. We assist with that. \nWe have a very unified videotape that we use so we have \nconsistency across the State. But we do heavy training and \ncertification, and we require them to get certified annually. I \nthink that's a huge benefit because the better trained, the \nbetter experience you're going to have on voting day.\n    We also use people in voting lines, especially at larger \nprecincts for questions or promoting that GeauxVote app where \nyou could let individuals take a look at a mock ballot and \nactually mock vote that ballot on that phone to use as a guide \nto shorten lines and have a better experience in the voting \nbooth.\n    And the other thing that to me is a strength of poll \nworkers and your voting boards in counties in regards to the \nsubject we're talking about today, we all know our poll \nworkers. They've been there a long time in most cases, great \nAmericans. They do it for love of country, love of the \nexperience. They don't do it for the money, that's for sure. \nAnd if you could just think about the greatest deterrent is \nthat both Democratic, Republican poll workers together, do you \nrealize if someone was going to affect an election, they'd have \nto go against that 80-year-old lady that's been there 30 years? \nI don't think that's going to happen whether they're Democrat \nor Republican.\n    And to me that's one of the hidden jewels in our system, \nwhether you have the best state-of-the-art equipment or \nwhatever we have, you've got people on the ground with two eyes \nand they're looking at the process. They know the process. And \nto me that's the strength of the American system at its core. \nAnd it's really fundamental. It's the same way we did it 240 \nyears ago. And I just think that that's something that we need \nto recognize in this whole debate.\n    Mr. LaHood. And just as a follow up on that, the level of \nwhat you go through in Louisiana, are you confident that that \ntype of education and training is consistent across the \ncountry?\n    Mr. Schedler. That I couldn't speak to. I think it's \ndominant across the country, but I wouldn't say every State \ndoes it that way.\n    Mr. LaHood. And, Dr. Wallach, with all these changes we've \nseen recently with voting and how we vote--and I went to the \nlitany there--what is the future of voting look like?\n    Dr. Wallach. Well, I think what we've learned today is all \nthe 50 States will be voting differently, and it's hard to make \na broad-brush statement. I think that there will be a lot of \nhand-marked paper ballots scanned by machines. There will be a \nlot of computer-assistive technologies available, and there \nwill be some States that are voting by mail and that's okay.\n    Mr. LaHood. Thank you, Mr. Chairman.\n    Mr. Babin. [Presiding] Thank you.\n    I now recognize the gentleman from Virginia, Mr. Beyer.\n    Mr. Beyer. Thank you, Mr. Chairman.\n    Mr. Becker, I think in your comments you stated and wrote \nthat there are 20 States in this Electronic Registration \nInformation Center that you helped found. Why not 30? And then \nhow do we motivate the other 30 to be part of it? And is there \nany suggestion that we'd ever require that?\n    Mr. Becker. I feel like I planted that question with you, \nand just for the record I--we've never talked about this \nbefore.\n    So the Electronic Registration Information Center, ERIC, is \na data center that States voluntarily choose to join, and they \nshare information so that they can identify when a voter record \nis out of date so they can notify that voter, make sure that \nvoter gets the right information at their new address and also \nreach out to all the people who are eligible to vote but aren't \nyet registered and direct them to the easiest way to register. \nIt was founded in 2012 with just seven States, so it's only \nfour years old, and now 20 States plus DC. are in it so I think \nthat's pretty good for a--you know pre-K 4-year-old.\n    But certainly, you know, we are working very hard with the \nStates that are already in it, including Virginia, who was one \nof the founding members, to see more States join. And as the \nword gets out, States like Virginia and Louisiana and many \nother States are spreading the word that this is helping them \nkeep their voter rolls up to date and, in turn, what that's \ndoing is actually reducing costs and increasing integrity \nbecause they're not sending mail out to people who no longer \nare there.\n    The Presidential Commission on Election Administration, of \ncourse, did recommend that States join systems like ERIC, and \nthat has been a tremendously positive influence. And I think by \nthe time we get to the 2020 election I think we will be at more \nthan 30 States, as I've talked to other States around the \ncountry.\n    Mr. Beyer. Great. A parallel question for Dr. Wallach. In \nMr. Becker's testimony, he talked about how the postelection \naudit requirement that mandates States match paper to digital \nis only 32 States doing this right now. And you wrote the mere \npossibility of a recount or audit of the paper ballots acts as \na deterrent, dot, dot, dot. So what do we need to do with the \nother 18 States that don't have this post-audit reconciliation \nof paper and electronic?\n    Mr. Wallach. Well, I'm certainly a big fan of reconciling \npaper and electronic records when you have both. Many of the \nStates, that's not an option because you don't have paper \nrecords like, for example, the entire State of Georgia votes \nentirely on electronic machines without any paper records. So \nthere's no way to do a meaningful audit. I would love to see \nthe sun-setting of those machines and replacing them with the \nnext generation of machines that will have paper.\n    Mr. Beyer. There was the mention that we have $396 million \nof authorized but un-appropriated HAVA money. Is that enough to \nreplace the old machines, the bad machines?\n    Dr. Wallach. I'm not sure. If we could do it on a \nshoestring or if we'd do better to spend more money and do it \nproperly. I don't have a good answer for you today.\n    Mr. Beyer. Thanks. Many of you wrote about how the machines \naren't connected to the Internet. So, Secretary Schedler, if \nthey're not connected to the Internet yet, Dr. Wallach pointed \nout that they are at the time of initialization and tabulation. \nI think someone else pointed out that they're usually connected \nto the voter databases, you know, 365 days a year. So how--is \nthat actually a strength that we can talk about that we're not \nconnected to the Internet, or are those holes at initialization \nand tabulation----\n    Mr. Schedler. I would think it's a strength because, as I \nlook to the--I mean, people--the most common question asked of \nme is, Secretary Schedler, when are we going to be able to vote \non the Internet? And my answer is I hope never because the \nworld is evolving and we see it. I mean, the Department of \nDefense gets hacked into. Everything gets hacked into. And \nthat's why I'm so adamantly--I want to keep it with the States \nto decentralize it, make it much more difficult. But the day we \ngo on the Internet, all bets are off as far as in elections.\n    Now, I want to caveat the comments. There are a couple of \nStates that do allow a return of an overseas military ballot \nvia the Internet. I think four, I believe, Alaska being one and \nI don't know--remember the other three. So I want to clarify \nthat. Now, that's a small percentage of the overall vote. But \nthey do allow a return of--but I will say this in defense of \nthat, although we don't do it, it is a secure--you know, \nmilitary--they have to get a pin, you've got to have access. \nYou just don't just send them an email and here it is. They \nhave to get access and have ability to open that file up and do \nsomething with it. So it is a little bit different. But \ncertainly, under the argument and discussion we're having \ntoday, could be vulnerable.\n    Mr. Beyer. Great. Great. Thank you, Secretary.\n    Dr. Romine, a quick question. On this postelection audit \nrequirement of reconciling paper and digital is--will--is this \na NIST suggestion or a NIST standard or should it be?\n    Dr. Romine. Part of the voluntary voting system guidelines \nthat we worked with in the EAC was a strong recommendation that \nthere be an auditability or audit capability, and certainly \npaper records provide a really robust way to do that, but it \ndoesn't mandate specifically paper records.\n    Mr. Beyer. Okay. Thank you very much. Mr. Chair, I yield \nback.\n    Mr. Babin. Thank you.\n    I now recognize myself for five minutes.\n    Secretary Schedler.\n    Mr. Schedler. Yes?\n    Mr. Babin. By the way, I just spent two days in Baton \nRouge, and my heart goes out to you----\n    Mr. Schedler. I thank you for----\n    Mr. Babin. --and your State.\n    Mr. Schedler. --coming. I came back with Representative \nHoneycutt. I came to Washington yesterday with him----\n    Mr. Babin. Right.\n    Mr. Schedler. --with Garret Graves and Steve Scalise, flew \nwith them, and he had the same expression to me so----\n    Mr. Babin. Unbelievable. I represent the 36th District in \nTexas right across the Sabine so--and we had--in March we had--\n--\n    Mr. Schedler. Well, you all know shares of rain, too.\n    Mr. Babin. Absolutely. But I've never seen anything like \nthat.\n    Mr. Schedler. No, it was pretty--30 inches of rain in some \nspots, 25, 30----\n    Mr. Babin. Absolutely.\n    Mr. Schedler. --inches of rain.\n    Mr. Babin. In a population center like that.\n    But I'd like to ask you a question. You stated in your \ntestimony that ``I'm happy to report there's no evidence that \nballot manipulation has ever occurred in the United States as a \nresult of the cyber attack.'' And, Dr. Wallach on the other \nhand states that ``If our paperless electronic voting systems \nwere attacked, we'd be unlikely to see evidence of it in the \nvoting machines or tally systems.''\n    So I just want to hear both of your opinions on this \nmatter. I'm not trying to start----\n    Mr. Schedler. No, no, no.\n    Mr. Babin. --any problem.\n    Mr. Schedler. I know you're not trying to start a war----\n    Mr. Babin. Yes.\n    Mr. Schedler. --or anything. I'm a pretty simplistic kind \nof guy----\n    Mr. Babin. Okay.\n    Mr. Schedler. --you can see in my delivery. I asked a \nsimple question and I do not profess to be an IT expert, but I \ncome at the derivative of saying if you're not on the Internet \nwith voting, how do you hack into the machines? And I'm just \ncoming at it very simple----\n    Mr. Babin. Yes.\n    Mr. Schedler. --apple pie. I don't know much more than \nthat, but if you're not on the Internet out in the cloud how do \nyou hack it? If they're individual machines with cartridges----\n    Mr. Babin. You bet. Thank you. Thank you. And, Mr.--Dr. \nWallach?\n    Mr. Schedler. If he gets deep on me, I'm not going to be \nable to argue with him.\n    Mr. Babin. Thank you.\n    Dr. Wallach. Right. The example that I think we can look to \nto understand this was the Stuxnet virus, which was apparently \nengineered to damage the Natanz nuclear refinement facility in \nIran. That nuclear refinement facility was also meant to be \nsecure. It also was not connected to the Internet, yet somehow \nthis Stuxnet malware was able to do its job. We don't know many \nof the details, but it's quite clear that where there's a \nwill--and presumably a budget--then there's a way.\n    I don't know whether our nation-state adversaries have \nchosen to make that investment, but I know that it's \ntechnically feasible to mount these sorts of attacks and that's \nwhy it's important to take mitigations and defensive steps \nagainst them.\n    Mr. Babin. I agree with that. I sure do. Thank you. Thank \nyou very much.\n    The next question would be for you, Dr. Wallach. Is it \npossible for someone to conduct a cyber attack in case of \nvoting or election systems while pretending to be Russian, \nChinese, North Korean hackers so as to falsely assign blame for \nthe hack on a foreign nation? And have you ever come across any \ninstance of such in your experience?\n    Mr. Wallach. So the issue of attribution of cyber attacks, \nbroadly speaking, is a well-known problem and nation-state \nactors will pretend to be other nation-state actors for exactly \nthe purpose of trying to throw off attribution.\n    Mr. Babin. Yes.\n    Dr. Wallach. So I am not privy to however we have this \nRussian attribution. I have to assume that the people who said \nthat know what they're doing.\n    Mr. Babin. Okay. And then, Secretary Schedler, one more for \nyou. Considering the range of vulnerabilities--and this follows \nup on what you said just a second ago--the range of \nvulnerabilities that exist for electronic systems, do you think \nthat more States will eventually return to paper ballots? And \nif so, can you explain to us how paper is the more secure \noption?\n    Mr. Schedler. Well, there seems to be a trend if you \nconsider a trend what four States, five States now, but in many \ncases it's done for cost reasons also. I mean, you have to \nfactor that in.\n    Mr. Babin. Right.\n    Mr. Schedler. I'll say this. You have to have some other \nprotections, and I think Oregon and some of the others do, but \nI mean I've always said that the best way and easiest way to \nperfect fraud is right here in my hand.\n    Mr. Babin. Yes.\n    Mr. Schedler. You know, when I mail out a paper ballot, I \nhave no earthly idea who actually votes that ballot. I may be \nable to verify a signature, but I can tell you that we've had a \ncouple of cases in Louisiana on mail ballots with frail and \nelderly in a small jurisdiction where the individual canvassing \nthe area goes to Ms. Suzy and Mr. Joe's house, knocks on the \ndoor, says, oh, can help you fill out your mail ballot? And \nthey do. Need I tell you how they vote? We caught one guy. \nInstead of keeping the addresses of 15 elderly people, he sent \nit from his campaign headquarters.\n    But the point being, you have to have some checks and \nbalances even under that system even if you're verifying the \nsignature with electronic machine or signature, not naked eye. \nSo I always contend that this right here is the easiest way to \nperfect fraud in the system. Now, it doesn't mean that it's \nwrong to do it because I'm very respectful of other States and \nhow we do it.\n    But I will just say this. In the entire subject matter we \nhad HAVA dollars ten years ago, and I think this will set the \nstage with sparse dollars in States and in this country at this \ntime. We have $386 million of un-appropriated HAVA dollars \npurportedly still out there. I gave you an example of what are \nthe costs to replace Louisiana systems. So $394 million may go \na long way, if not completely retool all 50 States with \nassistance from the Federal Government.\n    But we can put layer on top of layer on top of layer of \nwhat ifs and what have you, and as long as you all can write \nthe check, we'll do it. But at some point you've got to use \npracticality here, and I am again--myself, and I think I speak \nfor all 50 of us--we are very confident in the system we have. \nWe have trifecta backups, audits and the like, and even under \nsome of the worst-case scenarios that I've heard here today, I \nam still very confident that you may not have results November \n9 if catastrophe hits, but if you're a little patient with us, \nwe'll get you the results and you'll have a new President of \nthe United States.\n    Mr. Babin. That's a good answer. Thank you. And I know I'm \nout of time, but, Dr. Wallach, just as short as you can, what \ndo you consider the chances with many States going back to the \npaper ballots?\n    Dr. Wallach. Well, if for no other reason than electronic \nvoting systems are very expensive, as the Secretary told us \nearlier----\n    Mr. Babin. Right.\n    Dr. Wallach. --and paper systems are cheaper, and for that \nreason, if nothing else, while these electronic systems are \nwearing out, we're moving to paper sort of by default.\n    Mr. Babin. Okay. All right. Thank you.\n    Let's see. I recognize the gentleman from Illinois, Mr. \nLipinski.\n    Mr. Lipinski. Thank you. And I thank all the witnesses for \nyour testimony. And I have--I'm not sure if I can get to my \nquestions because some other ideas came to mind as you're \ntalking here. So let me ask a couple things here so I better \nunderstand. I know States--everyone does it differently, and \nthe idea of not having our--the machines directly connected to \nthe Internet makes sense.\n    But, for example, if you do have a voting machine, you're \nvoting, usually then at the end of the day when the votes are--\npolls closed, votes are tabulated, how are those votes then \ncommunicated then from the polling place? So--because I would \nexpect that they are done oftentimes over some sort of \nconnection to the 'net.\n    And then the other part of that is I go online election \nnight and I'm looking at the results coming in so I can go \nonline and connect in at least to see the results that they're \ndisplaying. So hopefully, I'm not displaying too much lack of \nunderstanding here, but aren't there some connections there to \nthe Internet that are going on?\n    Mr. Schedler. Not--no. Each machine has a separate \ncartridge and it's independent. They're not--none of those \nmachines are linked together. And to answer your question, what \noccurs at the end of that night is that cartridge is retrieved \nfrom that machine. It is taken to the clerk of court or the \ncentral location in that county--at least in the parish in \nLouisiana--and it is put into a secure laptop and transmitted \non a closed-circuit line, not on the Internet.\n    Now, we do have--I mean, there's other systems. There's a \ntape on all machines that we can replicate. If a court \nchallenge to an election--I can't tell you how you personally \nvoted but I can certainly tell you if you voted and I can \nreconcile that tape. And there's one other method. Even in the \ntransmission of those results on the nightly news that you \nreferred to, there is a delay and there is a reason why we have \nthat delay, to be able to detect any interference in that \nprocess.\n    And again, even it occurred, delaying in getting you \nofficial results--because keep in mind on election night the \nresults are unofficial. We all know that from being elected. \nThe news media is out there declaring winners before the polls \neven close. That's their job. Our job is to make it accurate \nand effective.\n    Mr. Lipinski. Well, that's good to hear. Is this--is that \nthe common way it's done everywhere?\n    Mr. Schedler. Yes, sir, pretty much. That's--to my \nknowledge, it's the way everybody does it.\n    Mr. Becker. Yes, I can't speak for every place, but in the \nplaces I know of, they actually physically transport the \ncartridges or the memory devices with the counts that occurred \nin the precinct to the county office, which is often a \nfrustration for people who are looking for election results \nbecause if they hit traffic or something like that, there's \ngoing to be a delay in getting those results. And only at that \npoint--and most of these devices or many of them at least have \nduplicate cartridges as well, so one of them will go to the \ncentral count to be incorporated and you can check them.\n    This is not completely foolproof and this--but it's--the \nproblem that we often see is that voters get frustrated because \nthere's a little bit of a delay in getting it because there's a \nphysical transportation of the memory cartridges.\n    Mr. Lipinski. And I think that--hopefully, that helps \nalleviate a lot of concerns that people do have that you--it's \nnot being transmitted electronically in the way that can be \nhacked into.\n    One other question that I had, the paper tapes I think \nare--certainly, I agree--a great idea. How often, though, and \nat what point would there be a check of those against the \nelectronic numbers?\n    Mr. Schedler. It usually dictates--I mean, it's usually \ndictatable by the closeness of the election. I mean, usually a \nchallenge or if there was some major malfunction, but typically \nit's triggered by a challenge by a candidate, someone, you \nknow, wins by 10 votes or loses by 10 votes, challenges that \nand requires a recount to be taken.\n    We are also very public with the certification of our \nmachines or you as a candidate or a campaign can watch us \ncertify those beforehand in the warehouse and also when we \nreopen those machines to recertify candidates are allowed to \ncome in or representatives to actually watch that process and \nto watch all that matching go on.\n    I gave an--I testified last week at the EAC on this \nsubject, and if you can bear with me a minute, it probably is a \ngood representation of your question. I watched in utter awe \nwith major networks with an individual that was claiming he had \na handheld device that he could put early voting cards into and \nvote as many times as he wanted. Now, I don't argue the point \nthat you can have a piece of machinery like that. They do it at \ngasoline pumps and the like. But what I did question was in the \nearly stages they never, ever brought in anybody that ever \nconducted an election to dispute that.\n    And you have to allow for an early voting site that someone \nis going to sit there and watch as somebody keep injecting a \ncard--how times are they going to vote? We have time limits in \nmost States. But at the end of the day, even if you have that \npiece of equipment, you still have to have the programming of \nwhat engaged that card. And at the end of the day, if there \nwere 100 people they came in to early vote by signature next to \nyour name and we had 106 votes, we're going to be able to \ndetermine by that number on that card that you don't see of--\nthat you voted six times. We don't know how you voted, but we \nknow you voted six times so we'll catch you.\n    Mr. Lipinski. I am from Chicago, though.\n    Mr. Schedler. I'm from Louisiana. We've got a lot in \ncommon. But we've cleaned that act up.\n    Mr. Lipinski. Similar.\n    Mr. Schedler. We no longer throw ballot boxes in the \nMississippi River. We don't do that anymore.\n    Mr. Lipinski. We have a big lake to do that.\n    Thank you very much. I yield back.\n    Mr. Schedler. Thank you, sir.\n    Mr. Babin. Yes, sir, thank you.\n    I now recognize the gentleman from Illinois, Mr. Hultgren.\n    Mr. Hultgren. Thank you all for being here. This is such an \nimportant subject. I don't know if anything more important than \nmaking sure that our ability to vote is protected and that we \nfeel confident that everything is being done to make it open \nand accessible to everybody and using technology to do that but \nat the same time making sure that we're protecting information \nand protecting that confidence that our voting booths are \naccurate and are being abused in any way. So I really do want \nto thank you for being her. Thank you for your work.\n    It's certainly clear the nature of our increasingly \nconnected world has opened up new vulnerabilities which were \noriginally unforeseen. It's also brought about new great things \nthat we all can agree improve our lives, the functionality of \nour democracy, and it does it in ways in which we can exchange \ngoods and services with each other as well.\n    A little over a year ago, I had a chance to visit Estonia \nwith a group of my colleagues and saw many of the innovative \nways they are integrating technology into their government \nservices. They actually have online voting in many elections \nand most forms and bureaucratic paperwork are submitted online \nin more easily searchable formats.\n    While this is encouraging to me, I also realize that \nEstonia has as many people as New Hampshire or Maine, so there \nare things they can do differently than we as a country of \nalmost 330 million people can do. So our States still need to \nhave the flexibility to innovate and the Federal Government's \nrole should be assisting but not passing down new unfunded \nmandates on them which we hear--I hear so often from my \nconstituents and my local government officials and the \nchallenges they face.\n    Dr. Wallach, if I could address my first question to you. \nRegarding the recent cyber attacks on the voter registration \ndatabases in my State Illinois and also in Arizona, why would \nan individual or an organization want to hack into States' \nvoter registration information? Are they looking for the same \nkind of information other data breaches in the retail sector or \njust personal information or what's the purpose behind these \nattacks?\n    Dr. Wallach. So there's a lot of different motives that we \ncan ascribe. If we're talking about garden-variety, you know, \nidentity theft, they just want to have the information in the \ndatabase. If we're talking about the nation-state actors, their \nmotive could be to get information, but a lot of that \ninformation is available through other channels. It could be to \ntamper with information, and we've talked at length about the \nsort of chaos that you could potentially cause.\n    Mr. Hultgren. Specifically with tampering, once a hacker \nhas gained access to a database, would it be possible to add \nfictitious voters or delete legally registered voters?\n    Dr. Wallach. If it's a database on a computer, it's \npossible to do all of those things.\n    Mr. Hultgren. Yes. Okay. Dr. Romine, I wonder if I could \naddress a couple questions to you. Is the walling off and \nprotection of voter registration databases part of the \ntechnical guidelines for NIST?\n    Dr. Romine. The voluntary voting systems guidelines are \nprincipally for the voting systems themselves. However, we do \nhave other guidance that my organization has developed over the \nyears to protect information systems broadly, and this would \nfall under that category. And I think, yes, separation there is \na legitimate way of trying to prevent certain kinds of \ninteractions.\n    Mr. Hultgren. So that separation is happening or is it----\n    Dr. Romine. What's actually happening in the States is \nsomething that I'm not privy to.\n    Mr. Hultgren. Also, Dr. Romine, from what is known, what \nkind of guidance for protecting voter registration databases \nwere in place in the two affected States that I mentioned \nearlier, Illinois and Arizona, and will NIST be considering \nupdates to its technical guidelines to include voter \nregistration databases?\n    Dr. Romine. I think we will be considering that with regard \nto our partnership with the EAC to provide guidance to the \nStates and municipalities for protecting voting systems with a \nbroader remit perhaps as one way to look at it. The guidelines \nthat we have in place for IT systems have been developed over a \nnumber of years and involve integrity checks, identity \nmanagement issues, and other things that can protect \ninformation and information systems. And so the cybersecurity \nframework that I alluded to earlier helps to--helps \norganizations to craft a way to manage risk in this space.\n    Mr. Hultgren. Well, again, my time is almost up. Thank you \nfor your work. Please let us know how we can be helpful going \nforward. And with that, I yield back to the Chairman. Thank \nyou.\n    Mr. Babin. Yes, sir. Thank you.\n    I now recognize the gentleman from Texas, Mr. Weber.\n    Mr. Weber. I thank the gentleman.\n    I want to do something before we get into the election \ndiscussion today regarding the earlier comment from one of the \nmembers on the other side of the aisle that she was appalled \nthat there was no Republican outrage over the Russians' \napparent hacking of the DCCC. I would note that there's \nprobably about the same amount of outrage from the Democrats \nover Hillary Clinton's dumping of a bunch of emails and \ndestroying evidence in a federal investigation.\n    Having said that, in full disclosure I was an election \nclerk and election judge and a precinct chair for about 16 \nyears in Texas in Brazoria County when we had good old-\nfashioned paper ballots. I was one of the few who raised my \nhand when they said, look, we want to pass a resolution \nencouraging electronic voting. I said I don't. I like the paper \nsystem. I don't trust the Internet. That was back in the '90s. \nIt seems as if we've come full circle now that you all are \nsaying that there are some States who are literally considering \ngoing back to paper ballots.\n    So here's a question for, I guess, all of you one at a \ntime. We'll start with you, Dr. Romine. Well, first of all, \nlet's do it this way. How many States have paper?\n    Dr. Romine. I think there's only five States that are \ncompletely without paper. There are some States in the middle \nthat have a mix, depending on the county, of paper and on paper \nsystems.\n    Mr. Weber. Okay. What States in your opinion has the best \nsystem, Dr. Romine?\n    Dr. Romine. I don't have insight into the systems that are \nbeing used State by State.\n    Mr. Weber. So you really haven't formulated an opinion in \nthat regard?\n    Dr. Romine. I don't have the data.\n    Mr. Weber. Okay. Fair enough.\n    Now, if you say Louisiana, Secretary Schedler, I'm just \nsaying.\n    Mr. Schedler. My response to that would be the best system \nfor which the people of that State feel comfortable in voting.\n    Mr. Weber. Touche.\n    Mr. Schedler. Okay. Because New Hampshire, I mean, if you \ncan just think of the variety that we have across the board \nfrom the East Coast to the West Coast in Oregon, I mean, just \ntotally different constituencies, totally different comfort \nzones, and, you know, if some people still like going to vote \nin their neighbor's garage and if that's what they want to do \nand then that's good for that State.\n    So, I mean, I guess that's the best answer I could give \nyou. No, I wouldn't say that we're the best, although a few \nyears ago Pew had us at number 18, which would surprise you I \nbet because I used to always say if you interview people on the \nstreets of New York on the late-night television show, they'd \nnever mention Louisiana in the top 20, but we're there. We've \ndone a lot of----\n    Mr. Weber. And they usually don't know what they're talking \nabout anyway.\n    Mr. Schedler. That's correct. That's correct. But I think \nthat's probably--I know that's kind of a politically correct \nanswer, but out of respect for all my colleagues and all the \nStates, I think you have to make that decision.\n    Mr. Weber. Okay. Mr. Becker?\n    Mr. Becker. I'll also be diplomatic here. I think if you \nask most election officials around the country at the state or \nlocal level, most of them will say that the technology they're \nusing, none of them have found the ideal system yet, that \nthey're looking for something new to come around.\n    Mr. Weber. So you don't have an opinion about that?\n    Mr. Becker. I don't have an opinion about a particular \nState. I think the work that's being done in places like Los \nAngeles County to come up with a system that's based on off-\nthe-shelf components----\n    Mr. Weber. Okay.\n    Mr. Becker. --that is largely accessible is going to be \nvery instructive to the entire field.\n    Mr. Weber. Dr. Wallach?\n    Dr. Wallach. Well, I'm going to toot the horn of three \ndifferent States where I enjoy what they're doing.\n    Mr. Weber. Okay.\n    Dr. Wallach. I like California's use of risk-limiting \naudits where you can audit paper and compare it to electronic \nresults. I like what Florida has done where they got rid of the \npaperless electronic voting machines. My parents live in Fort \nLauderdale and they now vote on a laser printer will print out \na ballot on demand so they can have early voting in vote \ncenters. So Florida is now doing remarkably good stuff.\n    And, of course, I have to say something good about Texas. I \nthink in Travis County we're building a really great system and \nit could potentially be applied in a lot of other places.\n    Mr. Weber. Are you from Travis County?\n    Dr. Wallach. No, I live in Houston. I grew up in Dallas.\n    Mr. Weber. Okay. So let me just also say here, having been \nthe recipient of--when a lot of those ballot boxes were \ncarried--Brazoria County is a big area. Apparently, where I \ngrew up is like 40 miles north of the county seat. And as an \nelection judge, in the general election I was, of course, in \nthe primary in the general election, too--we would always take \nour Democratic counterpart in the general election, take the \nballot boxes down, turn them into the county. I've been on the \nreceiving end of when it took, you know, 45 minutes to an hour \njust for the drive time and people were wanting those results.\n    One quick question because I'm the last one, is that right, \nMr. Chairman?\n    Mr. Babin. [No audible response.]\n    Mr. Weber. Okay. What is the most critical time of a cyber \nattack?\n    Dr. Wallach. I would say that a cyber actor who knows what \nthey're doing is acting months to years in advance and--because \nthey don't necessarily have access to----\n    Mr. Weber. But I'm talking about if they were going to \naffect a November election coming up, is that something done \nthe night of, the week before? You're saying years--are you \nsaying they get into the system----\n    Dr. Wallach. Yes. You get in way in advance and then you \nhave whatever effect you're trying to have. If your goal is to \ncreate chaos, then you want to have your effect very late. It \nall depends what you're trying to do.\n    Mr. Weber. Okay. All right, Mr. Chairman. I yield back. \nThank you.\n    Mr. Babin. Thank you. I appreciate that.\n    I want to thank the witnesses for their testimony and the \nmembers for your questions. And the record will remain open for \ntwo weeks for additional written comments and written questions \nfrom members.\n    And with that, this hearing is adjourned. Thank you.\n    [Whereupon, at 12:25 p.m., the Committee was adjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre></body></html>\n"