b"<html>\n<title> - DEFENDING OUR DEMOCRACY: BUILDING PARTNERSHIPS TO PROTECT AMERICA'S ELECTIONS</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n  DEFENDING OUR DEMOCRACY: BUILDING PARTNERSHIPS TO PROTECT AMERICA'S \n                               ELECTIONS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n                               __________\n\n                           FEBRUARY 13, 2019\n                               __________\n\n                            Serial No. 116-1\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n                 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n                                    \n        Available via the World Wide Web: http://www.govinfo.gov\n        \n                              ___________\n\n                    U.S. GOVERNMENT PUBLISHING OFFICE\n                    \n35-094 PDF                 WASHINGTON : 2019         \n        \n        \n        \n        \n        \n        \n\n                               __________\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nSheila Jackson Lee, Texas            Mike Rogers, Alabama\nJames R. Langevin, Rhode Island      Peter T. King, New York\nCedric L. Richmond, Louisiana        Michael T. McCaul, Texas\nDonald M. Payne, Jr., New Jersey     John Katko, New York\nKathleen M. Rice, New York           John Ratcliffe, Texas\nJ. Luis Correa, California           Mark Walker, North Carolina\nXochitl Torres Small, New Mexico     Clay Higgins, Louisiana\nMax Rose, New York                   Debbie Lesko, Arizona\nLauren Underwood, Illinois           Mark Green, Tennessee\nElissa Slotkin, Michigan             Van Taylor, Texas\nEmanuel Cleaver, Missouri            John Joyce, Pennsylvania\nAl Green, Texas                      Dan Crenshaw, Texas\nYvette D. Clarke, New York           Michael Guest, Mississippi\nDina Titus, Nevada\nBonnie Watson Coleman, New Jersey\nNanette Diaz Barragan, California\nVal Butler Demings, Florida\n                       Hope Goins, Staff Director\n                 Chris Vieson, Minority Staff Director\n                            \n                            \n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               STATEMENTS\n\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     2\nThe Honorable Mike Rogers, a Representative in Congress From the \n  State of Alabama, and Ranking Member, Committee on Homeland \n  Security:\n  Oral Statement.................................................     3\n  Prepared Statement.............................................     4\nThe Honorable Sheila Jackson Lee, a Representative in Congress \n  From the State of Texas:\n  Prepared Statement.............................................     5\n\n                               WITNESSES\n                                Panel I\n\nMr. Christopher C. Krebs, Director, Cybersecurity and \n  Infrastructure Security Agency, U.S. Department of Homeland \n  Security:\n  Oral Statement.................................................     8\n  Prepared Statement.............................................    10\nMr. Thomas Hicks, Commissioner, U.S. Election Assistance \n  Commission:\n  Oral Statement.................................................    13\n  Prepared Statement.............................................    16\n\n                                Panel II\n\nMr. Alex Padilla, Secretary of State, California:\n  Oral Statement.................................................    61\n  Prepared Statement.............................................    62\nMr. Noah Praetz, Former Director of Elections, Cook County, \n  Illinois:\n  Oral Statement.................................................    65\n  Prepared Statement.............................................    66\nMr. Jake Braun, Executive Director, Cyber Policy Initiative:\n  Oral Statement.................................................    75\n  Prepared Statement.............................................    77\nMr. John H. Merrill, Secretary of State, Alabama:\n  Oral Statement.................................................    78\n  Prepared Statement.............................................    80\n\n                             FOR THE RECORD\n\nThe Honorable Sheila Jackson Lee, a Representative in Congress \n  From the State of Texas:\n  Letter, Brennan Center for Justice.............................    48\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Article........................................................    93\n\n                                APPENDIX\n\nQuestions From Chairman Bennie G. Thompson for Christopher C. \n  Krebs..........................................................    95\nQuestions From Honorable Sheila Jackson Lee for Christopher C. \n  Krebs..........................................................    95\nQuestions From Honorable James R. Langevin for Christopher C. \n  Krebs..........................................................    96\nQuestions From Honorable Dina Titus for Christopher C. Krebs.....    96\nQuestions From Honorable Yvette D. Clarke for Christopher C. \n  Krebs..........................................................    96\nQuestions From Honorable Michael T. McCaul for Christopher C. \n  Krebs..........................................................    97\nQuestions From Chairman Bennie G. Thompson for Thomas Hicks......    97\nQuestions From Honorable Sheila Jackson Lee for Thomas Hicks.....    99\nQuestions From Honorable Dina Titus for Thomas Hicks.............   101\nQuestion From Honorable Yvette D. Clarke for Thomas Hicks........   102\nQuestions From Honorable Michael T. McCaul for Thomas Hicks......   102\nQuestions From Honorable Sheila Jackson Lee for Alex Padilla.....   103\nQuestion From Honorable James R. Langevin for Alex Padilla.......   104\nQuestion From Honorable Dina Titus for Alex Padilla..............   104\nQuestions From Honorable Yvette D. Clarke for Alex Padilla.......   104\nQuestion From Honorable Michael T. McCaul for Alex Padilla.......   104\nQuestions From Honorable Sheila Jackson Lee for Noah Praetz......   105\nQuestion From Honorable James R. Langevin for Noah Praetz........   107\nQuestion From Honorable Dina Titus for Noah Praetz...............   108\nQuestions From Honorable Michael T. McCaul for Noah Praetz.......   108\nQuestions from Honorable Sheila Jackson Lee for Jake Braun.......   109\nQuestions from Honorable James R. Langevin for Jake Braun........   110\nQuestion From Honorable Dina Titus for Jake Braun................   112\nQuestions From Honorable Sheila Jackson Lee for John H. Merrill..   112\nQuestions From Honorable James R. Langevin for John H. Merrill...   114\nQuestion From Honorable Dina Titus for John H. Merrill...........   114\nQuestions From Honorable Yvette D. Clarke for John H. Merrill....   114\nQuestion From Honorable Michael T. McCaul for John H. Merrill....   115\n\n \n  DEFENDING OUR DEMOCRACY: BUILDING PARTNERSHIPS TO PROTECT AMERICA'S \n                               ELECTIONS\n\n                              ----------                              \n\n\n                      Wednesday, February 13, 2019\n\n                     U.S. House of Representatives,\n                            Committee on Homeland Security,\n                                                    Washington, DC.\n    The committee met, pursuant to notice, at 10:03 a.m., in \nroom 310, Cannon House Office Building, Hon. Bennie G. Thompson \n(Chairman of the committee) presiding.\n    Present: Representatives Thompson, Jackson Lee, Langevin, \nPayne, Rice, Correa, Torres Small, Rose, Underwood, Slotkin, \nCleaver, Green of Texas, Clarke, Titus, Watson Coleman, \nBarragan, Demings, Rogers, King, Katko, Ratcliffe, Walker, \nHiggins, Lesko, Green of Tennessee, Taylor, Joyce, Crenshaw, \nand Guest.\n    Chairman Thompson. The Committee on Homeland Security will \ncome to order. I welcome the Members to the first hearing of \nthe Committee on Homeland Security of the 116th Congress. I \nappreciate your flexibility and that of our witnesses after we \nrescheduled the hearing due to the services of late Chairman \nJohn Dingell. Our thoughts and prayers are with his wife.\n    Today the committee will hold a hearing on defending our \ndemocracy, building partnerships to protect America's \nelections. Election security is a National security issue and \nit must transcend party politics because it requires a unified \neffort to protect America's elections. Unfortunately, this \nhearing is long overdue. During the 115th Congress, the \nRepublican Majority spent much of its time ignoring the \nintelligence and refusing to acknowledge the threat to our \ndemocracy.\n    Frustrated by the lack of action on this critical issue, \nDemocrats on this committee and the Committee on House \nAdministration launched the Congressional Task Force on \nElection Security in July 2017. The task force met with dozens \nof elections experts, secretaries of State elections, and \nNational security experts to assess vulnerabilities in election \ninfrastructure and determine how to address them.\n    In February 2018, the task force produced a report that \nincluded 10 recommendations and introduced legislation to \nimplement them. That legislation is now part of H.R. 1, the For \nthe People Act, which the House is expected to consider in the \ncoming weeks.\n    Fortunately, since 2016, progress has been made toward more \nsecure elections. The Department of Homeland Security and \nElection Assistance Commission have built stronger, more \neffective partnerships with State and local election officials. \nBut it is unclear whether each agency has the resources \nnecessary to meet the increasing demand for their resources.\n    Will EAC's $10 million budget provide sufficient resources \nfor it to administer additional election security grants to \nStates? Does DHS have the resources to provide its services to \nevery State and county that requests them?\n    Congress needs to understand the existing capability of \neach agency. Now, existing capabilities can be leveraged, \ngrown, and augmented. Local election officials are on the front \nlines of securing our elections, and their success depends on \nthe support they receive from Federal and State governments.\n    Although some dispute that has--the election infrastructure \nlocal election officials oversee is vulnerable to hacking, \ncybersecurity experts have made a credible case. The Federal \nGovernment, especially Congress, must understand the resource \nconstraints of local election officials and partner with them \nto address vulnerabilities to election infrastructure through \ngrants and services.\n    The intelligence community has made clear the threats to \nour elections persist, so more work remains to be done. Just \nlast month, Director of National Intelligence Dan Coats, \nwarned, Russia in 2016 and unidentified actors as recently as \n2018 have already conducted cyber activity that has targeted \nU.S. election infrastructure.\n    He went on to say, we should expect adversaries and \nstrategic competitors to refine their capabilities and add new \ntactics as they learn from each other's experiences in advance \nof the 2020 elections.\n    I look forward to hearing from our panel of witnesses today \nabout how Congress and Federal agencies can support efforts to \nfurther strengthen our elections and protect them from attack.\n    I welcome our Republican colleagues' support in these \nefforts and I look forward to working with all those whose goal \nis to protect America's elections and defend our democracy.\n    [The statement of Chairman Thompson follows:]\n                Statement of Chairman Bennie G. Thompson\n                           February 13, 2019\n    Election security is a National security issue that must transcend \nparty politics, because it requires a unified effort to protect \nAmerica's elections. Unfortunately, this hearing is long overdue. \nDuring the 115th Congress, the Republican Majority spent much of its \ntime ignoring the intelligence and refusing to acknowledge the threat \nto our democracy.\n    Frustrated by the lack of action on this critical issue, Democrats \non this committee and the Committee on House Administration launched \nthe Congressional Task Force on Election Security in July 2017. The \nTask Force met with dozens of elections experts, State election \nofficials, and National security experts to assess vulnerabilities in \nelection infrastructure and determine how to address them. In February \n2018, the Task Force produced a report that included 10 recommendations \nand introduced legislation to implement them.\n    That legislation is now part of H.R. 1, the For the People Act, \nwhich the House is expected to consider in the coming weeks. \nFortunately, since 2016, progress has been made toward more secure \nelections.\n    The Department of Homeland Security and Election Assistance \nCommission (EAC) have built stronger, more effective partnerships with \nState and local election officials. But it is unclear whether either \nagency has the resources necessary to meet the increasing demand for \ntheir resources.\n    Will EAC's $10 million budget provide sufficient resources for it \nto administer additional election security grants to States? Does DHS \nhave the resources to provide its services to every State and county \nthat requests them?\n    Congress needs to understand the existing capability of each agency \nand how existing capabilities can be leveraged, grown, and augmented. \nLocal election officials are on the front lines of securing our \nelections, and their success depends on the support they receive from \nFederal and State governments.\n    Although some dispute that the election infrastructure local \nelection officials oversee is vulnerable to hacking, cybersecurity \nexperts have made a credible case it is. The Federal Government--\nespecially Congress--must understand the resource constraints of local \nelection officials and partner with them to address vulnerabilities to \nelection infrastructure though grants and services.\n    The intelligence community has made clear the threats to our \nelections persist, so more work remains to be done. Just last month, \nDirector of National Intelligence Dan Coats warned, ``Russia in 2016 \nand unidentified actors as recently as 2018 have already conducted \ncyber activity that has targeted U.S. election infrastructure.'' He \nwent on to say we should expect ``adversaries and strategic competitors \nto refine their capabilities and add new tactics as they learn from \neach other's experiences'' in advance of the 2020 elections.\n    I look forward to hearing from our panel of witnesses today about \nhow Congress and Federal agencies can support efforts to further \nstrengthen our elections and protect them from attack. I welcome my \nRepublican colleagues' support in these efforts, and I look forward to \nworking with all those whose goal is to protect America's elections and \ndefend our democracy.\n\n    Chairman Thompson. I now recognize the Ranking Member of \nthe full committee, the gentleman from Alabama, Mr. Rogers, for \nan opening statement.\n    Mr. Rogers. Thank you, Mr. Chairman.\n    I look forward to the opportunity to hear from our \nwitnesses today regarding election security. The integrity of \nour elections is foundational to our democracy. All Americans \nshould have confidence that voting equipment and systems are \nsecure and your vote counts as they intended and that election \nresults are accurately reported.\n    Last week DHS and DOJ released their findings that there \nwas no evidence of any foreign interference in the 2018 \nelection. I believe that the tremendous work done by DHS, our \nintelligence community and State and local leaders made that \nhappen but there is certainly more work that can be done.\n    Much of our focus today will be on the work we still need \nto do to secure the technology and systems behind our elections \nbut we can't lose sight of a simple lesson: Foreign \nintelligence services, domestic partisans, and on-line vandals \ndo not care what our laws say. They are happy to use our public \nforums against us. My home State saw liberal activists \ndeliberately mislead Alabamians regarding public endorsements \nand political issues in the 2017 U.S. Senate Special Election.\n    They bragged to liberal donors behind closed doors about \ntheir success in manipulating Alabama voters. H.R. 1 attempts \nto address these pressing issues but the bill's provisions are \ndeeply naive. As it stands, H.R. 1 is an exercise in regulating \neverything that moves near a ballot box. The problems facing \nour election systems are more complex than that. Election \nsecurity has long been a bipartisan priority for Members of \nthis committee. It is my hope that this bipartisan tradition on \nthis issue will continue in this Congress.\n    We need a deliberative, bipartisan process to solve these \nissues. Unfortunately it appears our committee will not have an \nopportunity to mark up the election security provisions in our \njurisdiction. That is unfortunate because the election security \nprovisions in this bill could be improved and I know Members on \nboth sides of this committee have some good ideas on how to \nmake those improvements. As it stands now, much of H.R. 1's 570 \npages appear to be a political exercise.\n    That is why I am very disappointed that election security, \nan issue where we have an opportunity to work together to move \nbipartisan legislation has gotten caught up--getting caught up \nin a partisan political grab.\n    I hope that H.R. 1--when H.R. 1 stalls in the Senate, as it \nwill, we will revisit the issue of election security in a \nbipartisan manner. I thank our witnesses for taking the time to \nspeak to our committee about the work you are doing on the \nfront lines of elections.\n    I yield back, Mr. Chairman.\n    [The statement of Ranking Member Rogers follows:]\n                Statement of Ranking Member Mike Rogers\n    I look forward to the opportunity to hear from our witnesses today \nregarding election security. The integrity of our elections is \nfoundational to our democracy.\n    All Americans should have confidence that voting equipment and \nsystems are secure, their vote counts as they intended, and that \nelection results are accurately reported.\n    Last week, DHS and DOJ released their findings that there was no \nevidence of any foreign interference in the 2018 election. I believe \nthe tremendous work done by DHS, our intelligence community, and State \nand local leaders made that happen. But there is certainly more work to \nbe done.\n    Much of our focus today will be on the work we still need to do to \nsecure the technology and systems behind our elections. But we can't \nlose sight of a simple lesson: Foreign intelligence services, domestic \npartisans, and on-line vandals do not care what our laws say. They are \nhappy to use our public forums against us.\n    My home State saw liberal activists deliberately mislead Alabamians \nregarding public endorsements and political issues in the 2017 U.S. \nSenate special election. They bragged to liberal donors behind closed \ndoors about their success in manipulating Alabama voters.\n    H.R. 1 attempts to address these pressing issues, but the bill's \nprovisions are deeply naive. As it stands, H.R. 1 is an exercise in \nregulating everything that moves near a ballot box.\n    The problems facing our election system are more complex than that. \nElection security has long been a bipartisan priority for Members of \nthis committee.\n    It is my hope that this bipartisan tradition on this issue will \ncontinue in this Congress. We need a deliberative, bipartisan process \nto solve these issues.\n    Unfortunately, it appears our committee will not have an \nopportunity to mark up the election security provisions in our \njurisdiction. That is unfortunate because the election security \nprovisions of this bill could be improved.\n    And I know Members on both sides of this committee have some good \nideas on how make improvements. As it stands, much of H.R. 1's 570 \npages appear to be a political exercise.\n    That is why I am very disappointed that election security, an issue \nwhere we had an opportunity to work together to move bipartisan \nlegislation, has gotten caught up in this partisan political power \ngrab.\n    I hope when H.R. 1 does not advance in the Senate, we can revisit \nthe issue of election security in a bipartisan manner.\n    I thank our witnesses for taking to the time to speak to our \ncommittee about the work you are doing on the front lines of elections.\n\n    Chairman Thompson. I thank the gentleman for his comments.\n    Other Members of the committee are reminded that under the \ncommittee rules opening statements may be submitted for the \nrecord.\n    [The statement of Hon. Jackson Lee follows:]\n               Statement of Honorable Sheila Jackson Lee\n    Chairman Bennie G. Thompson thank you for holding today's hearing \nso that the committee may learn more about how the Department of \nHomeland Security is ``Defending Our Democracy: Building Partnerships \nto Protect America's Elections.''\n    At the outset, let me congratulate you Mr. Chairman on your \nelection to lead this august committee, and Mr. Rogers on his election \nas Ranking Member.\n    Chairman Thompson, your participation in the House Administration \nCommittee's Subcommittee on Elections Field Hearing held in \nBrownsville, Texas last week was substantive and impactful.\n    Also, your skillful leadership in co-chairing the 115th Congress' \nTask Force on Election Security, which resulted in a report last year \nwhich informs our hearing this morning.\n    I look forward to continuing working with the returning Members of \nthe committee and welcome an outstanding cohort of new Members on both \nsides of the aisle, who I trust will find the important work advanced \nby this committee as fulfilling and rewarding as I have since joining \nits inception.\n    I thank today's witnesses:\nPanel 1\n  <bullet> The Hon. Christopher C. Krebs, director, Cybersecurity and \n        Infrastructure Security Agency, U.S. Department of Homeland \n        Security; and\n  <bullet> The Hon. Thomas Hicks, chairman, Election Assistance \n        Commission.\nPanel 2\n  <bullet> The Hon. Alex Padilla, secretary of state, California;\n  <bullet> Mr. Noah Praetz, former director of elections, Cook County, \n        Illinois;\n  <bullet> Mr. Jake Braun, executive director, Cyber Policy Initiative, \n        University of Chicago; and\n  <bullet> The Hon. John Merrill, secretary of state, Alabama (Minority \n        witness).\n    I thank each of today's witnesses for bringing their expert view on \nthe partnerships among Federal, State, and local agencies responsible \nfor ensuring the integrity of elections have matured since 2016 and \nabout the resources and support necessary to prepare for the 2020 \nPresidential elections.\n    The efforts to ensure that every eligible person can register to \nvote, and cast a vote in a public election have spanned generations.\n    I have been persistent in my efforts to protect the rights of \ndisenfranchised communities in my district of inner-city Houston and \nacross the Nation.\n    Throughout my tenure in Congress, I have cosponsored dozens of \nbills, amendments, and resolutions seeking to improve voters' rights at \nall stages and levels of the election process.\n    This includes legislation aimed at:\n    1. Increasing voter outreach and turnout;\n    2. Ensuring both early and same-day registration;\n    3. Standardizing physical and language accessibility at polling \n        places;\n    4. Expanding early voting periods;\n    5. Decreasing voter wait times;\n    6. Guaranteeing absentee ballots, especially for displaced \n        citizens;\n    7. Modernizing voting technologies and strengthening our voter \n        record systems;\n    8. Establishing the Federal Election Day as a National holiday; and\n    9. Condemning and criminalizing deceptive practices, voter \n        intimidation, and other suppression tactics.\n    Along with many of my colleagues in the CBC, I was an original \ncosponsor of H.R. 9, the Fannie Lou Hamer, Rosa Parks, and Coretta \nScott King Voting Rights Act Reauthorization and Amendments Act, which \nbecame public law on July 27, 2006.\n    I also authored H.R. 745 in the 110th Congress, which added the \nlegendary Barbara Jordan to the list of civil rights trailblazers whose \nnames honor the Voting Rights Act Reauthorization and Amendments Act.\n    This bill strengthened the original Voting Rights Act by replacing \nFederal voting examiners with Federal voting observers--a significant \ndistinction that made it easier to safeguard against racially-biased \nvoter suppression tactics.\n    In the 114th Congress, I introduced H.R. 75, the Coretta Scott King \nMid-Decade Redistricting Prohibition Act of 2015, which would prohibit \nStates whose Congressional districts have been redistricted after a \ndecennial census from redrawing their district lines until the next \ncensus.\n    The voting rights struggles of the 20th Century are now joined by \nvoting rights threats posed by the 21st Century.\n    Russia an adversary of the United States engaged in repeated \nattempts to interfere in the 2016 Presidential election, which prompted \nan unprecedented all-of-Government effort to alert local and State \nelection administrators to be aware of the threat.\n    Russia targeted our Presidential election according to the report, \n``Background to Assessing Russian Activities and Intentions in Recent \nU.S. Elections: The Analytic Process and Cyber Incident Attribution,'' \nprovided by the Office of the Director of National Intelligence's \nNational Intelligence Council.\n    Russia used every cyber espionage tool available to influence the \noutcome of the Presidential election by using a multifaceted campaign \nthat included theft of data; strategically-timed release of stolen \ninformation; production of fake news; and manipulation of facts to \navoid blame.\n    The Russian General Staff Main Intelligence Directorate (GRU) is \nsuspected by our intelligence agencies of having begun cyber operations \ntargeting the United States election as early as March 2016.\n    They took on the persona of ``Guccifer 2.0,'' ``DCLeaks.com,'' and \nWikileaks as the identities that would be reported as having \ninvolvement in the work they had under taken to undermine our Nation's \nPresidential election.\n    Russia is blamed for breaching 21 local and State election systems, \nwhich they studied extensively.\n    In February 2018, special counsel Robert Mueller released \nindictments of 13 Russians, at least one of whom has direct ties to \nRussian President Vladimir Putin.\n    The 37-page indictment details the actions taken to interfere with \nthe U.S. political system, including the 2016 U.S. Presidential \nelection.\n    Among the charges, which include charges for obstruction of \njustice, are several especially notable details.\n    The indictment states that 13 defendants posed as U.S. persons and \ncreated false U.S. personas and operated social media pages and groups \ndesigned to attract U.S. audiences.\n    The social media profiles ``addressed divisive U.S. political and \nsocial issues'' and falsely claimed to be controlled by U.S. activists.\n    The defendants are also accused of using ``the stolen identities of \nreal U.S. persons to post on social media accounts'' which, over time, \nbecame the chosen ``means to reach significant numbers of Americans for \npurposes of interfering with the U.S. political system, including the \nPresidential election of 2016.''\n    The goal of the effort was to sow discord in the U.S. political \nsystem, including the 2016 US. Presidential election.\n    The internet does not sleep--and nor do our Nation's on-line \nadversaries.\n    That Russia used cyber intrusions to attack United States political \ninstitutions to collect data to manipulate the media and the public \nwith the purpose of influencing the outcome of the 2016 Presidential \nelections is now an undisputed fact.\n    The United States has enemies in other corners of the globe who \nwould not hesitate to attack our election system if given the chance.\n    These foreign adversaries do not share our commitment to democracy, \nliberty, and human rights, or the precious freedoms we hold dear.\n    On January 6, 2017, Homeland Security Secretary Johnson, as one of \nhis last official acts under the Obama administration, designated \nelection systems as critical infrastructure, and created a new \nsubsector under the existing Government Facilities Sector designation.\n    On that same day, President Elect-Trump was briefed by the \nintelligence community that Vladimir Putin had directed the cyber \nattack on the United States of America.\n    Since then, intelligence officials have continued to warn that \nforeign governments--including Russia, Iran, and China--could attempt \nto interfere in U.S. elections.\n    In March 2017, then-Federal Bureau of Investigation (FBI) Director \nJames Comey testified before the House Permanent Select Committee on \nIntelligence that the Russians are not finished and that they will be \nback.\n    In February 2018, six intelligence agency chiefs issued a dire \nwarning about the Kremlin's on-going efforts to influence the U.S. \nelections.\n    On January 29, 2019, the director of national intelligence \ntestified before the Senate Select Committee on Intelligence that our \nadversaries ``probably already are looking to the 2020 U.S. elections \nas an opportunity to advance their interests.''\n    The House Committee on Homeland Security has the responsibility of \nproviding for the cybersecurity of Federal civilian agencies as well as \nthe security of the Nation's 16 critical infrastructure sectors from \ncyber and other threats.\n    The Election Infrastructure Subsector covers a wide range of \nphysical and electronic assets such as storage facilities, polling \nplaces, and centralized vote tabulation locations used to support the \nelection process, and information and communications technology to \ninclude voter registration databases, voting machines, and other \nsystems to manage the election process and report and display results \non behalf of State and local governments.\n    The work to secure our Nation's election system from cyber threats \nis on-going, which is why this hearing is relevant.\n    I look forward to the committee's markup of H.R. 1, the ``For The \nPeople Act,'' critical legislation to repair and strengthen our \ndemocracy.\n    While this bill's language brings much-needed improvements to \nelection administration by providing a funding stream to support the \nreplacement of outdated voting systems, and support for the \nadministration of Federal elections there is still more that must be \ndone.\n    Specifically, that we should be mindful of the provision of voting \nsystems for in-person voting and allow for sufficient machines to serve \nthe population that will cast ballots at each polling location during \nearly voting and on election day.\n    The U.S. Department of Homeland Security's (DHS) mission in \ncybersecurity and infrastructure protection is focused on enhancing \ngreater collaboration on cybersecurity across the 16 critical \ninfrastructure sectors and the sharing of cyber threat information \nbetween the private sector and Federal, State, and local partners.\n    This committee will work hand-and-glove with the House Judiciary \nand House Administration Committees as well as the Senate Committees to \nensure that the tools applied to the current threat to our elections is \neffectively and adequately addressed.\n    We know the threats that computing devices and systems face, which \nare almost too numerous to count:\n  <bullet> Bot-nets;\n  <bullet> Ransom-ware;\n  <bullet> Zero Day Events;\n  <bullet> Mal-ware;\n  <bullet> Denial-of-Service Attacks;\n  <bullet> Distributed Denial-of-Service Attacks;\n  <bullet> Pharming;\n  <bullet> Phishing;\n  <bullet> Data Theft;\n  <bullet> Data Breaches;\n  <bullet> SQL Injection;\n  <bullet> Man-in-the-middle attack.\n    The list goes on, but suffice it to say that as hard as one person \nin our Government is working to stop cyber attacks there are likely \nanother thousand attempting to breach a system or device owned by a \nUnited States citizen.\n    During the 2016 election we learned of new threats from cyber space \nthat go far beyond any that would have been considered in previous \nelections.\n    This Congress is poised to do the hard work of delving into the \nissue of Russian involvement in our national election and providing \nsolutions.\n    The work today must focus on election recovery should a serious \ncyber incident occur during an election.\n    Vulnerabilities of computing systems are not limited to intentional \nattacks, but can include acts of nature, human error, or technology \nfailing to perform as intended.\n    I am particularly concerned that so many jurisdictions rely on \nelectronic poll books, to check-in voters before issuing them ballots, \nwith no paper back-ups.\n    Finally, the use of untrustworthy paperless electronic voting \nmachines without sufficient paper ballot options will come to an end \nwhen H.R. 1 becomes law.\n    The right and better approach to election cybersecurity is to be \nprepared and not need options for voters to cast ballots should voting \nsystems fail, rather than being unprepared and needing options for \nvoters to cast ballots during an election that are not available.\n    We must be steadfast in our resolve to have a strong shield to \ndefend civilian and critical infrastructure networks for all threats \nforeign and domestic.\n    I look forward to the testimony of today's witnesses.\n    Thank you.\n\n    Chairman Thompson. I would like to extend a welcome to our \nfirst panel of witnesses. First I would like to welcome Chris \nKrebs, the director of DHS's Cybersecurity and Infrastructure \nSecurity Agency back to testify before this panel. Director \nKrebs has been at the helm of DHS's cybersecurity activities \nsince 2017 and he has been an integral player in shaping and \ndeveloping the Department's election security capabilities.\n    Next I am pleased to welcome Mr. Tom Hicks, the current \nchairman of the U.S. Election Assistance Commission, and also \ncongratulate him on swearing in a new batch of election \nassistance commissioners.\n    We had the opportunity to hear from the chairman in 2017, \nwhen he came to speak before the Congressional Task Force on \nElection Security. I look forward to hearing about his work \nsince that time. Without objection, the witnesses' full \nstatements will be inserted in the record. I now ask each \nwitness to summarize his statement for 5 minutes, beginning \nwith Mr. Krebs.\n\nSTATEMENT OF CHRISTOPHER C. KREBS, DIRECTOR, CYBERSECURITY AND \n  INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Mr. Krebs. Thank you. Chairman Thompson, Ranking Member \nRogers, and Members of the committee. Good morning and thank \nyou for the opportunity to testify regarding the Department of \nHomeland Security's efforts to secure the vote. First, however, \nI would like to, once again, thank this committee for its \nleadership in establishing the Cybersecurity and Infrastructure \nSecurity Agency, or CISA.\n    By creating our new agency and law, Congress formally \nrecognized DHS's role as the leader of the National effort to \nsafeguard Federal networks and critical infrastructure from \ncyber and physical threats. On behalf of the agency, once \nagain, thank you. This morning, I want to update this committee \non the progress made over the last 2 years working with the \nelection community.\n    CISA's election security mission is clear, to support the \nefforts of election officials and their private-sector partners \nconsistent with the Constitution, existing law, and electoral \ntradition. Since 2016 we have learned quite a bit through \npartners like the Election Assistance Commission, and thousands \nof election officials across the country, like you will hear in \nthe next panel, that know elections.\n    They know their systems. They know what they need to \nconduct a successful election. Over the last 2 years, in \nfocused, oftentimes humbling engagements, we have become \npartners with the election community. For the 2018 election, we \nworked with all 50 States, over 1,400 local and territorial \nelection offices, 6 election associations, and 12 election \nvendors.\n    Our approach is threefold: Making sure the community has--\nthe election community has the information they need to defend \ntheir systems, making sure the election community has the \ntechnical support and tools they need to defend their systems, \nand building enduring partnering--partnerships to enhance \nresilience, and advance security efforts together.\n    In 2018 we focused on building scalable, repeatable \nmechanisms to dramatically grow our information-sharing \ncapabilities. The Elections Infrastructure Information Sharing \nand Analysis Center, or EI-ISAC was established. By Election \nDay, EI-ISAC had over 1,400 members, the fastest-growing ISAC \nof any critical infrastructure sector.\n    We share contextualized threat information and actionable--\nthreat intelligence and actionable information that was \nenriched through our close partnership with the intelligence \ncommunity and law enforcement.\n    More importantly, State and local election officials were \nsharing what they were seeing on their own networks. We also \ndeployed intrusion detection capabilities, or Albert Sensors, \nto provide real-time detection capabilities on election \nnetworks.\n    As of Election Day in 2018, these sensors offered \nprotections to election infrastructure and voter registration \ndatabases for more than 90 percent of registered voters. For \nreference, during the 2000 election, we were below 30 percent \nof coverage.\n    Second, we provide technical support and services to \nelection officials and vendors. Initially, we offered our \nstandard services, including cyber hygiene, scans, and risk \ninvulnerability assessments that we offer Federal agencies and \nother infrastructure sectors.\n    As we refined our understanding of election officials' \nrequirements, we shifted to capabilities that are quicker, less \nintrusive, and can scale to more jurisdictions. This \nscalability is critical because while our initial efforts in \n2016 were primarily targeted in State--State election \nofficials, we recognize the need to increase our support to \ncounties and municipalities who operate elections as well.\n    Our Last Mile Initiative sought to provide information \ncustomized to the local county level. This initiative provided \nno-cost tailored information on cyber safeguards, threats and \nrisks, and a checklist of cybersecurity action items.\n    The final area of focus has been building enduring \npartnerships toward a collective defense. While it may seem \nmundane, governance, communications, coordination, training, \nand planning are the critical foundational elements of our \nNation's efforts to secure our elections.\n    These efforts, and others, contributed to a secure 2018 \nelection. The Department of Homeland Security and the \nDepartment of Justice recently concluded there is no evidence \nthat any identified activities of a foreign government or a \nforeign agent had a material impact on the integrity or \nsecurity of election infrastructure or political campaign \ninfrastructure used in the 2018 midterm elections.\n    While 2018 is behind us, the 2020 election season is \nalready under way. We are clear-eyed that the threat to our \ndemocratic institutions remain, and we must continue to press \nfor increased security and resilience of our election systems. \nOver the next 2 years, CISA will focus on expanding engagement \nto the local level.\n    We will continue to work with election officials to improve \nboth, there and our understanding of risk. With that better \nunderstanding of risk, we can support efforts by election \nofficials and Congress to obtain the resources they need to \nsecure their election systems. Once again, thank you for the \nopportunity to appear before the committee today. I look \nforward to your questions.\n    [The prepared statement of Mr. Krebs follows:]\n               Prepared Statement of Christopher C. Krebs\n                           February 13, 2019\n    Chairman Thompson, Ranking Member Rogers, and Members of the \ncommittee, thank you for the opportunity to testify regarding the U.S. \nDepartment of Homeland Security's (DHS) progress in reducing and \nmitigating risks to our Nation's election infrastructure. DHS has \nworked to establish trust-based partnerships with State and local \nofficials who administer our elections, and I look forward to sharing \nwith you an update on our work during the 2018 midterm election cycle.\n    Leading up to the 2018 midterms, DHS worked hand-in-hand with \nFederal partners, State and local election officials, and private-\nsector vendors to provide them with information and capabilities to \nenable them to better defend their infrastructure. This partnership led \nto a successful model that we aim to continue and improve upon in the \n2020 election cycle.\n    Since 2016, DHS's Cybersecurity and Infrastructure Security Agency \n(CISA) has led a voluntary partnership of Federal Government and \nelection officials who regularly share cybersecurity risk information. \nCISA has engaged directly with election officials--coordinating \nrequests for assistance, risk mitigation, information sharing, and \nincident response. To ensure a coordinated approach, CISA convened \nstakeholders from across the Federal Government through the Election \nTask Force.\n    The Department and the Election Assistance Commission (EAC) have \nconvened Federal Government and election officials regularly to share \ncybersecurity risk information and to determine an effective means of \nassistance. Since 2016, the Election Infrastructure Subsector (EIS) \nGovernment Coordinating Council (GCC) has worked to establish goals and \nobjectives, to develop plans for the EIS partnership, and to lay the \ngroundwork for developing an EIS Sector-Specific Plan. Participation in \nthe council is voluntary and does not change the fundamental role of \nState and local jurisdictions in overseeing elections.\n    DHS and the EAC have also worked with election vendors to launch an \nindustry-led Sector Coordinating Council (SCC), a self-organized, self-\nrun, and self-governed council with leadership designated by sector \nmembership. The SCC serves as the industry's principal entity for \ncoordinating with the Federal Government on critical infrastructure \nsecurity activities related to sector-specific strategies. This \ncollaboration is conducted under DHS's authority to provide a forum in \nwhich Federal and private-sector entities can jointly engage in a broad \nspectrum of activities to coordinate critical infrastructure security \nand resilience efforts, which is used in each of the critical \ninfrastructure sectors established under Presidential Policy Directive \n21, Critical Infrastructure Security and Resilience. The SCC has helped \nDHS further its understanding of the systems, processes, and \nrelationships particular to operation of the EIS.\n    Within the context of today's hearing, I will address our efforts \nin 2018 to help enhance the security of elections that are administered \nby jurisdictions around the country, along with our election-related \npriorities through 2020. While there was activity targeting our \nelection infrastructure leading up to the midterms, this activity is \nsimilar to what we have seen previously and occurs on the internet \nevery day. This activity has not been attributed to nation-state actors \nand along with the Department of Justice (DOJ), we concluded that there \nis no evidence to date that any identified activities of a foreign \ngovernment or foreign agent had a material impact on the integrity or \nsecurity of election infrastructure or political or campaign \ninfrastructure used in the 2018 midterm elections.\n                          assessing the threat\n    The Department regularly coordinates with the intelligence \ncommunity and law enforcement partners on potential threats to the \nhomeland. Among non-Federal partners, DHS has engaged with State and \nlocal officials, as well as relevant private-sector entities, to assess \nthe scale and scope of malicious cyber activity potentially targeting \nthe U.S. election infrastructure. Election infrastructure includes the \ninformation and communications technology, capabilities, physical \nassets, and technologies that enable the registration and validation of \nvoters; the casting, transmission, tabulation, and reporting of votes; \nand the certification, auditing, and verification of elections.\n    In addition to working directly with State and local officials over \nthe past 2 years, we have partnered with trusted third parties to \nanalyze relevant cyber data, including the Elections Infrastructure \nInformation Sharing and Analysis Center (EI-ISAC), the National \nAssociation of Secretaries of State, and the National Association of \nState Election Directors. DHS field personnel deployed around the \ncountry furthered information sharing and enhanced outreach.\n                           enhancing security\n    During the 2018 midterms, CISA provided a coordinated response from \nDHS and its Federal partners to plan for, prepare for, and mitigate \nrisk to election infrastructure. Working with election infrastructure \nstakeholders was essential to ensuring a more secure election. CISA and \nour stakeholders increased awareness of potential vulnerabilities and \nprovided capabilities to enhance the security of U.S. election \ninfrastructure as well as that of our democratic allies.\n    Election officials across the country have a long-standing history \nof working both individually and collectively to reduce risks and \nensure the integrity of their elections. In partnering with these \nofficials through both new and on-going engagements, CISA will continue \nto work to provide value-added--yet voluntary--services to support \ntheir efforts to secure elections in the 2020 election cycle.\n  improving coordination with state, local, tribal, territorial, and \n                        private-sector partners\n    Increasingly, the Nation's election infrastructure leverages \ninformation technology for efficiency and convenience, but also exposes \nsystems to cybersecurity risks, just like in any other enterprise \nenvironment. Just like with other sectors, CISA helps stakeholders in \nFederal departments and agencies, State, local, Tribal, and territorial \n(SLTT) governments, and the private sector to manage these \ncybersecurity risks. Consistent with our long-standing partnerships \nwith State and local governments, we have been working with election \nofficials to share information about cybersecurity risks, and to \nprovide voluntary resources and technical assistance.\n    CISA works with the EI-ISAC to provide threat and vulnerability \ninformation to State and local officials. Through funding by CISA, the \nCenter for Internet Security created and continues to operate the EI-\nISAC. The EI-ISAC has representatives co-located with CISA's National \nCybersecurity and Communications Integration Center (NCCIC) to enable \nregular collaboration and access to information and services for \nelection officials.\n         providing technical assistance and sharing information\n    Knowing what to do when a security incident happens--whether \nphysical or cyber--before it happens is critical. CISA supports \nelection officials with incident response planning including \nparticipating in exercises and reviewing incident response playbooks. \nCrisis communications is a core component of these efforts, ensuring \nofficials are able to communicate transparently and authoritatively \nwhen an incident unfolds. In some cases, we do this directly with State \nand local jurisdictions. In others, we partner with outside \norganizations. We recognize that securing our Nation's systems is a \nshared responsibility, and we are leveraging partnerships to advance \nthat mission. CISA actively promotes a range of services including:\n    Cyber hygiene service for internet-facing systems.--Through this \nautomated, remote scan, CISA provides a report identifying \nvulnerabilities and mitigation recommendations to improve the \ncybersecurity of systems connected to the internet, such as on-line \nvoter registration systems, election night reporting systems, and other \ninternet-connected election management systems.\n    Risk and vulnerability assessments.--We have prioritized State and \nlocal election systems upon request, and increased the availability of \nrisk and vulnerability assessments. These in-depth, on-site evaluations \ninclude a system-wide understanding of vulnerabilities, focused on both \ninternal and external systems. We provide a full report of \nvulnerabilities and recommended mitigations following the testing.\n    Incident response assistance.--We encourage election officials to \nreport suspected malicious cyber activity to NCCIC. Upon request, the \nNCCIC can provide assistance in identifying and remediating a cyber \nincident. Information reported to the NCCIC is also critical to the \nFederal Government's ability to broadly assess malicious attempts to \ninfiltrate election systems. This technical information will also be \nshared with other State officials so they have the ability to defend \ntheir own systems from similar malicious activity.\n    Information sharing.--CISA maintains numerous platforms and \nservices to share relevant information on cyber incidents. Election \nofficials may also receive information directly from the NCCIC. The \nNCCIC also works with the EI-ISAC, allowing election officials to \nconnect with the EI-ISAC or their State chief information officer to \nrapidly receive information they can use to protect their systems. Best \npractices, cyber threat information, and technical indicators, some of \nwhich had been previously classified, have been shared with election \nofficials in thousands of State and local jurisdictions. In all cases, \nthe information sharing and use of such cybersecurity threat \nindicators, or information related to cybersecurity risks and incidents \ncomplies with applicable lawful restrictions on its collection and use \nand with DHS policies protective of privacy and civil liberties.\n    Classified information sharing.--To most effectively share \ninformation with all of our partners--not just those with security \nclearances--DHS works with the intelligence community to rapidly \ndeclassify relevant intelligence or provide as much intelligence as \npossible at the lowest classification level possible. While DHS \nprioritizes declassifying information to the extent possible, DHS also \nprovides Classified information to cleared stakeholders, as \nappropriate. DHS has been working with State chief election officials \nand additional election staff in each State to provide them with \nsecurity clearances.\n    Field-based cybersecurity advisors and protective security \nadvisors.--CISA has more than 130 cybersecurity and protective security \npersonnel available to provide actionable information and connect \nelection officials to a range of tools and resources to improve the \ncybersecurity preparedness of election systems, and to secure the \nphysical site security of voting machine storage and polling places. \nThese advisors are also available to assist with planning and incident \nmanagement for both cyber and physical incidents.\n    Physical and protective security tools, training, and resources.--\nCISA provides guidance and tools to improve the security of polling \nsites and other physical election infrastructure. This guidance can be \nfound at www.dhs.gov/hometown-security. This guidance helps to train \nadministrative and volunteer staff on identifying and reporting \nsuspicious activities, active-shooter scenarios, and what to do if they \nsuspect an improvised explosive device.\n       election security efforts leading up to the 2018 midterms\n    In the weeks leading up to the 2018 midterm elections, DHS \nofficials supported a high degree of preparedness Nation-wide. DHS \nprovided free technical cybersecurity assistance, continuous \ninformation sharing, and expertise to election offices and campaigns. \nEI-ISAC threat alerts were shared with all 50 States, over 1,400 local \nand territorial election offices, 6 election associations, and 12 \nelection vendors.\n    In August 2018, DHS hosted a ``Tabletop the Vote'' exercise, a 3-\nday, first-of-its-kind exercise to assist our Federal partners, State \nand local election officials, and private-sector vendors in identifying \nbest practices and areas for improvement in cyber incident planning, \npreparedness, identification, response, and recovery. Through tabletop \nsimulation of a realistic incident scenario, exercise participants \ndiscussed and explored potential impacts to voter confidence, voting \noperations, and the integrity of elections. Partners for this exercise \nincluded 44 States and the District of Columbia; EAC; Department of \nDefense, including the Office of the Secretary of Defense, U.S. Cyber \nCommand, and the National Security Agency; DOJ; Federal Bureau of \nInvestigation; Office of the Director of National Intelligence; and \nNational Institute of Standards and Technology (NIST).\n    Through the ``Last Mile Initiative,'' DHS worked closely with State \nand local governments to outline critical cybersecurity actions that \nshould be implemented at the county level. For political campaigns, DHS \ndisseminated a cybersecurity best practices checklist to help \ncandidates and their teams better secure their devices and systems.\n    On Election Day, DHS deployed field staff across the country to \nmaintain situational awareness and connect election officials to \nappropriate incident response professionals, if needed. In many cases, \nthese field staff were co-located with election officials in their own \nsecurity operations centers. DHS also hosted the National Cybersecurity \nSituational Awareness Room, an on-line portal for State and local \nelection officials and vendors that facilitates rapid sharing of \ninformation. It gives election officials virtual access to the 24/7 \noperational watch floor of the CISA NCCIC. This setup allowed DHS to \nmonitor potential threats across multiple States at once and respond in \na rapid fashion.\n    Our goal has been for the American people to enter the voting booth \nwith the confidence that their vote counts and is counted correctly. I \nam proud to say that our efforts over the past 2 years have resulted in \nthe most secure election in modern history.\n                  no evidence of election interference\n    The Secretary of Homeland Security and the Acting Attorney General \nhave concluded that there is no evidence to date that any identified \nactivities of a foreign government or foreign agent had a material \nimpact on the integrity or security of election infrastructure or \npolitical or campaign infrastructure used in the 2018 midterm elections \nfor the U.S. Congress. The activity we did see was consistent with what \nwe shared in the weeks leading up to the election. Russia, and other \nforeign countries, including China and Iran, conducted influence \nactivities and messaging campaigns targeted at the United States to \npromote their strategic interests.\n                election security efforts moving forward\n    Ensuring the security of our electoral process remains a vital \nNational interest and one of our highest priorities at DHS. In the run-\nup to the 2020 election season, DHS will continue to prioritize \nelections by broadening the reach and depth of information sharing and \nassistance that we are providing to State and local election officials, \nand continuing to share information on threats and mitigation tactics.\n    DHS goals for the 2020 election cycle include improving the \nefficiency and effectiveness of election audits, continued \nincentivizing the patching of election systems, and working with the \nNational Institute of Standards and Technology (NIST) and the States to \ndevelop cybersecurity profiles utilizing the NIST Cybersecurity \nFramework for Improving Critical Infrastructure. We will also continue \nto engage any political entity that wants our help. DHS offers these \nentities the same tools and resources that we offer to State and local \nelection officials, including trainings, cyber hygiene support, \ninformation sharing, and other resources.\n    DHS has made tremendous strides and has been committed to working \ncollaboratively with those on the front lines of administering our \nelections to secure election infrastructure from risks. Just last week, \nDHS officials provided updates to the secretaries of state, State \nelection directors, and members of the GCC and SCC on the full package \nof election security resources that are available from the Federal \nGovernment, along with a roadmap on how to improve coordination across \nthese entities. DHS also worked with our intelligence community \npartners to provide a Classified 1-day read-in for these individuals \nregarding the current threats facing our election infrastructure.\n    We will remain transparent as well as agile in combating and \nsecuring our physical and cyber infrastructure. However, we recognize \nthat there is a significant technology deficit across SLTT governments, \nand State and local election systems, in particular. It will take \nsignificant and continual investment to ensure that election systems \nacross the Nation are upgraded and secure, with vulnerable systems \nretired. These efforts require a whole-of-Government approach. The \nPresident and this administration are committed to addressing these \nrisks.\n    Our voting infrastructure is diverse, subject to local control, and \nhas many checks and balances. As the threat environment evolves, DHS \nwill continue to work with Federal agencies, State and local partners, \nand private-sector entities to enhance our understanding of the threat; \nand to make essential physical and cybersecurity tools and resources \navailable to the public and private sectors to increase security and \nresiliency.\n    Thank you for the opportunity to appear before the committee today, \nand I look forward to your questions.\n\n    Chairman Thompson. Thank you for your testimony. I now \nrecognize Mr. Hicks to summarize his statement for 5 minutes.\n\n    STATEMENT OF THOMAS HICKS, COMMISSIONER, U.S. ELECTION \n                     ASSISTANCE COMMISSION\n\n    Mr. Hicks. Good morning, Chairman Thompson and Ranking \nMember Rogers and Member of the committee. I am pleased to \nappear you today to offer testimony on the pressing issue of \nhow to build partnerships to better protect American elections.\n    Today's hearing comes 3 months after the 2018 midterm \nelections. Early estimates indicate that a record number of \neligible Americans cast their vote in November. I congratulate \nthe Nation's election administrators and their teams for a job \nwell done, inspiring work that the staff and I saw, first-hand, \nas we travel across the Nation in the weeks surrounding the \nelection.\n    This work, coupled with improved lines of communications \nbetween Federal, State, and local officials and Federal \nagencies that serve them resulted in no indication of foreign \nattacks on our Nation's election infrastructure.\n    The EAC is the only Federal agency focused solely on \nelections. This focus is of great value to election \nadministrators and the voters they serve. The commission's \nmission and other mandates established under the Help America \nVote Act, HAVA, are as relevant today as at any time since the \nwatershed bipartisan legislation was signed into law.\n    We commissioners and the EAC staff stand ready to roll up \nour sleeves to address the unique needs of those we serve. Just \nlast week, two new commissioners, Benjamin Hovland and Ben \nPalmer--Donald Palmer were sworn in, joining Vice Chair \nMcCormick and myself to make up a full slate of commissioners \nthe agency has had in nearly a decade.\n    Today's hearing and many of the commission's own efforts \nfocus on election security, which is only one key component of \nelection administration. I have attached to my written \nstatement, a diagram that demonstrates the many different \ncompetencies that require election administrator's awareness \nand attention, knowledge of election law and election \ntechnology, to vote tabulation and post-election audits.\n    Election officials must operate in each of these areas with \nno room for error. That is why the EAC works to provide its \nresources to each of our competencies. That is why we partner \nwith other Federal agencies to leverage their subject-matter \nexpertise.\n    Some of the EAC's Federal partners include DOD, DHS, \nDepartment of Justice, National Institute of Standards and \nTechnology, and the United States Postal Service. This morning \nI will briefly address the EAC's work to help States secure \ntheir elections, including efforts to swiftly and responsibly \ndistribute $380 million in newly appropriated HAVA to States \nand the on-going work to test and certify voting systems.\n    In the Consolidated Appropriations Act of 2018, Congress \nappropriated $380 million in HAVA to the States, in eligible \nterritories for projects and programs to improve the \nadministration of Federal elections. Within 3 months of the \nappropriation, the EAC received distributed requests for 100 \npercent of the funds from all 55 eligible jurisdictions and \nStates.\n    One hundred percent of the funds were quickly distributed \nto eligible States and territories to draw down. The EAC staff \nis currently exam the--examining the Federal financial reports \nregarding how States spent funds last year, the recent Federal \nfurlough has slightly delayed this process.\n    But from our early assessments, we believe that about 58 \npercent of the funds went toward shoring up election security \nand about 33 percent of the funds was used to purchase voting \nequipment.\n    After we complete our 2018 spending analysis, we will \nprovide more specific details about the expenditures and the \nState's future plans for using HAVA funds. The distribution of \nHAVA funds is only one example of the EAC's work to strengthen \nelection security. The EAC serves as a central partner with DHS \nin ensuring that--the success of our National security efforts.\n    DHS has stated that the election security for Government \nCoordinating Council, the GCC, was formed faster than any other \nsimilar critical infrastructure sector council today. The EAC \ntook a needed early leadership role in working toward this \naccomplishment.\n    Building on that success, the EAC convened discussions \nbetween election system vendors and DHS for the formulation of \nthe Sector Coordinating Council, the SCC. Both the SCC and the \nGCC were formulated before the 2018 election year, less than 1 \nyear from the critical infrastructure designation by DHS.\n    In addition, ahead of the 2018 mid-term elections, the EAC \nfocused on steps our commission could take to further serve \nelection officials operating in a new threat environment.\n    On multiple occasions, the EAC brought together election \nofficials, lawmakers, security experts, academics, and \nGovernment partners, for discussion and events to tackle this \nvital issue. While taking--talking about election security at \nforums is important, so is hands-on training.\n    The EAC staff was involved in the establishment of Harvard \nUniversity's Belfer Center tabletop exercise, which have since \nbeen conducted across the country. In addition, since 2015, the \nEAC has presented its election official as I.T. manager, \ntraining to officials representing hundreds of elections \njurisdictions across the country and we will increase our \nefforts following the 2016 election.\n    This training is available on-line through FVAP program, \nthat many more election officials can easily access to complete \nthese efforts. The EAC has also produced a video and supporting \nmaterials to help local election officials explain the many \nlevels of election security for their jurisdictions.\n    The final area I will highlight today during my testimony \nis the EAC's testing and certification program. The EAC--the \nHelp America Vote Act charges the EAC with administrating a \nFederal program for setting voluntary voting system guidelines \nand testing for vendors may choose to have EAC accredited and \nmonitored labs test their voting systems against those \nguidelines for certification.\n    The guidelines contain requirements for security as well as \nother important components such as accessibility, usability, \nand interoperability. These components and functions of the \nsame are deliberated and developed in public working groups \nunder the direction of the EAC's Technical Guidelines \nCommittee, which is chaired by the director and under secretary \nof commerce for standard and technology.\n    After development and approval by the TGDC, the voluntary \nguidelines are submitted to the EAC's executive director, \nprovided for the EAC's Standards Board and Board of Advisors, \npublished for public comment and presented to the EAC's \ncommissioners for consideration and approval.\n    Last spring, the EAC conveyed its advisory boards to review \nand comment on the adoptions of the newest versions of the \nguidelines VVSG 2.0. Both boards recommended that the EAC adopt \nVVSG 2.0. Now that a quorum--I ask for 1 additional minute or \n30 seconds.\n    [Laughter.]\n    Chairman Thompson. Granted.\n    Mr. Hicks. Thank you, sir.\n    Quorum has restored to the EAC. We anticipate that the VVSG \n2.0 will soon be posted for public comment and we will hold \npublic hearings on the proposed guidelines.\n    Members of the committee, the EAC's mission includes \nsupporting election officials across the country as they \nadminister Federal elections and the EAC is committed to that \nwork, to always seeking better ways to do it. I welcome your \nfeedback and I look forward to answering questions you may \nhave.\n    [The prepared statement of Mr. Hicks follows:]\n                   Prepared Statement of Thomas Hicks\n                           February 12, 2019\n    Good morning Chairman Thompson, Ranking Member Rogers, and Members \nof the committee. I am pleased to appear before you today to offer \ntestimony on the pressing issue of how to build partnerships to better \nprotect American elections. As the 2020 Presidential Election \napproaches and jurisdictions across the Nation prepare to host a number \nof State and local elections in the months ahead, I assure you that \nsupporting election officials in their work--including providing \nelection security tools and resources--is one of the most important \nresponsibilities of the U.S. Election Assistance Commission, better \nknown as the EAC.\n    Today's hearing comes 3 months after the 2018 midterm election. \nVoter confidence in our election system is an issue the EAC often \npublicly addressed ahead of last year's election and it is \nintrinsically tied to the topics I will discuss today. With early \nestimates indicating that a record number of all eligible Americans \nparticipated in the 2018 midterms, it is important to recognize the \nincredible ingenuity and care that election officials and those with \nwhom they work demonstrated ahead of the midterms and continue to \nexhibit today. It is this work that shores up the very foundation of \nour democracy and instills voter confidence. EAC Commissioners and the \nCommission's staff saw this first-hand in the weeks surrounding the \nmidterm election as we traveled the Nation to observe everything from \npre-election preparations to post-election audits. In 2018, the work of \nour Nation's election administrators and their teams, coupled with a \ndramatically improved line of communication between Federal, State, and \nlocal election officials and the Federal agencies that serve them, \nresulted in no indication of foreign attacks on our Nation's election \ninfrastructure. I am proud of the role the EAC played in that \ncoordinated effort.\n    The EAC is the only Federal agency that focuses solely on \nelections, and this focus is of great value to election administrators \nand the voters they serve. The EAC's mission and other mandates \nestablished under the Help America Vote Act (HAVA) are as relevant \ntoday as at any other time since that watershed, bipartisan legislation \nwas signed into law. When HAVA passed HAVA in 2002, Congress set out to \nmake sweeping and much-needed reforms to the Nation's voting process. \nCongress established the EAC to serve as the Federal leader in helping \nStates carry out that vision, and the Commission has done so \nsuccessfully. The EAC has helped election officials in each State and \nU.S. territory identify and implement legally-required changes to the \nway America votes. The Commission has a strong relationship with State \nand local election leaders and the voters they serve, which makes \nprogress possible and remains of great value as lawmakers consider \nadditional ways to support the administration of Federal elections.\n    We Commissioners and the exemplary EAC staff stand ready to roll up \nour sleeves to address the unique needs of those we serve. Just this \nweek, two new EAC commissioners, Benjamin Hovland and Donald Palmer, \nwere sworn in, joining Vice Chair Christy McCormick and me to make up \nthe first full quorum of Commissioners the agency has had in nearly a \ndecade. While the EAC has made great strides over the years, we always \nseek to do better and to do more.\n    Certainly one of the primary focuses of our efforts, election \nsecurity is only one component of election administration. I have \nattached a diagram to this testimony that demonstrates the many \ndifferent competencies that require election administrator awareness \nand attention. Election officials must operate in each of these areas, \nso the EAC works on each of them. Knowledge of election law, finance, \naccessibility standards, security considerations, election technology, \npublic relations and human resources are all core on-going election \nofficial responsibilities. As officials prepare to administer an \nelection, they must be experts on mail, street file maintenance, voter \nregistration, military and overseas voting, local candidates and \ncampaign finance laws, project management, polling places and real \nestate, advance voting, and logistics. On Election Day and beyond, \nelection officials must also direct activities such as voting and \ntabulation, canvassing, auditing, administering recounts, and carrying \nout list maintenance. Many of these topics are covered in the EAC's \nElection Administration and Voting Survey report to Congress, including \nthe 2018 report that is under way now and will be delivered to you this \nsummer.\n    It is worth noting that in addition to this work, the EAC provides \nvoters with vital resources and assistance needed to register to vote \nand to cast ballots, and it includes administering the National \nclearinghouse of election administration information to continually \nequip our partners in Congress, State and local government, private \nindustry, advocacy organizations, other Federal agencies, academia, and \nothers in the elections industry with the information they require and \nrely on.\n    The EAC also works alongside Federal partners to leverage their \nsubject-matter expertise to augment the EAC's whole-of-elections \nperspective with specialized products. The EAC works with these \npartners to produce EAC products, help other agencies better develop \nproducts for election stakeholders, and help our stakeholders \nunderstand and integrate these products into the context of their array \nof responsibilities. These partners include the Department of Defense, \nthe Department of Justice, the Department of Homeland Security, the \nNational Institute of Standards and Technology (NIST), and the United \nStates Postal Service.\n    Today I will focus my remarks on election security, one of the most \nintegral components of the EAC's work. The EAC has worked diligently to \nhelp States secure their elections, especially in months leading up to \nlast year's election. The EAC expeditiously distributed newly-\nappropriated HAVA funds to the States, assisted our Federal partners in \nestablishing and managing the critical infrastructure operational \nframework, continued to test and certify voting systems, and \nhighlighted and distributed important best practices in election \nadministration. This work yielded substantial benefits in 2018 and \ncontinues as we look ahead to 2020.\n               distributing newly-appropriated hava funds\n    In the Consolidated Appropriations Act of 2018, Congress \nappropriated $380 million in HAVA funds to the States and eligible \nterritories for projects and programs to improve the administration of \nFederal elections. Within 3 months of the appropriation, the EAC \nreceived disbursement requests for 100 percent of the funds from all 55 \neligible States and territories, a remarkable percentage, and 100 \npercent of the funds were quickly made available for the eligible \nStates and territories to draw down.\n    Less than 2 weeks after these new funds were signed into law by \nPresident Trump, the EAC issued Notice of Grant Award letters to each \nState. Within 3 weeks of the signing, Missouri became the first State \nto request its funds. In the subsequent 10 weeks, the EAC conducted a \nwebcast public forum to explain how the funding would proceed, worked \ndirectly with the National Association of Secretaries of State (NASS) \nand the National Association of State Election Directors (NASED) to \nshare information, conducted multiple webinars to further discuss how \nthe funds may be used, consulted with members of the disability \ncommunity to hear their views on use of the funds, and had frequent \ncontact with each State in an effort to move the funds quickly.\n    The EAC website also provides access to a set of Frequently Asked \nQuestions regarding the funds. The attached map, also on the EAC \nwebsite (www.eac.gov), shows the amount of funds appropriated to each \nState. The EAC fulfilled its promise to get the funds to the States as \nquickly as possible, and the Commission continues to consult with \nStates and territories regarding the proper use of the funds, which \nwere disbursed after the States provided a short narrative describing \nplans for how the funds will be used.\n    The EAC has used the new HAVA funds not just as an opportunity to \nprovide much-needed financial support to the States, but also as a \nmechanism to promote best-practice information sharing among election \nadministrators. Details from the State plan documents have been shared \nwith the entire election community and on the EAC website. It is \nessential that the States and territories have access to the wealth of \nideas and innovative approaches contained in other States' \nindividualized planned activities as they plan their own use of the \nfunds. As we continue to work closely with the State and local leaders \ncharged with spending these funds, the EAC's staff will continue to \ncompile the information we receive so that the election community and \nothers will have access to particulars of how the States and \nterritories are expending their funds to further update and secure \ntheir election systems.\n    The EAC's staff is currently examining Federal Financial Reports \nregarding how States spent funds last year. The recent Federal furlough \nhas slightly delayed this process, but from our early assessment, we \nbelieve that about 58 percent of funds spent went toward shoring up \nelection security and about 33 percent were used to purchase voting \nequipment. After we complete our 2018 spending analysis, we will \nprovide more specific details about those expenditures and about \nStates' future plans for using new HAVA funds. I've attached to this \ntestimony two charts detailing how States initially indicated they \nplanned to spend funds and the percentage of total funds allotted for \nactivities such as election security and updating election equipment.\n                   critical infrastructure activities\n    The distribution of HAVA funds is only one example of the EAC's \nwork related to election security. The EAC has been serving as a \ncentral partner with the Department of Homeland Security (DHS) in \nensuring the success of this National security effort well before the \n2017 Critical Infrastructure designation by former Secretary Jeh \nJohnson. The DHS has stated that the election sector's Government \nCoordinating Council (GCC) was formed faster than any other similar \ncritical infrastructure sector council to date. The EAC took an early \nleadership role in working toward this accomplishment, and we recognize \nit as an exemplary proof-point of how local, State, and Federal \nGovernments can effectively work together toward the shared goal of \nprotecting our Nation's election infrastructure.\n    Building on that success, the EAC also convened discussions between \nelection system vendors and the DHS for the formation of the Sector \nCoordinating Council (SCC). Thanks to the swift establishment of the \nGCC and the well-established relationships between the EAC and election \nequipment vendors, work on the SCC began in the summer of 2017, and its \nofficial formation meeting took place before the end of last year. Both \ncouncils were functioning before the 2018 election year, less than 1 \nyear from the Critical Infrastructure designation by the DHS.\n    The EAC Chair serves on the GCC Executive Committee, and all EAC \nCommissioners are chartered members of the GCC. Like many members of \nthe GCC, the EAC is seeking security clearances through the DHS and has \nbeen assured that the Department will be addressing those security \nrequests soon.\n    During the last Presidential Election cycle, the EAC was a key \nplayer in Federal efforts to share vital security information with the \nStates and educate our Federal partners about ways to best serve the \nneeds of election administrators. For example, the EAC:\n  <bullet> Distributed urgent security alerts and threat indicators \n        from the DHS and the Federal Bureau of Investigation (FBI) to \n        States and territories to help protect election systems from \n        specific cybersecurity threats.\n  <bullet> Met on multiple occasions with staff from the DHS, the FBI, \n        and the White House to discuss specific and nonspecific \n        threats, State and local election system security and \n        protocols, and the dynamics of the election system and its \n        8,000-plus jurisdictions Nation-wide.\n  <bullet> Served as the Federal Government's primary communication \n        channel to provide real-time cybersecurity information to \n        election officials around the country. This information \n        included current data on cyber threats, tactics for protecting \n        election systems against these threats, and the availability \n        and value of DHS resources for protecting cyber assets.\n  <bullet> Participated in and convened conference calls with Federal \n        officials, secretaries of state, and other State chief election \n        officials, local election administration officials, Federal law \n        enforcement, and Federal agency personnel to discuss the \n        prospect of designating elections as part of the Nation's \n        critical infrastructure. These discussions focused on topics \n        such as coordinating security flashes from the FBI, the \n        implications of a critical infrastructure designation, \n        education on the Nation's election system, and the dynamics of \n        successfully communicating information to every level of \n        election officials responsible for running the Nation's \n        election system.\n  <bullet> Provided DHS with perspective, information, and data related \n        to the election system, introductions to officials in the \n        election community, and information that assisted the agency \n        with shaping communications in a manner that would be useful to \n        the States and local election officials.\n  <bullet> Published a white paper entitled ``U.S. Election Systems as \n        Critical Infrastructure'' that provided a basic understanding \n        of critical infrastructure for election officials.\n  <bullet> Contributed to multiple foundational DHS documents used to \n        structure the Elections Systems Critical Infrastructure \n        designation and sector.\n    Ahead of the 2018 Midterm Election, the EAC focused on steps our \ncommission could take to further serve election officials operating in \nthe new threat environment. The EAC brought together election \nofficials, security officials, academics, and Federal Government \npartners for an Election 2018 kick-off summit at the National Press \nClub in January 2018. Just 1 month ahead of the mid-term election in \nOctober 2018, we gathered a similar audience here in the Capitol \nVisitors Center for an election readiness summit that featured, among \nothers, Senators Blunt and Klobuchar, as well as high-level officials \nfrom DHS and the National Counterintelligence and Security Center. \nThese events and others like them throughout 2018 raised awareness of \nthe security preparations election officials had under way and the \nresources available to the States and localities to help with this \ncritical work.\n    While talking about election security at forums is important, the \nEAC also knows the importance of training. EAC staff was intricately \ninvolved in the establishment of Harvard University's Belfer Center \nTable-Top Exercises, which have since been conducted across the \ncountry. During the past year, the EAC has also developed and presented \nits ``Election Official as IT Manager'' training to officials \nrepresenting hundreds of election jurisdictions across the country, and \nwe are working with the DHS to put this training on-line through the \nFedVTE platform so that many more election officials can easily access \nit.\n    The EAC also produced a video and supporting meeting materials to \nhelp local election officials explain the many levels of election \nsecurity at their jurisdiction. The video was designed to be viewed at \ncivic group meetings and election worker trainings. It can also be \ncustomized by jurisdictions, and some States are tailoring the video to \ntheir voters and processes. We plan further work in this regard. In \naddition, the EAC Commissioners continuously meet with State and local \nelection officials at regional conferences across the country. These \nvisits allow the Commissioners to apprise officials of best practices, \npromote resources available from the EAC and our Federal partners in \nagencies such as the United States Postal Service, the Federal Voting \nAssistance Program (FVAP) within the Department of Defense, the \nDepartment of Justice, and the DHS, and discuss current concerns and \ntopics in election administration, such as contingency planning, \naccessibility, voter registration, and technology management.\n    On Election Day 2018, we were pleased to have our newly-hired chief \ninformation officer and the head of our Testing and Certification \nProgram on-site with other Federal agencies and key election \nstakeholders who gathered at the National Cybersecurity & \nCommunications Integration Center (NCCIC). We are proud of the role we \nplayed last year, and we continue to seek new ways to provide election \nsecurity support to State and local election leaders.\n      testing and certification/voluntary voting system guidelines\n    The Help America Vote Act charges the EAC with administering a \nFederal program for setting a voluntary National standard for testing \nand certificating voting systems. This testing standard is the EAC's \nVoluntary Voting System Guidelines (VVSG), and vendors may choose to \nhave EAC-accredited and monitored labs test their voting systems \nagainst these guidelines for certification. The guidelines contain \nrequirements for security, as well as other important components--such \nas accessibility, usability, and interoperability. In fact, while \nsecurity is a guiding consideration of certification, so is \naccessibility for voters with disabilities and voters with limited \nEnglish proficiency.\n    These considerations are deliberated and developed in public \nworking groups under the direction of the EAC's Technical Guidelines \nDevelopment Committee (TGDC), which is chaired by the director and \nunder secretary of commerce for standards and technology. This TGDC's \nmembership is made up of technical and scientific experts from fields \nsuch as security, accessibility, voting machine production, and voting \nmachine use. After development and approval by the TGDC, the voluntary \nguidelines are submitted to the EAC's executive director, provided to \nthe EAC's Standards Board and the Board of Advisors, published for \npublic comment, and presented to the EAC's commissioners for \nconsideration and approval. Last Spring, the EAC convened its advisory \nboards to review and comment on the adoption of the newest version of \nthe voluntary guidelines, VVSG 2.0. Both boards recommended that the \nEAC adopt VVSG 2.0. Now that a quorum has been restored at the EAC, we \nanticipate that the VVSG 2.0 will soon be posted for public comment, we \nwill hold public hearings on the proposed guidelines, and the agency \nhas the pieces in place for final consideration.\n    While the EAC has been hard at work on the newest version of the \nVVSG, the EAC has not stopped its on-going work to rigorously review, \ntest, and certify voting systems. These reviews are referred to as test \ncampaigns, and in these campaigns EAC accredited laboratories test \nvendor-submitted voting systems against the standards contained in the \nVVSG. Once a system successfully completes a test campaign, the results \nof the campaign are transmitted to the EAC's executive director for \ncertification of the voting system to the standard against which it was \ntested. If the EAC's executive director agrees that the voting system \nhas conformed with the standard, it is certified as such and assigned a \ncertification number. It takes the EAC approximately 8 to 12 months to \ncertify a newly-submitted voting system. If the system has already been \ncertified and the vendor is making an upgrade or revising a component, \nit may take as little as a few weeks or as much as 6 months to upgrade \nor change.\n    In addition to the actual certification of the voting systems, the \nEAC's Testing and Certification Program continually conducts quality \nmonitoring of all EAC-certified systems and audits the quality of the \nEAC-accredited test labs. Monitoring of the voting systems occurs \nthroughout the entire span of manufacturing and life of service, \nincluding manufacturing facility audits, field system review and \ntesting, and field anomaly reporting from manufacturers and election \nofficials.\n                               conclusion\n    Members of the committee, the EAC's mission includes supporting \nelection officials across the country as they administer Federal \nelections, and we are committed to that work and to always seeking \nbetter ways to do it. The importance of election security and how the \nnewly-appropriated HAVA Funds will assist States remain a primary focus \nand top priority for the commission. I am honored to support the \nimportant work carried out by our Nation's election administrators each \nand every day, and I congratulate them on a job well done in 2018. The \nEAC looks forward to working closely with them ahead of the 2020 \nPresidential Election. I welcome your feedback, and we look forward to \nanswering questions you may have.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Thompson. Thank you very much. I thank the \nwitnesses for their testimony. I remind each Member that he or \nshe will have 5 minutes to question the panel. I now recognize \nmyself for questions.\n    Director Krebs, given the 2019 World-wide Threat Assessment \nthat warned that the U.S. adversaries and strategic competitors \nprobably are already looking at the 2020 U.S. elections, how \nconfident are you that our election infrastructure, as it is at \nthis moment, is secure against cyber attacks?\n    Mr. Krebs. Chairman, thank you for the question. I \ncertainly think that, just like any other I.T. system, the \nelection infrastructure bears additional securing and \nresilience measures. But I will say that compared to where we \nwere in 2016, not just from a fundamental I.T. security \nperspective, but from a collaboration working across the \ndifferent stakeholder groups, we are light-years ahead of where \nwe were. Most importantly, we have greater visibility both of \nthe threats that are incoming, but also how they would work \nacross the ecosystem and across the infrastructure.\n    I mentioned earlier, the Albert sensor coverage that we \nhave, less than 30 percent in 2016, over 90 percent in 2018, \nthat gives us near-real-time visibility in what is happening \nacross the networks.\n    The last thing I will add here, the area that I think we \nneed to invest the most as a Nation, is ensuring auditability \nacross infrastructure. It is a key tenant of I.T. security. If \nyou don't know what is happening and if you can't check back \nacross the system, what is happening in the system, then you \ndon't really have security. So, to the extent that we can focus \non an outcome of auditability throughout the process end-to-\nend, that is the greatest area of need in my view.\n    Chairman Thompson. So, is that a matter of software or \ntraining or what?\n    Mr. Krebs. Yes, sir, everything. One area that we can focus \non, and the good news is from my understanding and I would \ndefer to Chairman Hicks, every State is--that is not already on \na paper-type ballot, whether it is hand-marked or whatever--\nevery State, including the 5 that are on electronic machines \nright now, are moving toward paper.\n    Paper helps that auditability process. Then you have after-\nelection audits on the backend, but it is not just about the \nvoting day, it is also all the way through the voter \nregistration process, making sure that you have visibility and \nunderstanding of what is happening in those databases.\n    Chairman Thompson. Right. So, Mr. Hicks, are you concerned \nthat so much of what we use is from international sources and \nthe potential for supply chain compromise is there or has that \nissue come up in your review?\n    Mr. Hicks. It has come up in our reviews but I would like \nto say that it is difficult to function in a world economy and \nnot have some form of components coming from overseas. I \nbelieve that that is being looked at but I believe that we can \nstill move forward with a secure election process because the \nEAC certifies voting systems and that is all components within \nthose systems for the voluntary voting system guidelines and \nstandards and we certify the labs that do that as well. So I \nhave very little concern in foreign components overall because \nI have great faith in our labs and the overall structure of our \nvoluntary voting system guidelines to ensure that those systems \nare functioning the way that the American people want them to.\n    Chairman Thompson. Mr. Krebs do you want to comment on \nthat?\n    Mr. Krebs. Yes, sir. So I mentioned in my opening remarks \nthat we have three primary areas of focus for 2020. One is \nextending to locals but the second piece is better \nunderstanding the risk across the election infrastructure. As \nChairman Hicks mentioned, supply chain concerns are certainly \nin that register of risk that we are looking at but I am \nactually at this point more concerned or focusing in on basic \ncyber hygiene practices.\n    When we looked across a range of sectors and segments what \nwe saw was the election community still has challenges with \nbasic cyber hygiene and so what our area of focus is helping \nwith patching, helping implement multifactor authentication, \nhelping on phishing campaign assessments, things of that \nnature.\n    Chairman Thompson. So before I run out of time, your \ntestimony indicated that all the secretaries of state had \nparticipated in some aspect of your resources?\n    Mr. Krebs. Yes, sir. All 50 States have engaged with the \nDepartment in one way, shape or form. The election \ninfrastructure ISAC for instance has all 50 States as members.\n    Chairman Thompson. Thank you, I yield to the----\n    Mr. Hicks. Congressman, there is one other aspect of that \nthat I wanted to jump on, with--Under Secretary Krebs was \nspeaking about, and one way to ensure that the systems are \nfunctioning the way that they are intended is through \nauditability. So once we move away from those 5 States that \ndon't have paper trails associated with them, I believe that \nall States should be able to audit using some form of paper but \nalso to ensure that we continue on with the Help America Vote \nAct of ensuring that those who have disabilities might not be \nable to use that paper can still vote independently and \nprivately.\n    Chairman Thompson. Thank you. I yield to the Ranking Member \nfor 5 minutes.\n    Mr. Rogers. Thank you, Mr. Chairman. Commissioner Hicks in \nyour opening statement you made reference to the fact that last \nspring the EAC had distributed $380 million in fiscal year 2018 \nfunds to the States to improve their elections. To date, how \nmany States and territories have been able to spend their \nallocation? I know you said 100 percent of it had been \ndistributed but have they been able to spend it?\n    Mr. Hicks. All the States are spending that money now. They \nhave up to 5 years to spend the money for--for additional \nthings. It is basically an infrastructure grant. So if we look \ntoward--and continuing on with infrastructure, it won't be \nbuilt within 3 months but it would be carried on for the 5 \nyears the Congress appropriated that money for.\n    Mr. Rogers. You are just starting to spend it?\n    Mr. Hicks. Yes.\n    Mr. Rogers. OK.\n    H.R. 1 authorizes, and this is also for Mr. Hicks, H.R. 1 \nauthorizes--nearly $1.2 billion over the next 2 years to local \nelection security improvements. Is it feasible for States to \nbuy equipment, implement new security measures and poll \nworkers, trained in time for the primaries 2 years from now?\n    Mr. Hicks. I missed part of your question, sir.\n    Mr. Rogers. Given that $1.2 billion is to be spent, can the \nStates take that money and buy equipment, train poll workers, \nand implement security measures in time for the primaries for \nthe 2020 elections?\n    Mr. Hicks. I believe States can do most of that. But again \nwe can't just--the States can't go to Best Buy and get that off \nthe shelf so most of the States are moving toward not only \npurchasing new voting equipment but also other aspects of the \nelection process in terms of voter registration, election \naudits, security overall so it is not just purchasing new \nvoting equipment, they are going from registration to election \nnight reporting.\n    Mr. Rogers. My point is I just don't see how they are going \nto be able to get that done by the 2020 primaries and they are \nright--you are talking about next March is Alabama's primary; \nsome of them are early as February or January of next year. \nFinally, you--for Mr. Hicks, you talked about certifying that \nthe EAC certifies election security systems. Can you tell me \nmore about that certification process?\n    Mr. Hicks. It is voting systems overall. So basically for \nvoting systems, once the State decides they want to fall under \nthat process of our voluntary voting system guidelines, those \nsystems are sent by the vendors to those--to our test labs and \nthen certified to those sorts of standards. It is the same as \nif computers or iPhones or other aspects of that, they are \ntested to a certain standard.\n    Mr. Rogers. Can you have your staff to submit to my staff--\nfor the full committee staff, what those standards are, \ncertification standards? I would really be interested in \nreviewing those.\n    Mr. Hicks. Well there is several of them so we just \ncertified 1.1 in 2015 but for the last 4 years since I have \nbeen at the commission, we have been working on the 2.0 \nvoluntary voting system guidelines and there is a healthy \ndebate going on right now between myself and the other \ncommissioners when ensuring that those get out for public \ncomment relatively soon.\n    Mr. Rogers. Good. Mr. Krebs, can DHS and EAC complete \nsupply chain security and other qualification mandates on \nvendors required by H.R. 1 fast enough for States to know that \nwhat they are buying is acceptable machines in time for the \n2020 primaries?\n    Mr. Krebs. I am not sure. I have to think about the number \nof systems, the research, the requirements that would have to \ngo into that. I may need to get back to you on the timeliness \nof that.\n    Mr. Rogers. My final question is these 5 States that \ncurrently have audit concerns, you both made reference to the \nfact they are moving toward paper. Can you tell me more about \nwhat they are doing?\n    Mr. Hicks. So those States are purchasing--some States are \nalready in line to purchase new voting equipment, like Georgia \noverall. But some States are putting bids out to other \nmanufacturers to get some sort of paper. So it is basically \nlittle things like buying anything. There is different models \nout there and what works best for those States is what those \nStates are going to purchase. But there are other aspects of \nvoting systems that are out there--optical scan machines or \njust paper-based systems overall where States are looking \ntoward getting those so that they can audit those at night--\nafter election night and so forth.\n    Mr. Rogers. Do you have a time line of when they expect to \nbe able to get that auditability?\n    Mr. Hicks. It is an on-going thing. So the first purchase \nof voting equipment under the Help America Vote Act was more \nthan 15 years ago and as I--when I say how much confidence \nfolks have on computer systems that they purchase 15 years ago \nbut the EAC gives guidance on maintaining aging voting \nequipment to ensure that those systems function the way they \nwere designed to.\n    So I would say that it is an on-going process so it might \nnot be, you know, fully completed in 2020. By 2022, 2024 as \nelections continue on, more systems will be mothballed.\n    Mr. Rogers. Thank you. I yield back.\n    Chairman Thompson. Thank you. The Chair recognizes the \ngentlelady from New York, Ms. Rice.\n    Miss Rice. Thank you Mr. Chairman. Mr. Krebs, I would like \nto start with you if I could. I applaud the progress that you \nhave made protecting the machinery of our elections but what I \nwant to address now is another part of election protection, and \nthat is protecting the campaigns and the political party \ncommittees from attack. Everyone is well aware of what happened \nin 2016. There was the hacking of the DNC, the DCCC, and the \nClinton campaign, all hacked by Russia.\n    We know the subsequent use of the stolen materials have a \nprofound effect on the election. We also know that in 2018 the \nNRCC was hacked, that being in the midterm cycle. Now I know \nthat on our side the DCCC launched unprecedented cybersecurity \nand disinformation prevention operations. But all of that work \nwas done by themselves. It was not done in coordination with \nany Federal agency--with the Federal Government at all even \nthough these are Federal campaigns.\n    So I want to ask you, do you think that we should rethink \nhow we are doing all this?\n    Mr. Krebs. Yes, ma'am. Thank you for the question. So \nduring the 2018 cycle and even to today, we have worked with \nthe major parties. RNC, we have conducted training--conducted \ntraining. DNC, we have a very good relationship with the CIO. \nWe continue to work with the other committees so it is in our \narea of engagement. I take your point though that we need to \nexpand and deepen and broaden that engagement. We continue to \nthink about the various offerings that we have whether its \ncapabilities, technical support information sharing, training, \nthose are all the areas that we are continuing to push out.\n    I would encourage each of you, as you are coming up on \nanother cycle, you know, please work with us, your own \ncampaigns. We have capabilities that we can offer and it is \ndefinitely within our--it is an area of priority engagement for \nus going forward.\n    Miss Rice. So I am glad to hear you say that. I want to ask \nyour opinion about whether you think using the Information \nSharing Analysis Center, the ISAC model that you use for \nworking with sectors like the energy and financial fields. Do \nyou think that that would be of help here?\n    Mr. Krebs. In terms of political infrastructure and \npolitical campaigns?\n    Miss Rice. Yes.\n    Mr. Krebs. I don't have any reason to believe why it \nwouldn't work.\n    Miss Rice. I think that that is something that we have to \nlook into because all of this is about sharing information when \nyou are being hacked and what you do about getting down \ndisinformation and all that kind of stuff. There were 3 States \nthat did not use any part of the election assistance commission \nso this could be either to Mr. Hicks or to you, Mr. Krebs. \nThree States--Florida, Oklahoma, and Oregon chose not to use \nany part of the EAC's testing or certification program and they \nwere all targeted by Russian hackers in 2016.\n    I guess my question is are we encouraging States to \nparticipate in the programs and I understand the tension \nbetween, you know, the State's rights over how their elections \nare run but there is--I guess I would ask you, do you think \nthere is a role for the Federal Government to play and did the \nGovernment--Federal Government do enough to participate \nStates--to encourage States to participate in the program \nbefore the 2018 cycle and how many States will be participating \nin this--in the 2020 cycle?\n    Mr. Krebs. So I wouldn't use 2016 as the baseline for how--\nwhat States engage, what local communities engage. I would \ninstead recommend that we look at 2018. All 50 States worked \nwith the Department of Homeland Security, and it is also \nimportant to keep laser-focused on what the Department's \nmission is; that is cybersecurity technical assistance. The \nelection capabilities, that resides with the EAC and NIST and \nthe others. We are very focused on cybersecurity capabilities. \nWe had all 50 States, 1,400 jurisdictions, a number of election \nequipment vendors all playing ball with us.\n    The difference between 2018 and 2016 and I hope that you \nwill hear this in the next panel was trust. In 2016 there was \nno relationship between the Department and EAC. There was no \nrelationship between Secretary Padilla or Secretary Merrill. \nRight now, those relationships are strong and growing stronger. \nSo I am very confident that going forward that we have the \nbaseline of engagement and partnership in place to only \ncontinue to improve the security and resilience in the voting \nsystem.\n    Mr. Hicks. Thank you for the question, Congresswoman. There \nare two aspects that I would like to point out with--for two \nStates that I went to last year. I went to Oregon and I did go \nto Florida as well. In Oregon I saw the wildfires that were \ngoing on and they were looking toward the EAC to get some sort \nof guidance in terms of overall aspects of running their \nelections. They're an all-paper State so they do everything by \nvote by mail. So they were--they were I think on top of things \nin terms of moving forward.\n    Florida, I had the honor of going down to visit with Bay \nCounty which was devastated by Hurricane Michael and to see \ntheir election folks basically in tears but being happy that \nthe EAC was there to document their--their concerns and get \nothers to see that and I hope that our staff will be able to \nhave the videos that we took up relatively soon so folks can \npay attention to that and not forget those folks as well.\n    I think that there are different aspects that the States \nhave gone to, to use our services, so we do touch all 55 \njurisdictions--the 50 States and the 5 territories and the \nDistrict of Columbia. So I believe that, as Under Secretary \nKrebs talked about, there was a lack of cooperation--not \ncooperation but communication with Federal partners before that \nbut I think since the EAC's founding in 2003 that we have \nhelped States improve the process. So I think that as each \nelection goes on that we will continually improve that process.\n    Miss Rice. Thank you. Thank you, Mr. Chairman.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from New York, Mr. Katko.\n    Mr. Katko. Thank you, Mr. Chairman, and I want to \ncongratulate you on becoming Chair of this committee and I am \nlooking forward to working with you and Mr. Rogers and I know \nbased on past experience with you that we will continue the \nfine bipartisan work on this committee that I wish the rest of \nCongress would engage in.\n    Mr. Krebs, it is nice to meet you. I am now the Ranking \nMember of the Cybersecurity Subcommittee and in that capacity I \nthink we will become well-acquainted with each other going \nforward.\n    I was heartened, Mr. Krebs, about what you said in your \ntestimony today and what you said in your written testimony, \nthat there has been no evidence to date that any identified \nactivities of a foreign government or a foreign agent had a \nmaterial impact on the integrity or security of election \ninfrastructure or political or campaign infrastructure in the \n2018 midterms. That is a great thing.\n    But, I also kind-of took pause by what you said that \nelection security has come a long way, but it bears additional \nmeasures. One of the things that you mentioned was \nauditability.\n    I want to make sure I understand a little bit more in \ndepth, what are some of the additional measures you think we \nshould be taking to makes sure that we do the best we can to \nsecure our elections?\n    Mr. Krebs. So, I continue to believe and that--and \nSecretary Neilson has been consistent with this as well, but \nvoter verifiable paper trails are critical elements of \nauditability. In that--after-election audit processes, and I \ndon't want to stipulate to any specific type of audit, there \nare a number and variety of audits that could be implemented \nbased on the systems that are in place, but those are two \nelements.\n    Mr. Katko. Mr. Hicks, is there anything you want to add to \nthat?\n    Mr. Hicks. I believe that the States in 2018, when they \nsubmitted their request for funds to us, allocated over $20 \nmillion to go toward the auditability of elections. There are \nmany different ways to audit elections, and then as we move \nforward, the EAC has done a paper on 6 ways to do audits and I \nhope that States take advantage of those resources.\n    Mr. Katko. Now, Mr. Hicks, you also mentioned that as part \nof the process of review, you wanted to look all the way \nthrough the voter registration process. Could you explain the \ndifferent steps you would like to look at as far as doing your \naudits of the election security?\n    Mr. Hicks. So, it is basically to go, and it is not just \ndepending on audits, it is basically to go from voter \nregistration and list maintenance to ensure that the folks who \nare on the rolls are the people who are assigned to that.\n    Many States have gone toward on-line voter registration \nthrough the DMVs and other aspects. Some States have gone to \nautomatic voter registration, and then you go toward polling \nplaces to ensure that people have access to the polls to make \nsure that the ramps for those who have disabilities and \nwheelchairs and so forth can still get in there and the height \nof the machines and so forth, to the poll worker training, I \nthink that is a vital part. They are the front line of defense \nthat we have in terms of Federal elections.\n    There is over a million requests for poll workers in each \nPresidential year that is always coming up short and I would \nlike to see for--for more people to actually volunteer to be \npoll workers.\n    Then, toward election night reporting with the Associated \nPress, and other aspects as well. So, it goes from A to Z in \nterms of ensuring that our election process remains strong and \nthat voters' confidence remains high.\n    Mr. Katko. Is there anything you might add to that Mr. \nKrebs?\n    Mr. Krebs. No, sir.\n    Mr. Katko. OK, another question I have is, what--do you--\ndoes the size of the State matter at all, as far as compliance \nwith these issues and being active participants in them, No. 1?\n    No. 2, the nation-state actors, obviously we are concerned \nabout them, the Iraqs--I mean the Irans and the Russians of the \nworld and others. Is there other actors outside of that arena \nthat you have potential--that have potential to disrupt around \nminor elections, Mr. Krebs?\n    Mr. Krebs. So, to your first question, we have the smallest \nState and the largest State engaging with us. So, I wouldn't \ncharacterize any sort of participation based on the size of the \nState.\n    In terms of the landscape of threat actors, certainly the \nbig four or primarily, in this case, China, Russia, Iran have \nbeen active in foreign interference and influence operations.\n    But, generally speaking, in terms of cybersecurity issues \nwrit large, we do see more blended operations, proxies, \ncutouts, things like that, so that is on the international \nlandscape. It is just getting more complex, more of a blended \nenvironment.\n    Mr. Katko. Mr. Hicks, want to add to that?\n    Mr. Hicks. Thank you, sir. The--I believe that it is a \nmisnomer that think that it is the States, but it is mostly the \nlocal election officials who are running the elections and it \nis usually one or two individuals. It is not the large counties \nthat are basically targeted. It is usually the person who is \nnot only handling the election, but they are driving the school \nbus, they are doing payroll, they are doing nine other \ndifferent things, and so they are targeted.\n    So, we try to offer--we try to go out to the States and \noffer training as I.T. managers for election officials to their \nState conferences, because they are not always able to come to \nthe District of Columbia to get that sort of training.\n    Mr. Katko. Thank you, Mr. Chairman.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from California, Mr. Correa, for 5 \nminutes.\n    Mr. Correa. Mr. Chairman--thank you Mr. Chairman. First of \nall, let me congratulate you on your chairmanship, sir. Wanted \nto also thank you for holding this most important hearing on \nour Democratic institutions, our voting system, the integrity \nof our votes goes to the heart of our Democratic system in this \ncountry. Thank you very much, sir.\n    First question I have is for Mr. Hicks. That is, during the \nrecent Government shutdown, secretaries of state across the \ncountry were notified that conversations with the Department of \nHomeland Security would be suspended.\n    Can you tell me what the effects, negative, of the \nGovernment shutdown were, in terms of harming the security of \nour election system, given these next elections are just around \nthe corner?\n    Mr. Hicks. I think that is more appropriate question for \nUnder Secretary Krebs, with his discussions with Homeland \nSecurity.\n    Mr. Correa. Mr. Krebs.\n    Mr. Hicks. I would add that with the Government shutdown, \nwe were furloughed. I was still working myself and then we have \nhired a CIO to ensure that our infrastructure in our office \nwould remain high. We still had conversations with States and \nlocals.\n    As I stated in my testimony, some of our delay, in terms of \nreporting out issues, have occurred because of the Government \nshutdown and our election voting administration survey, we are \ncollecting that data to hopefully have that out to Congress by \nthe end of June, but I am hoping that none of that will be \ndelayed because of the shutdown.\n    Mr. Correa. Thank you. Mr. Krebs.\n    Mr. Krebs. Sir, so during the shut--there was no question \nthere was an impact from the shutdown. During that 35-day \nperiod we continued to share intelligence, threat intelligence, \nas it came in. We continued to send indicators out to those \nAlbert Sensors I mentioned earlier on. We continue to conduct \nanalysis based on the information we had and the intelligence \nthat we had.\n    In terms of the things that we had to pause, for one, \nmeeting with new secretaries of state that were sworn in \nearlier in January; that was probably my biggest regret in \nterms of missed opportunities. We also had to pause some of the \nvulnerability assessments. We have since rescheduled those, and \nthose are back on the books.\n    Then just general planning, in terms of the recent National \nAssociation of Secretaries of State and the State Election \nDirector annual conference, content development for that \nengagement did have to slow. My sense of things, though, was we \nramped back up, I placed election security as one of the top \npriorities for CISA as we restarted after the shutdown.\n    My sense of things is that we will be back on track, if not \nalready back on track, for instance, we are already in the \nplanning process for another National-level tabletop exercise \nthis June. Last year we had 44 States in the District of \nColumbia. This year we hope to outdo even that.\n    Mr. Correa. Very quickly, cybersecurity, as it pertains to \nthe census that exercise we do every 10 years, redistricting is \nbased on the census, how secure do you think that data, \nredistricting data, census data is when it comes to cyber \nthreats?\n    Mr. Krebs. We do work directly with the Census Bureau on \nprotecting the system, particularly the 2020. So, happy to come \nback and provide you a little bit information and the \ncommittee----\n    Mr. Correa. That is a critical issue.\n    Mr. Krebs. Yes, sir.\n    Mr. Correa. Mr. Hicks.\n    Mr. Hicks. That is not one that the EAC focuses on. But I \ntalk to our staff and get a clear answer for you sir.\n    Mr. Correa. But I presume that it is something on--on your \nplates--something on your radar that you are looking at, again, \nsecurity of our census data?\n    Mr. Krebs. Absolutely. Yes sir. Like I said, we do work \nclosely with the Census Bureau on this--the 2020 census.\n    Mr. Correa. Quickly, post-election audits, what would such \naudits look like? Would they be the same across the country?\n    Mr. Hicks. Those would not be the same across the country. \nWhat works in Rhode Island might not necessarily work in \nWashington State.\n    Mr. Correa. Is that because of the paper versus no-paper \nsituation?\n    Mr. Hicks. No. It is just that there is different factors \nto it; the number of people, the way that they run elections. \nSome are townships. Some are counties, and so forth. It would \nbe more of the type of machines that they use, and other \naspects of it. But I believe that it is--that all States should \nbe doing some sort of audits to ensure that the confidence of \nelections remain high.\n    Mr. Correa. Thank you. Just different machines, different \noutcomes, different standards, do you see us giving States \nrights here? The ability of States to choose whatever they want \nto purchase. Are we looking at moving toward more \nstandardization?\n    Mr. Hicks. No. I think that States should purchase the \nmachines that work best for them. I would equate it a little \nbit to purchasing a car. You might want a different type of \ncar, but all of those cars should still have some sort of \nstandards associated with it.\n    Mr. Correa. Thank you. Mr. Chairman, I yield.\n    Chairman Thompson. Thank you very much. I now recognize the \ngentleman from Texas, Mr. Ratcliffe.\n    Mr. Ratcliffe. Thank you, Mr. Chairman. Thanks for holding \nthis hearing. Securing election infrastructure is and \nrightfully should be one of the central priorities of this \nCongress, and certainly a priority for the American people.\n    I will say that I don't think that Title III of H.R. 1 \nadequately brings forth solutions that effectively and \nefficiently addresses the issue of hardening election security, \nmuch less do so in a bipartisan manner.\n    I do want to start with you, Director Krebs. Good to see \nyou again. One of the things that CISA is in a unique position \nto do now is it sits between the resources, and capabilities, \nand intelligence of the Federal Government, and the innovation \nthat is happening in the private sector.\n    But one of the things that I have heard often over the last \n4 years, as the Chairman of the Cybersecurity Subcommittee, is \nthat the amount of actionable intelligence, or information \ncoming from the intelligence community, being provided to the \nprivate sector through DHS is not enough, or is not good \nenough, or is not timely enough, or is, in some respects, stale \ninformation. You and I have talked about that. I would be \ncurious in your perspective, now as the director of CISA. \nAddress, for me, the progress, with respect to that issue.\n    Mr. Krebs. Sir, thank you for the question. It is for sure, \na continuous improvement process. We are better than--today \nthan we were a couple of years ago. I do want to say that--that \nthis election cycle, 2018, the time between 2016 and 2018 \nreally was a--for us, and the intelligence community and law \nenforcement, a forcing function to improve the way we go about \ndoing business both, on intelligence, analysis, sharing, \npartnering on incident response, and other surge capabilities.\n    That we are going to be able to spin that out so the \nelection community is supported, but so is every other sector; \nthe grid, the financial sector. Every other critical \ninfrastructure sector will benefit from the progress we have \nmade, specific to the election community, over the last 2 \nyears. So net-net, we--there is progress there.\n    In terms of the specific information sharing, the--I \nmentioned those Albert Sensors. One of the things that we \nreally worked closely with the intelligence community on was \nhelping the I.C. understand what the information--the network \ndefense requirements were of the community--of the election \ncommunity so that they could refine their collection and \nanalysis, and then push their refinements back out into the \nnetwork defender space.\n    We have also conducted some studies, in terms of the \nindicators that we share through our automated indicator \nsharing program. Based on those studies, 30 percent of the \nindicators that are shared are unique and they have a unique \nshelf life, about 120 days.\n    That is one of my areas of focus for the agency, finding \nwhere we are unique. Finding where we have value-add, and we \nare not competing or supplanting a private-sector capability, \nbut really action--taking action using those intelligence \ncommunity capabilities.\n    Mr. Ratcliffe. So when we talk about the election \ninfrastructure threat landscape, we talk about needing to \nprovide our Federal partners, but also our State and local \nofficials and private-sector vendors with the information and \ncapabilities they need to better defend that infrastructure.\n    I noticed in your testimony you talked about DHS host--\nhosting a tabletop vote exercise, really for that purpose, in \nterms of identifying some of the best practices and areas for \nimprovement on cyber incident planning, preparedness, \nidentification, response, recovery, all of those things. What \nis your overall takeaway from that exercise? Was it impactful, \nand how so?\n    Mr. Krebs. So my sense of things is yes, it was impactful. \nI suggest you ask the next panel whether they found that \nuseful--that exercise useful. But I think the numbers prove \nthat it was at least a coordinating moment. That we got 44 \nStates and the District of Columbia participating over 3 days, \nin the middle of primary season, that in and of itself shows \nthat the community is participating.\n    We also had social media companies. We had political \nparties. We had the defense--the Department of Defense, the \nintelligence community. We believe we can do better. So, we are \ngoing to do the tabletop to vote exercise again, as I \nmentioned, once again this summer.\n    But again, it really reinforced, for us, that any small \npiece of information that an election official finds they \nshould share because that--a bunch of small things can add up \nto a big thing. That was, kind-of, along the see something, say \nsomething line, really trying to reinforce that information \nsharing, both ways, can lead to better defense across the \nsystems.\n    Mr. Ratcliffe. Thank you, Director. I see my time is \nexpired. I yield back.\n    Chairman Thompson. Thank you very much. The Chair \nrecognizes the gentlelady from Michigan, Ms. Slotkin.\n    Ms. Slotkin. Good afternoon, and good morning. Thanks for \nbeing here, to both of you. I agree with my colleagues. I think \nelection security has got to be one of the most bipartisan \nissues. We can all agree that threats to our democracy and the \nintegrity of our democracy is a threat to our National \nsecurity.\n    If we, as a people, do not believe in our system, all \nforward progress is lost. So I think it is an extremely \nimportant issue. I think that there are two pieces to it that I \nam worried about. One is actual election security, right? So \nthe integrity of the actual systems and you have spoken to \nthat.\n    But then, there is the perception that the elections, \nparticularly in 2020, may not be fair and free, right? On both \nsides, regardless of what side you are on.\n    You have talked about good work that you are doing and I \nappreciate that but if you can just give us your sense on both \nissues, what is the one issue on both issues that keeps you up \nat night? What are you most worried about on election security \nactual integrity of our system and then on the perception, \nright, because I think for all the good work you have done, \nthere is a huge group of people who are just ready to say, on \nboth sides, that 2020 isn't going to be free and fair which is \na deep--deeply concerning to me. So on election security and \nthe perception that they are not secure, what keeps you up at \nnight for both of you?\n    Mr. Krebs. So this question lasers right in on I think the \nbiggest area of discussion that we need to have in the country \nright now. So first and foremost on the security of the \nsystems, we have both mentioned it several times, the committee \nMembers have mentioned it, we have got to get to auditability. \nThat is--that is the key, understanding what is happening \nacross the process is critically important.\n    On the perception, we did a lot of work throughout the 2018 \ncycle on education and awareness not just in the voting public. \nWorking with the EAC and some of the election associations, we \nissued guidance, awareness materials, reinforcing that go to \ntrusted sources for information on elections. Those trusted \nsources are the elected officials at the State and local level. \nGo look at the State secretary's website for information on \nwhen you vote, how to register, what the deadlines are. Go to \nthe source. Don't listen to whatever third party, fourth party, \nwhatever you have--whatever have you which plays into the \nbigger part of we have to do more awareness building in this \ncountry and introduce critical thinking and reinforce critical \nthinking as we are just deluged with information. It is too \neasy to just click like and forward on. We have got to have \npeople thinking, where is this information coming from? Why is \nit being served up to me? That continue--will continue to be \none of our priorities going into 2020.\n    Mr. Hicks. Thank you for the question, Congresswoman. I \nagree with Secretary Krebs but I also wanted to add a couple of \nother things. One, election interference is nothing new. It was \nmostly done, you know, since--it has been done since we have \nhad elections. Whether or not that is pamphlets saying \nDemocrats vote on Wednesday, Republicans vote on Thursday or \nother access to the polls, but the things that I would want to \nfocus in on for our--our agency is to ensure that all aspects \nare taken care of. One being access and also access for three \ndifferent groups. One, our military and overseas voters who--\nwho don't always have access to ballot boxes and so forth. Two, \nour disabled voters who might not be able to get access inside \nthe polls themselves and the third would be language \nminorities.\n    Ms. Slotkin. So I know I have a very short time and thank \nyou as a military spouse for ensuring that our military can \nvote. That is a big issue for our military community. So you \nboth mentioned this--and the perception--the concern that the \nperception that these aren't free and fair elections, the role \nof social media, of news, of third sources passing along the \nwrong information. Can we--can you do your jobs without the \nsocial media companies doing more--particularly social media \ncompanies doing more to identify and disclose who is actually \npaying for some of the ads that are coming through? Who are \nactually, you know, originating and spreading this information? \nCan you help me understand their role in making your jobs \nharder or easier?\n    Mr. Krebs. So transparency for certain is key. I will say \nthat the social media companies deserve some credit for what \nthey did, how they stepped up in the 2018 cycle. On Election \nDay we had a National situational awareness, more room, both a \nvirtual presence where all States and local jurisdictions were \nplugged in but we also had a physical presence at our facility \nin Virginia and the social media companies participated.\n    Now what that allowed us to do is win election officials, \nidentified disinformation, misinformation, or just flat-out \nfalse information that was being passed around, videos that \nhave been edited but saying, look this machine is changing my \nvote. It was immediately flagged for the social media \ncompanies. Social media companies were able to get the ground \ntruth with the election official, they were able to pull down \nthat false information because it was in violation of their \nterms of service and then the election official was out and \nable to say, here is what really happened. Don't believe that. \nSo they--they played a part.\n    There is always much more to do here and keep in mind that \nthe adversary will continue to pivot, pivot, pivot as we raise \ndefenses and block off avenues.\n    Ms. Slotkin. Thank you gentlemen. I am almost immediately \nout of time so I appreciate it.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from North Carolina, Mr. Walker.\n    Mr. Walker. Thank you Mr. Chairman. Director Krebs, is \nthere any evidence of foreign interference in the 2018 \nelections?\n    Mr. Krebs. So as I indicated in opening and my written, the \nstatement issued by the DOJ and DHS last week indicated that \nthere was no attributable--there was no evidence of \nattributable activity to a nation-state actor of material \nimpact on the election.\n    Mr. Walker. Thanks for covering that again. I just want to \nmake sure that we are on the record with that. Is there any \nevidence of domestic interference in the 2018 elections?\n    Mr. Krebs. I would have to defer you to the Department of \nJustice on that.\n    Mr. Walker. OK. How should we or how do we define \ninterference? Is it just hacking and abusing voting systems or \ndoes it also include false or misleading political statements?\n    Mr. Krebs. Well I believe the way the 2016 intelligence \ncommunity assessment broke things down, at least the way I look \nat foreign interference, it is consistent with that report, \nthere is hack and lead campaigns that was targeting for \ninstance in 2016 the DNC releasing sensitive e-mails. There is \nthe social media campaign that disinformation trying to sow \ndivisiveness across the community and then third is the actual \ntechnical cybersecurity operations focusing on election \ninfrastructure.\n    It is important to note that anyone, any actor, could do \nany of those three things. It is just a matter of capability \nand then effectiveness.\n    Mr. Walker. I want to go to Commissioner Hicks before I ask \nmy question. I do want to say Commissioner Hicks, I think that \nis the best baritone voice I have heard since Lou Rawls.\n    [Laughter.]\n    Mr. Walker. I don't know, maybe you could slow jam the \nelection news with Jimmy Fallon sometimes, I don't know. But my \nquestion is, what separates interference from political free \nspeech? Can you give us a line or describe the parameters \nthere?\n    Mr. Hicks. That is a difficult question but thank you for \nthe compliment by the way. The election assistance commission \nfocused mostly in on the administration--the administration of \nelections. So we work with the States and local officials to \nhelp them administer the election in a way that ensures that \nconfidence remains high, that there is no interference with the \nFirst Amendment rights of individuals or groups but to ensure \nthat our role and we stay in our lane with that.\n    Mr. Walker. So from what I am understanding, it is a hard \nline to call or it is hard to interpret. Who ultimately does \nmake that decision where it crosses over in being more just \nsomebody's right or somebody's free speech rights versus \nsomeone else who would call that interference? How do we \ndescribe that--how do--how do--in moving forward how do you \ninterpret that?\n    Mr. Hicks. Domestically, that would be the Department of \nJustice to make that determination.\n    Mr. Walker. All right, let me get a couple more--time for a \ncouple more. Going to go back to Director Krebs, director, \nthere were multiple reports of campaigns being hacked in 2018. \nWhat did the DHS provide in assistance in these instances?\n    Mr. Krebs. So, would have to defer to the Department of \nJustice and the FBI on any specifics of their engagements, \nwhether they engaged in the campaigns. We provide our resources \nas a technical cybersecurity capability to anyone that is \ninterested.\n    Any information that we had or picked up through press or \nthrough referrals from the Department of Justice, we would \noffer our services, that would be a vulnerability assessment, \nthat would be an incidence response assessment and those sorts \nof things. Those relationships, as they come about, are \nsensitive, confidential, trusted relationships. But, generally \nspeaking, we continue to provide information, incidence \nresponse capabilities.\n    Mr. Walker. Sure. I am sure they appreciate the support, \nbut this--maybe just as a yes or no, are you aware that there \nwere campaigns in 2018 that were hacked?\n    Mr. Krebs. I am aware of reports of campaigns having, for \ninstance, spear phishing and things like that----\n    Mr. Walker. When you say you were aware of it, did you guys \ntake a look at it? I know DOJ is lead on that, but from your \norganization, were you contacted to look into this any further \nor offer support on a campaign that was hacked?\n    Mr. Krebs. I would have to go back and look at the \nspecifics of any campaign. We are aware of spear phishing \nevents and things like that.\n    Mr. Walker. Help me understand, when you say got to go back \nand look. You are not aware or you were aware of some? You just \ndon't remember?\n    Mr. Krebs. What I am unclear on right now is our actual \nengagements with any specific campaigns. Typically on things of \nthat nature that the FBI has direct lead on engagement. We come \nback--we kind-of put out the fire so to speak.\n    Mr. Walker. If we provided maybe 2 to 3 weeks, is that \npossible? I would love to have----\n    Mr. Krebs. Certainly, I would follow up, yes, sir.\n    Mr. Walker. I would appreciate that. Last question, to your \nknowledge does H.R. 1 addresses campaign security?\n    Mr. Krebs. I would have to go and dig into H.R. 1. I have \nbeen focusing on the election infrastructure piece. We always \nprovide assistance to political campaigns, political \ninfrastructure. So, whether it is included in H.R. 1 or not, we \nwill always provide assistance.\n    Mr. Walker. OK, thank you so much. Thank you, Mr. Chairman, \nI yield back.\n    Chairman Thompson. Thank you. The Chair now recognizes the \ngentlelady from New Jersey, Mrs. Watson Coleman.\n    Mrs. Watson Coleman. Thank you Mr. Chairman. I am concerned \nabout reports that election vendors don't fix vulnerabilities \nonce they have been made aware of them, and then, in fact, it \nis not just recognizing a vulnerability and then reporting it \nand not having it dealt with, but even years have been \ninvolved. What role does the EAC have in making sure vendors \nare taking steps to remedy vulnerabilities when they find them?\n    Mr. Hicks. If a vendor is--thank you, Congresswoman, for \nthe question. If a vendor is a registered vendor with the EAC, \nthey have a certain amount of time to report errors with their \nmachines to us and fix those vulnerabilities.\n    Mrs. Watson Coleman. If they don't? If they don't fix them?\n    Mr. Hicks. Then we don't have enforcement authority, in \nterms of fining and so forth, but we can go toward the \ndecertification of their voting equipment.\n    Mrs. Watson Coleman. Does that mean that then no one can \npurchase their voting equipment?\n    Mr. Hicks. Then it would not be certified under EAC \nstandards.\n    Mrs. Watson Coleman. So, no one could purchase and use \ntheir voting equipment?\n    Mr. Hicks. If someone--since it is a voluntary system, \nfolks could still purchase that equipment and use it.\n    Mrs. Watson Coleman. To what extent have we knowledge of \nthat kind of a problem?\n    Mr. Hicks. If they are--voting machines are basically \ncomputers. So if there are patches that need to be made, then \nthose are acknowledged and then fixed.\n    Mrs. Watson Coleman. But, to what extent do we know of it \nbeing a problem where a vendor has been given sufficient notice \nand still has neglected to fix these things?\n    Mr. Hicks. I have----\n    Mrs. Watson Coleman. Is that a pervasive problem? Is that a \nrare problem?\n    Mr. Hicks. I am not aware of any issues to that degree.\n    Mrs. Watson Coleman. Do you think that we need some kind of \nenforcement authority in some entity, I don't know which one it \nwould be, that would compel those types of vendors to correct \nthe situation?\n    Mr. Hicks. If Congress gave us that authority, then we \nwould, like we have with all of the issues with the Help \nAmerica Vote Act, we would act accordingly.\n    Mrs. Watson Coleman. I know that--I know that a lot of work \nis being done with States and secretaries of state, I am \nwondering--in my State there are 21 counties and the counties \nare basically the entities that run the elections and the \nmunicipalities carry out.\n    To what extent is there this guarantee that the information \nsharing, the training, the cybersecurity guidance gets down to \nthose levels? What is the mechanism to do that? Or do you deal \ndirectly with the local and county officials that deal with the \nelections?\n    Mr. Krebs. So, specific to the cybersecurity information-\nsharing piece and the technical assistance piece, you have \nhighlighted an area that we recognize needs additional \nattention. Last year the Elections Infrastructure ISAC, the \nInformation Sharing Analysis Center, had 1,400 local \njurisdictions.\n    My understanding, and the number seems to change regularly, \nbut somewhere in between 8,800 and 10,000 voting jurisdictions \nacross the country. Some--and that is below the county, \nprecincts, voting spots, so we are looking at scalable, \nrepeatable ways that we can engage each and every one of them. \nFor instance, deploying or providing information, I.T. manager \ntraining for election officials.\n    As Commissioner Hicks mentioned, these devices, these \nvoting--this voting equipment, the process, the databases, they \nare computers. So, election officials sometimes, sole officials \nend up having to be I.T. managers as well.\n    So, it is important that we provide them the support, the \ntraining, what to look for in terms of phishing e-mails and \nthings like that, how to apply patches, how to work with \nvendors and ask the right questions. But, for us, one of our \ntop priorities in the run up to 2020 is extending out from that \n1,400 and the rest of the----\n    Mrs. Watson Coleman. So the--thank you. I am sorry. The \nHAVA money that was already allocated, that is allocated, it is \nin the hands in of the various States and jurisdictions, right?\n    Mr. Hicks. There were two rounds of HAVA money. One that \nwere submitted in 2003 and then the 2018 HAVA funds. The 2018 \nHAVA funds have all been distributed to all the 55 \njurisdictions.\n    Mrs. Watson Coleman. So, we do we have an understanding \nabout how much more money we need in order to ensure that the \nright voting machines, the appropriate voting machines that \nhave the verifiability in them, would cost?\n    Mr. Hicks. The--from my travels around the country, from \nwhat I have heard from individual States in terms of replacing \nall the voting equipment, can run from between half a billion \nto $1 billion.\n    Mrs. Watson Coleman. Thank you. I yield back.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from Louisiana, Mr. Higgins.\n    Mr. Higgins. Thank you, Mr. Chairman. I am honored to serve \non this committee again with you, sir. You are a solid patriot. \nWith your leadership, and that of Ranking Member Rogers, I \nbelieve our committee will always move forward. Contentious, \nthough, at times, we may be. We will be focused on the security \nof our homeland and we will get things done.\n    Mr. Krebs, the voting systems that we are discussing today, \nexplain to America--my research says that there is somewhere \nover 174,000 voting precincts in America. Is that true?\n    Mr. Krebs. I would have to defer to Commissioner Hicks on--\n--\n    Mr. Higgins. Is that true sir?\n    Mr. Hicks. Yes, sir.\n    Mr. Higgins. So you have got a lot of voting precincts. \nArticle I Section 4 of our Constitution gives a station--States \nand local jurisdictions State legislature authority, \nspecifically to the time, place, and manner of holding \nelections for Senators and Representatives shall be prescribed \nby each State by the legislature thereof.\n    So you are dealing with over 174,000 small communities. The \nvoting systems we are discussing and the integrity thereof \nregarding cyber threat, is it true that most of these systems \nare--are independent? They are electronic. They are analog. \nThey are not connected to the internet at all. They are--they \nare--they are in high schools and in gymnasiums across America, \nand cafeterias at elementary schools. They are rolled out, \nsecured, and plugged in. They are not connected to the internet \nat all.\n    Mr. Krebs. So there is, obviously, a range of equipment out \nthere from various vendors. The general best practice is yes, \nthey should be air-gapped. They should not be----\n    Mr. Higgins. There you go.\n    Mr. Krebs. I use that term----\n    Mr. Higgins. I just wanted to clarify that. We are dealing \nwith scores of thousands of individual voting systems, most of \nwhich are--are not actually connected to the internet. Now, the \nthreat is real and should be--should be addressed, certainly. \nThis committee will do our job regarding election security.\n    In the densely populated areas there is--obviously, a \nthreat to a single precinct would be more significant, \nregarding numbers, as opposed to more rural areas. Is that \ncorrect?\n    Mr. Krebs. I think the threats can vary. There are \ncertainly situations where a more densely populated--could pose \na higher risk.\n    Mr. Higgins. In other words, a small percentage of error \ninterference would have a greater affect on numbers in more a \ndensely populated area, and a more heavily voted precinct.\n    Mr. Krebs. It is possible.\n    Mr. Higgins. So it is a landscape across our Nation that we \nmust serve. In my opinion, and those of my colleagues, I \nbelieve on both sides of the aisle, we need to move forward \ncarefully. The--the cyber threats themselves--now that we have, \nsort-of, categorized what we have got. Nation-states, rogue \nstates, bad actors like Russia, Iran, China, North Korea versus \na criminal element; organized crime.\n    How would you differentiate between the cyber attempt to \ninterfere with an election by a nation-state versus a cyber \nattempt to interfere with an election by a criminal element \nwithin a nation-state?\n    Mr. Krebs. So at this point, I think given the way the \nthreat environment has blended, and you have hybrid threat \nactors. I am not sure that there is much of a distinction \nbetween nation-states and criminal elements.\n    Mr. Higgins. Exactly. It--and in times past during the Cold \nWar--are you familiar if you are a student of history, \ngentlemen? That rogue states, some of our enemies across the \nworld attempted to influence public opinion and policy with \npamphlets, and flyers, and illegal radio broadcasts into \nterritories. Is that correct?\n    Mr. Krebs. Yes, sir.\n    Mr. Higgins. So wouldn't that take--wouldn't that reflect, \nin the modern era, using social media, and the attempt to \ninfluence public opinion, and perhaps elections in that way?\n    Mr. Krebs. As--as we saw----\n    Mr. Higgins. So this is nothing new, is it?\n    Mr. Krebs. Well, as we saw in 2016, there were technical \nlone network operations, as well as influence campaigns. Those \nactivities--the influence campaigns, in particular, continue \ntoday.\n    Mr. Higgins. Right.\n    Mr. Krebs. It is not just Russia.\n    Mr. Higgins. It continues today, and we need to adapt to \nthe changing time. I thank you gentlemen for doing both.\n    Mr. Hicks, as an American should--in your opinion sir, do \nyou think that a voting precinct, again, of over 174,000 in our \ncountry that has never had an issue and have never had a \ncomplaint; they have the Constitutional rights to run their own \nelections. These--this would include local and State elections, \nas well as Federal, of course. Do you think a voting precinct \nthat has never had an issue or a problem with their system \nshould be forced by the Federal Government to spend money and \ninvest in manpower, and change, and--and receive interference \nfrom the Federal Government? I will leave you to answer, sir.\n    Mr. Hicks. Thank you for the question. I wanted to clarify \none quick thing, it is 8,000 jurisdictions across the country, \nand then the voting precincts are what you are referring to.\n    I wouldn't necessarily say that there has never been any \nissues with any of those voting precincts. There are issues \nwith every election, as we go--move forward. That is just the \nnature of elections. But we need to address and adapt to each \nissue as they arise.\n    Mr. Higgins. Well stated, sir. I yield back, Mr. Chairman. \nThank you for your indulgence.\n    Chairman Thompson. The Chair now recognizes the gentlelady \nfrom New York, Ms. Clarke.\n    Ms. Clarke. I thank you, Mr. Chairman, and I thank our \nRanking Member, and I thank you gentlemen for appearing before \nus today. As a follow-up to a question my colleague, Ms. Bonnie \nWatson Coleman of New Jersey, asked: How is DHS and EAC \nprioritizing outreach to the local governments--local level?\n    Mr. Hicks. Well, the former president of the National \nAssociation of State Election Directors was actually from New \nJersey. We worked really closely with him, and all other \nStates, to ensure that the process was moving forward. So it is \na high priority for us. It is one we take seriously, but it is \nnot our only priority.\n    Mr. Krebs. DHS's No. 1 priority; more State--more local \nengagement.\n    Ms. Clarke. Very well. There seem to be areas where State \nand local election officials have not yet resolved low-hanging \nfruit issues of their election security; for instance, the use \nof wireless modems to transmit election results. These \npractices needlessly introduce vulnerabilities into the \nprocess.\n    What do you perceive as some of the low-hanging fruit in \nsecuring election operations? Might stronger, more vocal \nleadership from Federal partners like DHS, or EAC, or even the \nWhite House, move the needle on those issues?\n    Mr. Krebs. So over the last couple of years we have \nconducted a number of vulnerability assessments, 26 plus \njurisdictions, State and local. We have also conducted remote \npenetration testing.\n    The interesting thing that we found was that, of all of \nthose assessments, the findings were generally similar; \nunpatched systems, misconfigured systems, lack of multi-factor \nauthentication.\n    So what happened is we took a lot of that learning across \nthose assessments, worked with the Government Coordinating \nCouncil, which is State, local, EAC, the intelligence \ncommunity, law enforcement, and put together when Congress \nappropriated that $300 million to the last HAVA tranche of \nmoney, and provided some expenditure guidance.\n    So our sense of things is that we have been pushing out \nthose best practices. But there is certainly more to do. On the \npoint of the modems and I used air quotes when I said air gap \non a lot of the equipment.\n    Yes, there is equipment still out there that has modems. It \nis only used in very discrete circumstances. Nonetheless, \nabsolutely that is why I used my air quotes there. It is a best \npractice to disable or remove that capability.\n    In some cases there was simply no other alternative for \njurisdictions in the 2018. So that capability was limited but \nleft in place. Auditability can also help identify and spot any \nirregularities.\n    But my sense and understanding is going forward that \ncontinues to be one of those priority actions. Low-hanging \nfruit as you mentioned.\n    Mr. Hicks. Thank you again. I think that it goes from A to \nZ, from voter registration all the way to election night \nreporting. That all aspects of election should have some sort \nof security to it.\n    We have talked a lot about cybersecurity but I also think \nthat physical should also remain high. Also we should continue \nwith our quest to have all elections being audited because then \nit remains--the confidence of the election remains high.\n    The way that those audits are conducted can be done by each \nindividual State. But I believe that, in my own personal \nopinion, that we need to ensure that we do all we can to afford \nconfidence of the--the system. Because what I have said in 2016 \nand 2018, if you don't vote then your vote definitely will not \ncount.\n    Ms. Clarke. Well, I think part of the challenge too is at \nthe local level, just the level of proficiency of the use of \nthe technologies of the individuals who were employed to \nadminister these elections.\n    I don't know whether you are getting a true sense of that \nacross the length and breadth and depth of our Nation. But I \ncan tell you that there have been a lot of senior citizens that \nhave this as a preferred profession.\n    Not to disparage anyone but they tend to be a little bit \nless concerned about cyber hygiene. So I think that there just \nneeds to be a consistent outreach to these local jurisdictions \nin helping folks to really be trained and vigilant around the \nwork that they do.\n    Just one more question. I know that we had talked about \nfive jurisdictions that have paperless voting. I wanted to be \ncorrected if I am wrong, but the only record that the votes \ncast on these machines is a digital record stored on the voting \nmachines themselves, which means if the machine is hacked, \nelection officials have no paper ballot they can count on by \nhand to determine how the voter really voted. Is that correct?\n    Mr. Hicks. It is a lot more detailed than that because all \nthese systems have more than one redundancy for back up in \ntheir--in their systems. So----\n    Ms. Clarke. But if it is hacked how would you know?\n    Mr. Hicks. Well, it could be stolen as well. So there is \nall aspects of machines could be--you do a forensic scan of \nthose machines to ensure that the ballots are counted \ncorrectly.\n    Ms. Clarke. So to the best of your knowledge, were any of \nthese paperless voting machines used by States in 2018 \nelections running software that was out of date with known \nexploitable cybersecurity flaws?\n    Mr. Hicks. I would have to go to my staff to see what the \nactual scanning of those districts were because it is not just \nthose 5 individual States. There are other jurisdictions around \nthe country as well.\n    Ms. Clarke. It would be good if you could get back to us \nwith that. It is very important as you talk about auditability \nthat we are exact in what--how these machines can be exploited.\n    Mr. Hicks. I would also point to the fact that a lot of \nthese States are moving away from machines that don't have a \npaper component to them.\n    Ms. Clarke. We want to expedite that right? Thank you. I \nyield back. Thank you, Mr. Chairman.\n    Chairman Thompson. Thank you very much. Chair now \nrecognizes the gentlelady from Arizona, Mrs. Lesko.\n    Mrs. Lesko. Thank you, Mr. Chair. Thanks for calling me a \nyoung lady. I really like that.\n    [Laughter.]\n    Mrs. Lesko. I got to hang around here more often. My first \nquestion is for Mr. Krebs and thank you both for being here.\n    You know we have talked--hit on this a little bit with Mr. \nWalker but there was a lot of media--there still is a lot of \nmedia out there about how the Russians allegedly interfered in \nthe 2016 election and I think we found out that a lot of it had \nto do with social media misinformation.\n    To Ms. Slotkin's points that a lot has to do with \nperception, if voters believe that their votes count and they \nare not being compromised. To your knowledge, was there any \nevidence or is there any evidence that the Russians or anybody \nelse hacked into the actual election system and changed the \noutcome of the election on Election Day?\n    Mr. Krebs. Ma'am, I am not aware of any evidence that they \nhad access or ability to influence the casting, counting \ntabulation.\n    Mrs. Lesko. Thank you. The reason I think that is important \nis because there is a lot of confusion out there and--so we \nneed to make sure that when we talk to people that we are not \ntalking about actual hacking into the election system is what \nthe media is talking about.\n    However, we want to prevent it in the future of course. My \nnext question is actually for Mr. Hicks and this was touched on \nbriefly by the Ranking Member Rogers. That was about the money \nin this bill that is going toward certain things.\n    So the Democrat's Congressional Task Force on Election \nSecurity recommended $300 million for States to acquire these \npaper ballot systems, conduct audits, address cyber \nvulnerabilities, provide cybersecurity training to local and \nState election officials, institute cybersecurity best \npractices, and to make other improvements to effect Federal \nelection security. Through the Help America Vote Act Congress \nappropriated $380 million in grants for fiscal year 2018 for \nthese purposes.\n    This bill, H.R. 1, which we are talking about today, \nauthorizes $1.77 billion in grants. So why do we need to give \nStates an extra $1.77 billion to do the same thing that in this \ntask force they said they could achieve with $300 million?\n    Mr. Hicks. The States--from the States that I have--I have \ntraveled to all 50 States in the last 4 years or so and the \nStates have all indicated that elections--Federal elections \noccur every 2 years and that the replacement of voting \nequipment from the 2002, 2003 initial HAVA funds need to be \ndone.\n    The money that was put into the Help America Vote Act funds \nfor 2018 did not just go toward machines. They went toward \nTitle I, which gave States a lot of leeway into improving the \nvote--the voting process.\n    Whether or not that was voter registration, audits, \ncommunications, just to--and other aspects as well.\n    Mrs. Lesko. So, Mr. Chair, and Mr. Hicks, so I don't know \nif you answered do you--why--why if it--in one report it said \nyou need only $300 million but this one is $1.77 billion. Do \nyou know why?\n    Mr. Hicks. I don't know why, but I believe that they were \ngoing toward one aspect of the process in terms of--and I have \nto read back through the report, but I would--I am assuming \nthat it was one aspect of what they were looking at as opposed \nto overall with H.R. 1. Because I believe that they were just \nlooking toward certain machines, but I believe that maybe H.R. \n1 covers a lot more than just the one aspect of it.\n    Mrs. Lesko. Thank you, sir. Thank you, Mr. Chair, I yield \nback my time.\n    Chairman Thompson. Thank you very much, as a point of \nclarification the $1.8 billion was for over 10 year's period of \ntime, so it was not just 380--a one-shot deal. So it is in \nanticipation that upgrading will be a constant rather than just \nstanding for one time.\n    Chair recognizes the gentleman from Rhode Island, former \nSecretary of State, Mr. Langevin.\n    Mr. Langevin. Thank you Mr. Chairman. Director and Mr. \nHicks thank you very much for being here and for your testimony \nand Mr. Krebs I want to thank you also--thank you for the work \nyou are doing at CISA, I am glad that agency has been \nreorganized and properly tasked, and I look forward to work \nwith you, and supporting you in your work.\n    Obviously this is one of the most important issues that we \nare facing as a country, has been securing our elections from \nforeign adversaries that want to try to undermine and sow \ndiscord. They have got a pretty effective, well-coordinated \ncampaign that we have to obviously have to get even better \norganized and I know that we will.\n    So I want to thank you and Assistant Director Manfra for \nyour support, particularly in my home State of Rhode Island. I \nhad attended one of the final planning meetings before the \nelection with our Secretary of State Nellie Gorbea, who \ntestified before this committee, along with you.\n    Also the DHS personnel in the room made vital contributions \nto that discussion, and as someone who has overhauled an entire \nState election system, I understand the challenges of having \nthe best equipment and making sure that it works well. When I \nreorganized and overhauled our election system we didn't have \nto deal with the issue of course of cybersecurity and threats \nfrom foreign adversaries trying to undermine us.\n    So let me just say, one of the topics that came out of that \nmeeting was coordination with media. We have seen how \neffectively the Russians, for example in targeting Ukraine \nelections, went right to the media and trying to sow discord \nand confusion in election processes. How have you engaged with \nlocal, State, and National media outlets to ensure that \nunofficial voting--vote reporting is protected from malicious \ninterference?\n    Mr. Krebs. So a couple examples I think that are \ninstructive of the progress we have made, particularly with the \nNational media, but also local and State-level media. Two \nthings, one in advance--2 weeks in advance of the election we \nheld a media tabletop exercise, just like what we did with the \nState, and local election officials we brought in a couple \ndozen media representatives, sat in a room, 4 hours, walked \nthrough a scenario that included both technical on-network \neffects as well as social media influence operations.\n    We walked through here is what you would see, here is what \nyou would hear from a State or a local election official, here \nis what you would hear from the Federal Government and what the \nFederal Government would be doing whether it was DHS, the FBI, \nthe intelligence community--and help them understand what was \ngoing on in the background.\n    So that, if something did happen, they would have the basis \nof understanding, they would know A, who to call, but also \nrather than say, oh there was a denial-of-service attack \nagainst an election night reporting website. We would be able \nto have a conversation and say, actually it is not that--\ninstead it is simply a configuration issue and that website \ndropped.\n    The second thing we did is on Election Day every 3 hours \nover the course of the election we had a conference call with \nNational media. The same thing, we would walk through issues as \nthey popped up over the course of the day.\n    Oftentimes we referred them to the local or State election \nofficial to address the questions, but where we could chip in \nand provide some clarification. Really the important thing was \ngetting ahead of issues and dispelling any sort of doubt, or \nquestions about what may be happening in the background. We \nfound it to be very beneficial in terms of getting ahead of \nproblems before they really started.\n    Mr. Langevin. OK, thank you. Is--another topic, as \nCommissioner Hicks mentioned on this testimony, I know that \nRepresentative Slotkin has touched upon this as well.\n    Obviously public confidence and the integrity of our \nelections is a vital component of our democracy and following \nthe 2016 elections, American voters reported a decrease in \nconfidence in the election systems, and outcomes and it is \nexactly playing to the hands of what our adversaries want to \ntry to accomplish here. But election security, particularly \ncybersecurity, is certain an important aspect of increasing \nconfidence, but it is not sufficient.\n    So who right now in the interagency has the role of \ncoordinating protection of election integrity, and its \nperception thereof, and who--which cybersecurity is just a \npart?\n    Mr. Krebs. So in terms of the interagency process, the FBI \nand the Department of Justice have the responsibility to lead \non countering foreign influence, and that is the social media \ncampaigns, that is the direct response--the threat response \npiece. So as things bubble up, or pop up they work with \npartners to address and--immediately address head-on.\n    The Department of Homeland Security's role here is in terms \nof--is more on the lines of educating awareness, building--\ntaking case studies that we saw in 2016--or even before that \nthat we have seen the Russians do, that we have seen the \nChinese do. Then pushing awareness and information out on--\nthese are the sorts of things that you need to look for. Here \nare the things that you can do to ensure you are getting ground \ntruth and you are getting the right information.\n    Again, going back to the elections, just as Chairman Hicks \nmentioned, it is--you need to listen to your State and local \nelection official, they are the ones that have the official \ninformation. They are the ones that are going to tell you where \nto go, what day to vote. Don't listen to the text messages, \ndon't listen to the tweets, or posts or whatever.\n    Mr. Langevin. So do you believe that--and you talk about \nwho the lead is, but you believe that there should be a whole-\nof-Government approach, or should it be silos based on \nexperience?\n    Mr. Krebs. So it is certainly cliche but this is a whole-\nof-Nation approach. There is a specific role for a number of \nagencies, including the intelligence community using their \nspecific authorities, whether it is the Bureau and their law \nenforcement capabilities, whether it is the Department of \nHomeland Security and our unique convening capabilities.\n    One thing I will note is that when some of the social media \ncompanies over the course of the election took action and took \ndown, whether it was Iranian activity or whatever, we were able \nto work with the FBI, work with the social media companies, \nconvene the State and local election officials in a call or \neven a Classified briefing and get--and have them walk through, \nhere is what happened, here is what you need to be on the \nlookout for.\n    So there is a role in this for everyone. There is a role in \nthis for every American, and--and it is upon us, particularly \nthe Department, to give them the awareness, the tools to be \nsmarter consumers of information.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from Tennessee, Mr. Green.\n    Mr. Green of Tennessee. Thank you, Mr. Chairman and Ranking \nMember. I extensively reviewed H.R. 1 in my previous committee \nhearing on Oversight and Government Reform. I certainly believe \nthat election security is critical. Ms. Slotkin did a very nice \njob of saying--speaking about it, and I am impressed. I have to \ntell you, I am very impressed with what you have done in the \n2018 cycle--essentially flawless.\n    There were no penetrations that we are aware of--and we \nhave to be able to do that. We--our democracy rests on one \nperson, one vote. But with regards to this H.R. 1, I am going \nto be completely upfront and say that I am disappointed by the \nMajority party because it seems to have disregarded our \nConstitution.\n    They claim the purpose of the bill is to protect our \ninstitutions, but they are promoting a bill that fails to \nimprove security, all while thumbing the nose--or its nose to \nFederalism. Our country was not made for a few hundred people \nin Washington, DC to dictate to my State in Tennessee how we \nare going to do everything, including our elections.\n    Our founders, our Constitution, our electoral process have \nbeen grounded in Federalism. This bedrock is the foundation of \nour country, and it has to be protected. When power is \nconcentrated in the hands of a few, tyranny inevitably follows. \nOur founders knew this; that is why they created, you know, \nthree branches of Government.\n    They created separation between the Federal Government, the \nStates, the local government--recall the 10th Amendment. I want \nto thank you again for the hard work that resulted in such \nsuccess in 2018, and I, from the previous questions that were \nasked, assume you have not read H.R. 1. Is that correct?\n    Mr. Krebs. I have reviewed it, yes.\n    Mr. Green of Tennessee. You have reviewed it? OK. Can you \ntell me, then, in a more global sense, how far should the \nFederal Government be able to go in telling Tennessee how we \nrun our elections? Considering specifically, what was read \nearlier from my colleague, about what the Constitution says \nconcerning elections.\n    Mr. Krebs. I--so every State is different; every \njurisdiction's different, every set of equipment's going to be \ndifferent. I would defer to Secretary Hargett to decide what is \nbest for the citizens of Tennessee.\n    But whatever I can do, as the Department of Homeland \nSecurity, to make his job easier--the thing I will note, and it \nhas been part of the conversation throughout the morning, that \nthe threat landscape is different today in 2019 than it was in \n2001, with HAVA and even before that. Back then, we were \nfocused on--the Department was focused on an antiterrorism \nmission.\n    Today, we have the most active nation-state adversary \nlandscape, certainly in my lifetime. That means that individual \nStates, individual counties, individual precincts cannot go it \nalone against the full-frontal assault of the Russian GRU or \nthe Russian FSB. So I need to be able to provide whatever \ncapabilities I can so that we can assure a collective defense \nacross election security.\n    Mr. Green of Tennessee. Yes, but the--the--as you have \nreviewed H.R. 1, I am sure you know that it tells Tennessee we \ncan't have voter identification; it tells us we--we can allow \nvoter registration to happen on the day of the election with no \nway to verify it.\n    That seems to me to be a violation of the Constitution, as \nhas been read and is clearly articulated in the 10th Amendment. \nThat is more than just security; that is dictating how we run \nour elections in Tennessee.\n    Quite honestly, that is offensive to us down in Tennessee. \nFor Mr. Hicks, I do have a question, sir. You said there is \nabout 8,000 jurisdictions, if I understood correctly. How many \nof those jurisdictions are identical? They do elections \nidentical to one or the other?\n    Mr. Hicks. That would be a difficult question to answer. I \nbelieve that, you know, each individual jurisdiction conducts \ntheir elections the way that they feel best for those \nconstituents in their jurisdiction.\n    But the Election Assistance Commission goes to these--once \ninvited, goes to these States and jurisdictions to offer our \nassistance, whether or not that is the $380 million that \nCongress appropriated or other aspects through our clearing \nhouse or other aspects of it, because those jurisdictions might \nnot know techniques or things that are being done in other \njurisdictions. But we bring that to them so they can run their \nelections effectively.\n    Mr. Green of Tennessee. Well, thank you for that answer, \nand I really appreciate it. My issue isn't so much with you \nnot--with your help--we want your help; it is essential to \nprotecting--but dictating how we run our elections in \nTennessee, that is a little different. That is my point. Thank \nyou very much.\n    Chairman Thompson. The Chair now recognizes the gentlelady \nfrom Texas, Ms. Jackson Lee.\n    Ms. Jackson Lee. Mr. Chairman, thank you very much for this \nhearing. Along with the Ranking Member, we are appreciative for \na hearing that indicates one of the strongest elements of \ndemocracy is the independent right of every American to cast \ntheir vote, unimpeded, unsuppressed, and unoppressed.\n    Let me ask you, Commissioner Hicks--and thank you for the \nElection Assistance Commission. In 2016, I believe then-\nSecretary Jeh Johnson joined with 16 other agencies, \nintelligence agencies, as I recall, the fall of the election to \nindicate a conspicuous engagement of Russia into the elections.\n    Let me just read a sentence--E-Deceptive Campaign Practices \nReport 2010; Electronic Privacy Information Center. They are, \nhowever, talking generally about what deceptive campaigns or \nattempts to misdirect targeted voters, regarding the voting \nprocess, or in some way affect their willingness to cast a \nvote.\n    Deceptive election activities include false statements \nabout polling place opening and closing times the date of the \nelection--voter identification rules or the eligibility \nrequirements for voters who wish to cast a vote. I think the \nintelligence report was focused on targeting voters, misleading \ninformation, social media, do you believe, based on those \nintelligence reports at that time--you are aware of that \nreport, elective report, in 2016?\n    Mr. Hicks. I am aware of it.\n    Ms. Jackson Lee. Do you believe the reports, first of all, \nMr. Johnson joined in that report ahead of the Department of \nHomeland Security?\n    Mr. Hicks. I have no reason to believe that that was false.\n    Ms. Jackson Lee. So in that--and Mr. Krebs?\n    Mr. Krebs. Yes, ma'am; I agree with the intelligence \ncommunity assessment.\n    Ms. Jackson Lee. So we know that there is, among others--\nand we certainly know that Russia is--looms large as having \nintentions to interfere with our elections. That means Federal \nelections, but Federal elections are held in States. We are a \ncollective of 50 States, so we know that that--they would be \nimpacted.\n    In that kind of report and the efforts that you all have, \ndo you see States willing to accept your assistance, and in \nwhat way is the best way that you are helping States \nacknowledge their own plight, if you will, of susceptibility to \nthis kind of intrusion?\n    Mr. Hicks. I believe State--thank you, Congresswoman--I \nbelieve States have come to the Federal Government more so than \nthey were before because there was a little bit of a hesitation \nthat way. But I believe that communication has improved to the \npoint where States are giving their input through the \nGovernment coordinating council, working with vendors and other \naspects of that through the sector-specific council to ensure \nthat the election integrity remains high.\n    Ms. Jackson Lee. Let me, because my time is short, go to \nthe cybersecurity for both of you to ask or Director Krebs you \ncan start with this. Cybersecurity involves everything from \nlarge systems to small mobile devices. My question is about a \nhost of technologies Classified as edge devices that may have \ninternet connections. How concerned should you be about edge \ndevices and election technology security?\n    Mr. Krebs. So we----\n    Ms. Jackson Lee. We could be concerned.\n    Mr. Krebs. Yes, ma'am. I briefly touched on some of those \nequipments that have modem or other telecommunications \nconnectivity, best practice generally speaking is to disable or \nremove that sort of capability. In 2018 some just didn't have \nthe time or the equipment to transition out. But it is \nsomething that across the risk profile of election \ninfrastructure, it is something that we work on. We work with \nthe State and local officials that have that equipment and we \nwork on transitioning and road mapping to more secure systems.\n    Ms. Jackson Lee. To each of you, do you feel, in spite of \nyour good works, that our election systems, State and Federal, \nare still in jeopardy of intrusion?\n    Mr. Hicks. I believe that there can always be improvements \nto be made and I believe that the work of the EAC can help with \nthose improvements.\n    Ms. Jackson Lee. Do you feel that would be foreign \nintrusions----\n    Mr. Krebs. Yes. There is always progress that can be made.\n    Ms. Jackson Lee. Let me ask the Chairman to submit into the \nrecord from the Brennan Center for Justice a study on securing \nelections from foreign interference, ask unanimous consent.\n    Chairman Thompson. Without objection.\n    [The information referred to follows:]\n       Letter Submitted For the Record by Hon. Sheila Jackson Lee\n                                 February 12, 2019.\nRepresentative Jackson Lee,\n2079 Rayburn HOB, Washington, DC 20515.\n    Dear Representative Jackson Lee: My name is Lawrence Norden, and I \nam the Deputy Director of Democracy at The Brennan Center for Justice \nat NYU School of Law. First, please extend the Brennan Center's thanks \nto Chairman Thompson and the U.S. House Committee on Homeland Security \nfor holding tomorrow's hearing on Election Security, an issue of \ncritical national importance. For nearly 15 years, I have led the \nBrennan Center's extensive work on election security and foreign \ninterference. In 2005, in response to growing public concern over the \nsecurity of new electronic voting systems, I chaired a task force (the \n``Security Task Force'') of the nation's leading technologists, \nelection experts, and security professionals assembled by the Brennan \nCenter to analyze the security and reliability of the nation's \nelectronic voting machines.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ Lawrence Norden, The Machinery of Democracy: Voting System, \nSecurity, Accessibility, Usability, and Cost, Brennan Center for \nJustice, 46, 2006, https://www.brennancenter.org/sites/default/files/\npublications/Machinery_Democracy.pdf.\n---------------------------------------------------------------------------\n    In the 14 years since, I have authored or co-authored numerous \nstudies on the security, usability, cost, and design of our election \nsystems. In 2017, with my colleague Ian Vandewalker, I co-authored \nSecuring America's Elections from Foreign Interference, which looks at \nthe key steps we must take to ensure our elections are secure, free, \nand fair.\\2\\ The report begins with a foreword from Ambassador R. James \nWoolsey, former Director of Central Intelligence, and I have attached \nit to this letter.* With the 2020 elections around the corner, I \nbelieve the study will be of use to the committee. I ask that this \nreport be placed into the record for the hearing.\n---------------------------------------------------------------------------\n    \\2\\ Lawrence Norden, Securing America 's Elections from Foreign \nInterference, Brennan Center for Justice, 2017, https://\nwww.brennancenter.org/sites/default/files/publications/\nSecuring_Elections_From_Foreign_Interference_1.pdf.\n    * The document has been retained in committee files and is \navailable at the website listed above.\n---------------------------------------------------------------------------\n    In the coming weeks, the Brennan Center will be releasing a new \nstudy on the state of voting technology and the need for additional \nresources to ensure that our elections in 2020 are as secure and \nreliable a possible.\n    My colleagues at the Brennan Center and I are available to speak to \nthe committee, as well as provide briefings or updates, at the \ncommittee's request.\n            Sincerely,\n                                              Larry Norden,\n                                Deputy Director, Democracy Program.\n\n    Ms. Jackson Lee. And unanimous consent for E-deceptive \nCampaign Practices by the Electronic Privacy Information \nCenter, unanimous consent.\n    Chairman Thompson. Without objection.**\n---------------------------------------------------------------------------\n    ** The document has been retained in committee files and is \navailable at https://epic.org/privacy/voting/\nE_Deceptive_Report_10_2010.pdf.\n---------------------------------------------------------------------------\n    Ms. Jackson Lee. To the two witnesses just a yes or no \nanswer. The help of this committee and legislative effort to \nimprove your work along with funding, would that be of help to \nyou, Mr. Hicks?\n    Mr. Hicks. Yes.\n    Ms. Jackson Lee. Mr. Krebs.\n    Mr. Krebs. Yes, ma'am.\n    Ms. Jackson Lee. Thank you very much. I yield back.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from Texas, Mr. Taylor.\n    Mr. Taylor. Thank you Mr. Chairman. Thank you Ranking \nMember. I appreciate the opportunity to be here.\n    So in 2011, I carried the MOVE Act Compliance Legislation \nfor the State of Texas. So in 2009 on a bipartisan effort \nCongress passed the law that allowed States to do--or required \nStates to do a better job of helping men and women who were \nserving in uniform outside the United States be able to vote. \nThat was--that was a 4-year compliance periods so the States \nhad 4 years to comply with it. One of the reasons for that was \nthat it--logistically we had to change our election schedule in \nTexas and so I am sure my colleagues from Texas will recall \nthat all of the sudden they were filing instead of in January \nthey were filing in December and that actually required a \nConstitutional amendment that had to be passed by the citizens \nof Texas.\n    So in working on that, again on a bipartisan basis, it took \na lot of lifting on behalf of the State to comply with that \npiece of legislation. This legislation is far more ambitious in \nwhat it endeavors to do. Has there been--have--have you done a \nstudy Mr. Krebs of what different States' laws they would have \nto change or Constitutional amendments that they would have \nto--to comply with H.R. 1? Have you done that Mr. Krebs?\n    Mr. Krebs. No, sir. We are focused on the technical \naspects.\n    Mr. Taylor. OK, and Mr. Hicks, have you done that? Have you \nanalyzed what Constitutional amendments or statutory changes \nwould be necessitated by H.R. 1?\n    Mr. Hicks. We have not.\n    Mr. Taylor. OK. I certainly hope if this is a serious bill, \nif this is something we actually think will be passed into law \nthat we have thought about at some level what we are going to \nhave to do at the State level because we cannot comply with \nthis at the State level unless we have really thought about it. \nI--I hope this isn't a show bill.\n    So Commissioner Hicks, in terms of ballot stuffing of \nyesteryear, right? So we--we had ballot stuffing with paper \nballots, is--with the paper ballot provision in H.R. 1 return \nus to the system of paper ballots? I mean is that--is that what \nwe are doing? We are kind-of going back in time?\n    Mr. Hicks. I guess I would need to read back through it \nbecause I don't--I don't interpret it that way.\n    Mr. Taylor. So the way I read it is that it requires paper \nballots. Is that--is that not what you--what you understand?\n    Mr. Hicks. For auditability.\n    Mr. Taylor. Right. So for time--for auditability and I \nthink this is an important distinction that we should let out \nhere. So time now, in my county, we have electronic machines \nthat print out on an individual machine-by-machine basis an \naudit of every vote so that that can be gone through and done \nwith an audit. So the machines are auditable through a paper \ntrail, not of the ballot itself but of what it--of ballots that \nare cast on that particular machine if that makes sense.\n    So as I understand this bill, everybody has got to stop \nusing those machines and start buying new machines that are all \npaper ballots. That is my understanding.\n    Mr. Hicks. That is not my understanding because there are \nsome machines that might have a paper trail associated under \nglass but it would be the verifiability of the voter to verify \nthat piece of paper.\n    Mr. Taylor. Are there enough machines that will be \nmanufactured between now and the beginning of the primaries in \nless than a year that we could actually implement this bill?\n    Mr. Hicks. I would need to talk to the vendors to see their \ncapabilities of manufacturing those machines.\n    Mr. Taylor. So we don't know if it could--it is even \nphysically possible to generate the number of machines that \nwill be required with this. I know there is funding in this \nlegislation but I am just unclear of whether or not it is even \npossible to logistically have all the machines in place.\n    Mr. Hicks. I would have to talk to the vendors themselves.\n    Mr. Taylor. You don't know. Does anybody--Mr. Krebs, do you \nhave any idea?\n    Mr. Krebs. I don't know but I assume if there is money to \nbe made they will figure out a way to do it.\n    [Laughter.]\n    Mr. Taylor. Well and I think and just as a practical--on a \npractical level so actually in my home county in Collin County, \nTexas, I was actually an election judge before I was elected to \nthe legislature and in that process I saw what happens when \nthere are not enough voting machines.\n    You have very long lines, people get discouraged and they \ndon't vote and so you have reduction of participation which is \nreally--it is a really disappointing event.\n    It is a very sad thing when people show up to vote, they \nwait for an hour, they can't actually vote because there aren't \nenough machines. Is--what--what provisions do we have in this \nlegislation that would protect from that scenario because it \nseems like we are setting up in this rush to try to get a bill \nout the door to provide funding with very limited amount of \ntime to put it together, so to speak, that we would make sure \nthat we have enough voting locations that we don't have people \nlining up and then saying I am not going to participate, I am \nnot going to vote.\n    Mr. Hicks. I think States have done a great job of moving \ntoward Election Day being the last date to actually cast their \nballot. Some States have moved toward early voting or vote \ncenters or absentee voting as well to alleviate the charge of \nhaving Election Day where 100 million people are trying to show \nup at the polls.\n    Mr. Taylor. Thank you. Thank you Mr. Chairman, I yield \nback.\n    Chairman Thompson. Thank you very much. Let me, for the \nrecord, indicate for the Members and the witnesses, we are \ntechnically here for only Section 3 of H.R. 1 bill. Some of the \nquestions have gone to other sections of the bill and I would \nlike for us to talk specifically about Section 3, which is our \njurisdiction. Yes, so I am--I just--I understand the interest, \nbut I don't think the witnesses are prepared to address some of \nthe questions that have been offered by the committee at this \npoint and that is just to make sure that we are all on track.\n    We now recognize the gentleman from New York, Mr. Rose.\n    Mr. Rose. Chairman, thank you, and that is Staten Island, \nMr. Chairman.\n    Chairman Thompson. There is a difference.\n    [Laughter.]\n    Mr. Rose. Mr. Krebs, how you doing? I am the incoming \nSubcommittee Chair of Intel and Counterterrorism, so I look \nforward to working with you and I think you hit the nail on the \nhead earlier, that it is clear that there are state actors, \nnon-state actors that are probing the homeland across the board \nto figure out where our vulnerabilities are. As they conduct \nthat probe, our electoral systems are one of the things that \nthey are analyzing.\n    So, in line with that I want to get a sense of, when you \nare working with local and State actors, who are you talking \nto? Is it the Terrorism Task Force, is it the Fusion Center, is \nthe secretary of state, is it the Governor, is the law \nenforcement entities? If it is all of the above, how do you do \nthat and what systems are in place to coordinate that type of \nmultifaceted action?\n    Mr. Krebs. It is all of the above and even more, the \nHomeland Security advisers and Adjutant Generals and things of \nthat nature. My team, the Cyber Infrastructure Security Agency, \nwhich you rightly point out, this election security issue is \nnot just about cybersecurity threats, there are also physical \nsecurities threats, there are insider threat, their access to \nmachines, manipulation to machines on device that we need to be \nthinking about. So, we approach this as a cyber and physical \nsecurity.\n    But, more broadly, form a counterterrorism perspective--the \nthing I have learned over the last couple years is that \nsecretaries of state are their natural risk managers. They have \nto plan for the hurricane. Look at what happened in the \npanhandle of Florida in the last election cycle. They have got \nto anticipate any nature of threat, and so, as we work through, \nwe do active-shooter training and those sorts of activities.\n    We have mechanisms in place, including, my team has over \n140 security advisers out in the field that work day in, day \nout with infrastructure owner/operators, with these officials, \nthey conduct training, they do walk-throughs, they do security \nfacility assessments to--in a lot of cases they provide reports \nback to the facility owner/operator with suggested \nimprovements.\n    Mr. Rose. So, but just to push you for a second on this, my \nunderstanding then is that there--you don't have an entity that \nyou are reaching out to, to coordinate this at the State and \nregional level. That it is incumbent upon you all, with these \n140 folks, to be reaching out to all of these local entities \nand it seems, from our perspective, that this is rather \ndisparate.\n    Mr. Krebs. So, specific to elections, we have developed \ncommunications protocols after some of the missteps of the \n2016--post-2016 notifications where we have a coordination \nprotocol, where we work with the State--the chief election \nofficial, the homeland security advisers, and so that is \ntypically our point of entry for--specific to elections.\n    Mr. Rose. OK, it would be great to see that.\n    Mr. Krebs. Yes, sir.\n    Mr. Rose. Then just last, at the Federal level, you \nmentioned that you have convening responsibility, but who is \nactually in charge of this interagency process? Who's at the \nhead of the table when all these folks are gathered together \nand who has that statutory authority to actually make sure that \nwe are getting the job done here?\n    Mr. Krebs. So, there are a couple different levels of this \nconversation. There is a policy coordination piece that the \nNational Security Council, Ambassador Bolton leads. There have \nbeen a number of convening meetings and what-not, all the way \nup to the principle committee meetings with the President.\n    Then at the operational level, there is a working group \nthat brings together the Department of Defense, the EAC is \ninvolved, the DNI.\n    Mr. Rose. Are you in charge of the working group?\n    Mr. Krebs. Am I? No, sir. I am in charge of the \ncybersecurity expertise and technical support to election \nofficials, that is my role.\n    Mr. Rose. Who would be in charge of the working group?\n    Mr. Krebs. There are a range of responsibilities and there \nis law enforcement actions, that is naturally the FBI, there is \nintelligence assessments, that is naturally the Director of \nNational Intelligence, there is the cybersecurity piece, that \nis me. This again goes to the whole-of-Nation, the whole-of-\nGovernment approach. There is no one agency that has all of the \ntools and capabilities that are needed to push back on this.\n    Mr. Rose. OK, all right. Thank you. I yield back my times.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from Texas, Mr. Crenshaw.\n    Mr. Crenshaw. Thank you, Mr. Chairman and thank you both \nfor being here. I am pleased that this committee is meeting to \ndiscuss the integrity of our elections and how to strengthen \nthe cybersecurity of our election infrastructure.\n    I will say, that election integrity is multifaceted, there \nis a lot of aspects to it. It is not just the cyber side, but \nit is also the voter fraud side, including voter I.D. laws and \nhow to prevent fraud by vote by mail.\n    I would say it is unfortunate that this is not a mark-up \nprocess and it is also unfortunate that this part of the bill, \nwhich I think we could reasonably come to a bipartisan solution \non, is attached to a much larger bill that is poisonous and \nwill certainly not make it past the Senate.\n    I want to ask you both, could you clarify what role you had \nin crafting this particular legislation?\n    Mr. Krebs. So, in the last Congress we certainly provided \ntechnical assistance on aspects that got rolled into it, but \nsuggestions on what DHS needs, what DHS does.\n    Mr. Crenshaw. OK.\n    Mr. Hicks. I spent 11 years as a House staffer. If the \ncommittee wants to come and ask my opinion, I am more than \nwilling to give it.\n    Mr. Crenshaw. OK, but you were not consulted prior to this \nhearing on what should be in this section of the bill?\n    Mr. Hicks. The committee--Chairman Thompson and then-\nChairman Brady invited me to speak before their Task Force and \nI gave input there on various aspects.\n    Mr. Crenshaw. Is there anything missing from this section \nof the bill that would you recommend go in it? Are there new \nauthorities or capabilities that--and I think this is directed \nto you, Director Krebs, that DHS would need that are currently \nnot in it?\n    Mr. Krebs. So at this point, again, I think the Department \nhas, generally speaking, the authorities we need to engage and \nsupport the election officials.\n    Mr. Crenshaw. One of the key provisions in this bill, it \nincludes the expiration date on funds. It is asking us to spend \na lot more money very rapidly; I want to get a sense of how \nrealistic that is from you all. Given the slow pace of \nupgrading election infrastructure, do you think that States \nwould need more time and flexibility on this, given your \nexperience working with them?\n    Mr. Hicks. I believe that the Chairman had talked about \nthat this would go over for 10 years and in that cycle there \nwould be 5 Federal elections, allowing for States to make \nimprovements overall.\n    If the--I believe that the provision was put in there \nbecause of the original HAVA provisions that allowed States to \nuse those funds in perpetuity. So this gives them a deadline to \nactually spend the money similar to the 2018 provision, which \nonly allowed for 5 years.\n    Mr. Crenshaw. Do you have anything to add?\n    Mr. Krebs. Sir, our role is to help the election officials \nspend the money in the most risk-based and security-formed \nmanner.\n    Mr. Crenshaw. Thank you gentleman, I yield.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentlelady from Illinois, Ms. Underwood.\n    Ms. Underwood. Thank you Chairman Thompson for calling this \nimportant hearing, and it is a hearing that central to \nprotecting our democracy and I thank the witnesses for \ntestimony here today. My own State of Illinois was a target \nduring the 2016 Presidential elections where the information of \nthe 76,000 Illinoisans were compromised by Russian hackers.\n    So while I am relieved to hear from you that there are no \nknown harms that were caused in 2018's midterm elections by \nnation-state actors, for me, and I think those on this panel it \nis critical that State, Federal, and local governments continue \nto collaborate to strengthen election security and landscape of \nthese ever-evolving threats. Now my colleague Congresswoman \nSlotkin pursued a line of questioning with you regarding social \nmedia and some of the threats that you all have recognized.\n    My follow-up question, at the end of your response sir, Mr. \nKrebs, is that you said that the enemy was changing tactics and \nso what should we be looking for in 2020 to ensure that we are \ncontinuing preparedness particularly at the State and local \nlevels?\n    Mr. Krebs. That is exactly the question, what do we need to \nbe prepared for? We have a habit of defending against the last \nattack, and so we can close out the last avenue of attack, we \ncan patch vulnerabilities, we can configure systems more \nsecurity. But if we have seen anything, the adversary gets \nahead of us, anticipates.\n    So what we are working through right now is what could an \nadvanced actor do? I--this is a personal perspective, but I \ntend to think that they could look back and exploit, hey, we \nwere in that system--we are in there again. But they might not \nreally be there.\n    Ms. Underwood. Right.\n    Mr. Krebs. So they--and one way to look at it is the \nRussians in some cases are living rent-free in our heads, and \nso how are they going to take that to their advantage without \nactually being on-network, but using their media--social media \ntools, their influence campaigns. So staying ahead of them and \ntheir ability to spread false information--it is working with \nsocial media, it is working with the traditional media in a \ncontent-neutral way.\n    But getting ahead and anticipating the things they may try \nto push, but most importantly and this again goes to that \nwhole-of-Nation approach. What can we do to better inform the \nAmerican people of the risks that are being presented to them \nand information that is being presented, again to make them \nmore informed consumers?\n    Ms. Underwood. More concretely then, you perceive social \nmedia to continue to be a significant threat heading in to \n2020?\n    Mr. Krebs. I see from a cost----\n    Ms. Underwood. OK.\n    Mr. Krebs. Effectiveness and risk perspective, that is \nprobably--it is cheap to do, it is highly effective in terms of \nbroad impact, and it is comparatively low-risk compared to on-\nnetwork activity. So I think that it is going to remain a tool \nin their toolkit, they continue to do it to this day. What is \nmost concerning is more actors, including the Iranians and \nothers are getting in to that game, following the lead of the \nRussians.\n    Ms. Underwood. Sure. One of the trends that we have seen, \nat least in Illinois is the rise in popularity of early voting, \ntaking advantage of vote by mail or, as we call it, vote at \nhome. So wondering about any specific threats obviously social \nmedia is probably less relevant in that stage of voting in an \nelection, so just wondering if you had any specific threats \nthat you might want to make this committee aware of?\n    Mr. Krebs. I am not aware of any specific threats to early \nvoting, the thing I will note though is early voting provides \nus earlier opportunities to spot anomalies through the auditing \nprocess and other security fall-back measures. So in some \ncases, it actually advantages the defender.\n    Ms. Underwood. In your experience every jurisdiction is \nengaging in that auditing process throughout the early vote \nperiod?\n    Mr. Krebs. I am not sure I have enough information to say \nthat conclusively.\n    Ms. Underwood. Where would we go to find that out?\n    Mr. Krebs. In part, we would need to work with EAC through \nsome of their mechanisms.\n    Ms. Underwood. OK, thank you so much. I yield back, sir.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the other gentlemen from Mississippi, Mr. Guest.\n    Mr. Guest. Thank you, Mr. Chairman. I will follow up a \nlittle bit to what Congressman Taylor had talked about earlier. \nIn section 3001 of this act it says that it amends the Help \nAmerica Vote Act of 2002, to create a grant program for States \nto replace current voting machines with paper ballot systems, \nfor security improvements before the 2020 general Federal \nelection. Mr. Krebs, do you know what percentage of voting \nsystems would have to be replaced to meet that requirement?\n    Mr. Krebs. Specifically no, but I know that 5 States and--\n83 percent of another very large State need to go through that \nprocess.\n    Mr. Guest. So would the other 45 or 44 and a percentage of \nthe State that is not in compliance--would those current voting \nsystems comply with what we are seeking to do here?\n    Mr. Krebs. I would have to do a little bit deeper research \non there, but I do know that of those other States that may be \nnominally in compliance, there are still legacy machines that \nare outdated and some of them may not be supported by the \nvendor. It is a good thing to refresh and retire legacy \nsystems.\n    Mr. Guest. OK, but as far as a percentage of systems that \nwould need to be replaced, you do not have a percentage to give \nus today?\n    Mr. Krebs. Not--not with me sir, I would have to work with \nthe----\n    Mr. Guest. Mr. Hicks, do you have any idea?\n    Mr. Hicks. I could talk to our staff to figure out what the \nexact percentage is, but I don't have a direct percentage right \nnow.\n    Mr. Guest. Do you have an estimate on the cost to comply \nwith section 3001, Mr. Krebs?\n    Mr. Krebs. No, sir.\n    Mr. Guest. Mr. Hicks.\n    Mr. Hicks. The earlier testimony before the Senate Rules \nCommittee, that question was asked about replacing aging voting \nequipment in non-compliance would be in this bill, I believe \nthat to be between $500 million and $1 billion.\n    Mr. Guest. I know there was previous testimony that at \nleast 45 States currently used paper ballots--and this may have \nbeen testified to earlier and I may have missed it--outside of \nGeorgia what were the other 4 States that do not currently use \npaper ballots?\n    Mr. Hicks. South Carolina, Louisiana, I believe New \nJersey--and I would have to get the rest of that--and Delaware, \nyes.\n    Mr. Guest. Then Mr. Krebs you said that there was another \nState that was partially in compliance with using paper \nballots----\n    Mr. Krebs. Pennsylvania----\n    Mr. Guest. Pennsylvania.\n    Mr. Krebs. Yes, sir.\n    Mr. Guest. What percentage of Pennsylvania did you say does \nnot currently use paper ballots?\n    Mr. Krebs. I would have to get back to your with specifics, \nit is somewhere around the 80 percent number. I will note that \nall 5 States that are--don't have paper trails right now, and \nthe State of Pennsylvania are all on a path toward voter \nverifiable paper trail. These are good things, this is a good \ntrend.\n    Mr. Guest. Of those States that we have just talked about \nthat are on that path, do we have any idea as to whether or not \nthey will have paper ballots for the 2020 election cycle?\n    Mr. Hicks. I would--I don't know if all 5 of those will be \nbut I know that they are on that path to comply with that. But \nI would also say that whatever path they take to ensure that \nthose folks who have disabilities can still vote independently \nand privately as prescribed by the law in the Help America Vote \nAct.\n    Mr. Guest. Then finally, Mr. Krebs, in your report on page \n6 you say that our voting infrastructure is diverse subject to \nlocal control and has many checks and balances. Do you believe, \nMr. Krebs, that elections should remain under local control?\n    Mr. Krebs. Yes, sir.\n    Mr. Guest. Do you--do you Mr. Hicks, do you also believe \nelections should remain under local control?\n    Mr. Hicks. States and localities are the ones that run \nelections.\n    Mr. Guest. Thank you. I yield back Mr. Chair.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from Texas, Mr. Green.\n    Mr. Green of Texas. Thank you Mr. Chairman. Thank you for \nyour leadership and allowing me to serve on this committee \nunder our leadership. I am a person who loves his country and I \nlove my State but I have heard this 10th Amendment argument \nbefore. Lonnie Smith was a dentist in Houston, Texas. He wanted \nto vote and there was a white primary. Smith versus Allwright, \n1944, went to the Supreme Court of the United States of \nAmerica. Lonnie Smith prevailed; that ended white primaries.\n    The 10th Amendment argument has been used consistently by \nsome States who deny rights. Texas is one such State. I love my \nState but Texas has been a bad actor for decades. I love my \nState. My State currently has a poll tax in contravention of \nthe 24th Amendment to the Constitution of the United States of \nAmerica. Talk about this photo I.D. and we will give you an \nI.D. if you can't afford it, if you are indigent.\n    Well I tested that system and voted without my proper I.D. \nand had some time to secure the proper I.D. The State of Texas \nwill accord you an I.D. at no cost if you are from Texas \nbecause in my case I am from Louisiana. I had to get my birth \ncertificate from Louisiana to get my I.D. in Texas and I had to \npay a fee for that; clever ways to disenfranchise.\n    So I thank God for the Federal Government and the stand \nthat has been taken over the years to protect the rights of \npeople in States. I don't think that is in contravention of the \n10th Amendment.\n    Now, to my question, you said Mr. Hicks that the States are \nmoving toward some sort of paper component, I believe is the \nphraseology that you utilized. Paper trail is what people at my \nlevel of life would probably say, ``Why are they doing that?'' \nWhat is the rationale for moving to paper verification?\n    Mr. Hicks. It is a little bit of two things. One, I believe \nit is confidence to ensure that the--if there is an audit being \ndone that there is some sort of physical trail that people can \npoint to and do a physical count of that. The other is I \nbelieve just moving back toward confidence as well.\n    Mr. Green of Texas. Confidence and the level of confidence \nthat we aspire or that we desire to have, is that one that \nwould give us a belief that if there has been some sort of \nintervention, we will be able to detect it and that paper--\nverifiable paper may be of assistance?\n    Mr. Hicks. There could be.\n    Mr. Green of Texas. If this is the case that verifiable \nassistance by way of paper is something that is of value, can \nyou give me a good reason why we would oppose having verifiable \npaper given that States are moving toward it and given if there \nis some value in it, why would we oppose it? What is a good \nreason to desire a system that doesn't have this type of \nverification?\n    Mr. Hicks. The biggest reason that I have heard over the \nyears is those folks who have disabilities who may not have the \ndexterity functions to handle that paper and to verify it. So \nif I am without sight, I can't verify a piece of paper \nphysically. I think the technology is moving toward allowing \nfolks who have sight disabilities to be able to verify that but \nthey still would have to physically use that paper. I believe \nthat we have come a long way since the 2000 election in terms \nof technology and moving forward.\n    For instance back in 2000, everyone in this room probably \nhas a smart phone. No one had those issues. So as we move \nforward with technology to allow for people to cast their \nballots and so forth, the other aspect of that is people who \nlive overseas and are in combat areas where they might not have \naccess to a fax machine to fax that back or the ability to get \nthat piece of paper back. But to ensure that our military and \noverseas folks still have a way to cast their ballots for the \nrights they are defending for us all.\n    Mr. Green of Texas. Thank you. Persons who need assistance \nin polling places, we currently allow that. If you need some \nsort of--if you are visually impaired we allow you to be \nassisted and there are ways to deal with our military personnel \nin foreign places, distant places. The empirical evidence seems \nto indicate that there is more value in having it than not. Is \nthat a fair statement?\n    Mr. Hicks. Yes.\n    Mr. Green of Texas. All right, thank you Mr. Chairman. I \nyield back.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentlelady from Florida who comes from a State \nthat has some minor experience in voting issues. Mrs. Demings.\n    Mrs. Demings. Thank you so much, Mr. Chairman and thank you \nagain to our witnesses for being here with us. Everybody in \nthis room clearly understands the deep, dark, ugly history that \nour great Nation has as it pertains to voter suppression and I \nwould think that this committee would lead the effort in making \nsure that we have a system that allows citizens of this country \nto be able to exercise their right to vote. That I would \nbelieve in this country that we would ensure that race, gender, \neconomic status, or ZIP code would never again be--to a \nperson's right to vote. So I want to thank you--the two of you \nfor what you do to make our process fair.\n    I am from Florida and let me just say I am not offended \nwhen Florida people all over this Nation question what in the \nheck is going on in Florida? I am not offended by it because I \nam committed to making sure that we get the process right. We \ncan never underestimate the--how important the cooperation is \nbetween Federal, State, and local governments are to making \nsure that this process is right. In the November's election, 20 \nStates, including my home State of Florida, elected new \nGovernors, and while several others elected or appointed new \nsecretaries of state.\n    So as we prepare for the 2020 election and using what \nhappened in 2016 kind of as a tool that we will not forget, \nlooking at the vulnerabilities and the experiences of 2016, I \nwill ask both of you, what outreach have you participated in to \nsecretaries of state, to new executive officers or Governors to \nmake sure that they are prepared for the 2020 process?\n    Mr. Hicks. Thank you, Congresswoman. That is a great \nquestion. We work very closely with the National Association of \nSecretaries of State, and I actually participated in their \nwinter conference 2 weeks ago, where I met several of the new \nsecretaries myself. We also work with the National Association \nof State Election Directors who also had their conference a \ncouple of weeks ago, here in the District of Columbia, where I \nhave met several of those new folks.\n    We work very closely with them to find out what sort of \nassistance the EAC can have. In 2018, we held a summit in--at \nthe National Press Club where it was well attended, broadcast \non C-SPAN, where we talked to people about preparing for the \n2018 election.\n    One month before the 2018 election, in October we held a--\nanother summit in the Congressional Visitor's Center where \nMembers of Congress and others were able to kick the tires on \nvoting machines, and hear from election officials, themselves, \nabout how they were preparing for the election coming up.\n    I believe that the EAC is looking to hold additional forums \nthis year, and next year, with disability groups, and State \nelection officials, and others so that we can continue our \npartnership. I believe that we have come a long way from when \nfolks were not looking favorably upon the EAC. I would ask that \nyou talk to--or ask the question to the secretaries of state.\n    I might be a little worried about this, but--about how we \nare doing, and move forward. There are other things that we can \ndo to improve the process. But at the end of the day, this is a \npartnership where we hope to do what is best for the American \npeople, and ensure that the confidence remains high.\n    I journeyed to your State in--in December to go down to Bay \nCounty and talk to folks, and find out what actually happened, \nand how they prepared for the election, since they were--things \nwere destroyed. They were cleaning out voting equipment with \ntoothbrushes, basically. But they still pulled the election \noff. We want to be able to provide them resources, not just \nmonetarily, but advice on how to prepare for 2020, and moving \nforward.\n    Mrs. Demings. Thank you. Director Krebs.\n    Mr. Krebs. Briefly, I have the advantage of having a field \nforce, 140 folks out in field. Their top priority, as these new \nsecretaries were being sworn in, was to get meetings on the \nbooks. Unfortunately, some of those meetings were disrupted by \nthe shutdown. But those are back on the books. We are engaging \nfull speed ahead.\n    Mrs. Demings. Great. Thank you so much. Mr. Chairman, I \nyield back.\n    Chairman Thompson. Thank you very much. The Chair now \nrecognizes the gentleman from Missouri, Reverend Cleaver.\n    Mr. Cleaver. Thank you, Mr. Chairman, thank you for being \nhere today. I--this is not a trick question, but I would like \nfor both of you, if you could answer the question. Do you think \nthat we have an election process that is equal in this country?\n    Mr. Krebs. I am sorry. Could you repeat the question?\n    Mr. Cleaver. Is the--are the elections in the United States \nof America equal? If we have a Presidential election, are all \nvotes equal?\n    Mr. Hicks. One person, one vote. So every vote counts \nequally.\n    Mr. Cleaver. Yes.\n    Mr. Krebs. I would agree with that.\n    Mr. Cleaver. Would you agree with that?\n    Mr. Krebs. Yes, sir.\n    Mr. Cleaver. So, everybody who votes should have equal \naccess to the voting booth?\n    Mr. Krebs. Every eligible voter should have access to a \nballot. Not necessarily going into a voting booth, as well. But \nhave access----\n    Mr. Cleaver. That is good. That is fine. That is OK.\n    Mr. Krebs. Yes sir.\n    Mr. Cleaver. OK. I don't think--I don't think elections are \nequal. I think I can prove it rather easily. If you live in \nOregon you can vote on Sundays. You can register all the way up \nto the election. If you are in South Carolina--and I even think \nFlorida, you can vote on--on Souls to the Polls, where you vote \non Sundays.\n    In Missouri you can't do that. In the neighboring State of \nKansas, you can't do that. In Iowa you can't do that. So \nsomething is not right, in terms of having equal access to the \nballot--I mean, to the voting precinct. Some people have a \ngreater opportunity to vote--vote than others. Am I wrong or am \nI right? Thank you. No, go ahead.\n    Mr. Hicks. I was going to say that I believe that there--if \nCongress wants to give the EAC more direction on how to improve \nthe process, then we are more than willing to help it. I \nbelieve that States are moving toward early voting.\n    I believe that States are moving, with the $380 million, to \nrefine voter registration processes. We will continually work \nwith States to improve the process. The U.S. Postal Service \ndoes a great job, in terms of vote by mail. But I think there \nare other aspects that we all can improve upon.\n    Mr. Cleaver. But you do understand that does some vote--\nsome States fighting it?\n    Mr. Hicks. Yes.\n    Mr. Cleaver. So am I right or am I wrong, Mr. Krebs?\n    Mr. Krebs. Sir, my job is regardless of the jurisdiction, \nwhatever the--whatever the system is, that that vote is being \ncast and counted, and it is done in a secure and resilient \nmanner.\n    Mr. Cleaver. OK. I understand. I appreciate it. That is--I \nlike that, a good American. OK, I will declare I am right.\n    [Laughter.]\n    Mr. Cleaver. I think I can prove it, empirically, that we \ndon't all have equal access to the voting booth. OK. The other \nthing--our conduct is always based on cost. We do something, \nthere is a cost to it, or for the most part there is a cost to \neverything.\n    I am wondering, we all have been told by our intelligence \nagencies that Vladimir Putin ordered interference with our \nelections. We have been--this is a direct quote, they will be \nback in 2020, FBI. In your opinion, Mr. Krebs, has--have the \nRussians paid a price for interfering with our elections?\n    Mr. Krebs. There has certainly been a significant amount of \npressure and pain put upon the Putin administration, sanctions, \nother diplomatic actions, and a number of indictments against \nGRU actors. We will continue to push them, we will continue to \ndefend.\n    My mission is to help State and local officials protect \ntheir networks, defend their networks and that is what we focus \non every single day.\n    Mr. Cleaver. Mr. Hicks.\n    Mr. Hicks. Our middle name is assistance and so we want to \nhelp as much as we can.\n    Mr. Cleaver. OK. I am not sure that they--that they paid a \nhigh enough price for doing what they have done but my \nsuggestion here is that they will come back again because the \nprice wasn't high enough.\n    All those people who have been indicted, all they have to \ndo to avoid going to jail is to--is never coming back to the \nUnited States or not being caught visiting another country with \nwhich we can have access to an arrest. Anyway, Mr. Chairman, I \nappreciate the opportunity. I yield back.\n    Chairman Thompson. Thank you very much. I thank the \nwitnesses for their testimony. I now call up the second panel.\n    I welcome the second panel of witnesses. First I--let me \nthank all of you for being so patient. I woul like to welcome \nour California Secretary of State Alex Padilla to the panel.\n    Secretary Padilla has been a leading voice on election \nsecurity and has done a number of innovative things in \nCalifornia to train up officials at the local level, raise \npublic awareness about misinformation, and make the most of \nFederal partnerships.\n    Second we will hear from Noah Praetz. OK. There is an issue \nwith a Mississippian and an Alabamian in pronunciation. Who \nuntil very recently served as the director of elections for \nCook County, Illinois where he oversaw elections in one of the \nlargest counties in the United States.\n    Third, I am excited to hear from Mr. Jake Braun, the \nexecutive director of the cyber policy initiative at the \nUniversity of Chicago Harris School of Public Policy and also a \nco-founder of a DEFCON Voting Machine Hacking Village, the \nworld's only public third-party inspection of voting equipment.\n    The research we have seen come out of DEFCON has been \ninstrumental in helping us understand our vulnerabilities and \nhelp us move the conversation on election security forward.\n    Finally, I now recognize a Ranking Member Mr. Rogers to \nintroduce Mr. Merrill, our minority witness today.\n    Mr. Rogers. Yes, I am very happy to have Secretary Merrill \nwith us today. He is in his second term as Alabama Secretary of \nState and is one of--if not one of, he is the hardest-working \npolitician in Alabama. He has done such a fine job and I am \nhappy to have him here with us today.\n    Chairman Thompson. Without objection, the witnesses' full \nstatements will be inserted into the record. I will now ask \neach witness to summarize his statement for 5 minutes beginning \nwith Mr. Padilla.\n\n   STATEMENT OF ALEX PADILLA, SECRETARY OF STATE, CALIFORNIA\n\n    Mr. Padilla. Thank you Mr. Chairman, Ranking Member Rogers, \nand Members of the committee. The defense of our Nation's \nelections must be a top priority for all of government; \nFederal, State, and local. After all, our democracy is under \nattack.\n    Elections officials have taken seriously the warnings from \nintelligence agencies. Our elections have been and will \ncontinue to be targeted by bad actors both foreign and domestic \nwho seek to disrupt and undermine public confidence in our \ndemocracy.\n    We know these threats to be real because we see them every \nday. If we agree that defending the integrity of our elections \nis a matter of National security, then we must act accordingly.\n    Yet, despite the warnings and advice, our National response \nhas been lacking. I have been to discuss what the Federal \nGovernment can do to help and to share what we are doing in \nCalifornia to better secure our elections.\n    I will begin by recognizing that both DHS Director Krebs \nand Senior Advisor Masterson are tremendously valuable \npartners. They have honored their commitment to timely \ncommunication with us when issues or concerns arise.\n    I will note that the importance of this partnership \nunderscores the danger of unnecessary Government shutdowns. \nWith the 2020 elections quickly approaching, our collaboration \nmust not be interrupted. Now this partnership is only one \ncomponent of a comprehensive defense strategy. We must also \ninvest in election administration.\n    The last time Congress approved new funding for elections \nwas 17 years ago through the Help America Vote Act. The \ninvestments made as a result were buying in large equipment and \ntechnology that are now 20 years old.\n    Today it is not uncommon for elections officials to be \nsearching on-line for replacement parts for voting systems that \nare no longer supported by manufacturers. Others are stuck \nutilizing old operating systems that cannot be patched or \nupdated with the latest security software.\n    So if we truly value our democracy, then we must commit \nconsistent Federal funding for elections administration and \nsecurity. Yes, Congress did appropriate $380 million last year \nin grants to States, but that wasn't new money, and it \ncertainly wasn't enough. Last year's appropriation was the last \nof butterfly ballot, hanging chad, money that was never \nintended for modern-day cyber threats.\n    Next, Congress has the opportunity to make the best \npractices for election security the National standards. Among \nthem, rigorous testing and certification of our voting systems, \nrequiring logic and accuracy testing of systems before every \nelection, requiring paper ballots and a voter-verified paper \ntrail, requiring voting systems to be kept off-line and \nrequiring post-election audits after every election.\n    This is a proven framework for securing elections and for \nimproving voter confidence. You see, if a voter begins to think \nthat their vote may not be counted or may not be counted as \ncast, and they choose to not participate in an election as a \nresult of that doubt, that is a form of voter suppression.\n    Now these policies have served California well for years, \nbut since 2016, we have done more. We have established these \npartnerships with DHS, FBI, the EAC, as well as State and local \nagencies, to better coordinate in the event of a threat or \nincident. We have engaged in security trainings, table-top \nexercises, and information sharing.\n    We have upgraded our State technology infrastructure and \nestablished an office of election cybersecurity and an office \nof enterprise risk management. We have dedicated staff to \nmonitoring social media for erroneous information about voting. \nWe have launched the public education campaign to raise \nawareness about election misinformation.\n    We have created a web portal with resources for voters, \nincluding the ability to verify their registration status, find \ntheir polling place and to report suspected misinformation. \nFinally, we piloted a voter status alert tool which notifies a \nvoter whenever their voter registration record is updated.\n    We plan to deploy this tool State-wide, in time for the \n2020 elections. Thankfully, the 2018 election went smoothly, \nbut we know that those who seek to undermine our Democracy will \ncontinue to try with increased frequency and sophistication. It \nis not enough to keep up with nefarious actors; we must stay \nahead.\n    This requires us to continue to work together, to implement \nthe best standards, and to make the necessary investments. \nThank you for this opportunity; I look forward to your \nquestions.\n    [The prepared statement of Mr. Padilla follows:]\n                   Prepared Statement of Alex Padilla\n                           February 12, 2019\n    Good morning and thank you Chairman Thompson, Ranking Member \nRogers, and Members of the committee for the opportunity to be before \nyou today.\n    And thank you for convening this hearing to discuss our Nation's \nelection security readiness. For me, and for my colleagues in State and \nlocal government, this conversation could not be any more urgent.\n    The defense of our Nation's election systems and infrastructure \nmust be a top priority for all of government--Federal, State, and \nlocal. After all, our democracy is under attack.\n    Elections officials throughout the Nation have taken seriously the \nwarnings we have received from Federal intelligence agencies--that our \nelections have been and will continue to be a target for bad actors, \nforeign and domestic, who seek to disrupt our democratic process and \nundermine public confidence in our elections.\n    Elections officials know these threats to be true, because we see \nthem every day. For example, in California, our internet-facing systems \nare pinged or scanned constantly. This activity is the equivalent of \nsomeone walking through a neighborhood, checking doorknobs, looking for \nunlocked doors. While these are not hacks or breaches, those conducting \nthis unauthorized activity certainly have intentions.\n    If we agree that the integrity of our elections is a matter of \nNational security, then we must act accordingly and recognize that \nelections officials are on the front lines. We are the first responders \nto attacks on our democracy.\n    Yet despite consistent warnings and evidence, our National response \nis severely lacking.\n    Most critically, we must rethink how we fund and administer \nelections.\n    In my testimony today, I will discuss what the Federal Government \ncan do to further support States and local jurisdictions, and I will \nshare what we are doing in California to better secure our elections.\n    I want to start by saying that DHS Director Chris Krebs and DHS \nSenior Advisor Matt Masterson have become tremendously valuable \npartners. They have demonstrated their commitment to quality and timely \ncommunication and coordination with State and local elections officials \nwhen issues or concerns arise.\n    When potential threat information has surfaced, they have reached \nout to us. When we read or hear of new threats, they are there to \ninform us of potential exposure.\n    The importance of this partnership underscores the danger of \nunnecessary Government shutdowns. During the recent shutdown, \nsecretaries across the Nation were notified that email responses and \nphone contact with DHS personnel would be suspended or delayed. As the \n2020 election cycle is already ramping up, we cannot afford to lose \ncritical contact with our Federal partners.\n    Partnership with DHS and other National security agencies is only \none necessary component of a comprehensive defense strategy.\n    Let's be honest, elections are underfunded and are too often a low \npriority for Federal, State, and local governments. The last time \nCongress approved new funding for elections was through the Help \nAmerica Vote Act (HAVA), 17 years ago, in the wake of the 2000 \nPresidential election. And the investments made as a result of HAVA \nwere by and large in equipment and technology that is now 20 years old.\n    Members of the committee, you would not settle for 20-year-old \ntechnology and reliability on your cell phones; our voting systems \nshould be no different.\n    The lack of sustained investment has resulted in outdated election \ninfrastructure and understaffed elections offices. Across the country \nthere are many elections officials in counties with small populations--\nand therefore small budgets--that don't even have their own IT staff.\n    In addition to being outdated, voting equipment in many \njurisdictions is at or beyond life expectancy. As we meet here today, \nthere are some elections officials searching on eBay for replacement \nparts for systems that are no longer supported by manufacturers. Others \nare utilizing operating systems that are so old, their vendor no longer \nprovides tech support--meaning some voting machines cannot be patched \nor updated with the latest security software.\n    Simply put, too many elections officials are ill-equipped to defend \nagainst 21st Century threats.\n    We often say that our budgets are a reflection of our values.\n    If we genuinely value our democracy, then we must commit consistent \nFederal support for election security and administration.\n    Members of the committee, respectfully, last year's appropriation \nof $380 million in cybersecurity grants to States was not new money, \nand it certainly was not enough. The $380 million was simply the final \nappropriation of HAVA funds. That was the last of the butterfly ballot \nand hanging chad money. That was not 2016, 2018, or 2020 cyber threat \nfunding.\n    In addition to funding, Congress also has a tremendous opportunity \nto make the proven best practices for election security the National \nstandard.\n    Among them:\n  <bullet> Rigorous testing and certification of voting systems with \n        up-to-date security standards;\n  <bullet> Requiring testing of voting systems for logic and accuracy \n        before every election;\n  <bullet> Paper ballots and a voter-verified paper trail, for \n        auditing, recount, and manual tally purposes;\n  <bullet> Keeping elections infrastructure off-line;\n  <bullet> Post-election audits after every election.\n    I suggest to you that this is the proven framework for better \nsecuring our elections as well as improving voter confidence. \nDeficiencies in our election security infrastructure can jeopardize \npublic confidence in our democracy. If voters begin to think that their \nvote may not be counted, or may not be counted as cast, and they decide \nto not participate in an election as a result of that doubt, that is a \nform of voter suppression.\n    These are just some of the best practices that have served \nCalifornia well since long before the 2016 election.\n    And in response to the 2016 election, we doubled down on our \nefforts.\n    We established intergovernmental partnerships with the U.S. \nDepartment of Homeland Security, the Federal Bureau of Investigation, \nthe Elections Assistance Commission, the California Department of \nTechnology, the California Office of Emergency Services, the California \nHighway Patrol, and county governments to ensure coordinated responses \nto cyber threats and incidents.\n    My office has engaged local elections officials in cybersecurity \ntrainings, table-top exercises, and information sharing. And I \npersonally visited fusion centers in all regions of California to \nbetter position ourselves to coordinate in the event of a threat or \nincident.\n    We upgraded our technology infrastructure and established both an \nOffice of Election Cybersecurity and an Office of Enterprise Risk \nManagement within our agency.\n    Another lesson I've taken to heart is that your technology is only \nas strong as the staff that uses it. Cybersecurity tools are just that, \ntools--tools for our staff to utilize. This is why we have invested in \nspecialized staff dedicated to cybersecurity and trainings for \nelections staff at the State level and with our local partners.\n    As part of our strategies in the new Office of Election \nCybersecurity, last fall we launched ``VoteSure,'' a first of its kind \nin the Nation public education campaign to increase voter awareness \nabout election misinformation on-line and to promote official, trusted \nelection resources. The campaign included the launch of a new web \nportal with a variety of tools and resources for voters including the \nability to verify registration status before going to vote, reliable \npolling place look-up tools, and a dedicated email address for voters \nto report suspected misinformation. And in a first-in-State history \neffort, we emailed official election information and resources directly \nto voters.\n    In the days leading up to the 2018 General Election, our staff \nidentified nearly 300 Facebook posts and Tweets with inaccurate and \nmisleading information about the voting process. We reported them to \ntheir respective social media companies for review. Ninety-eight \npercent of the posts and tweets we reported were promptly removed by \ntheir respective platforms for not meeting their standards.\n    Our office also piloted a new voter status email alert program in 7 \ncounties--Madera, Napa, Orange, Sacramento, San Mateo, San Bernardino, \nand Solano--for the 2018 General Election.\n    This new system automatically notifies voters whenever we have \nreceived a new registration or update to their registration record \nthrough our on-line voter registration website or a paper voter \nregistration form. We plan to expand the program State-wide ahead of \nthe 2020 elections.\n    California's share of last year's HAVA appropriation was $34 \nmillion. Funds in the current year's budget is helping counties with \ncosts of upgrading security of their connection to our State-wide \ncentralized voter registration database, known as VoteCal, and polling \nplace accessibility.\n    At the State level, we are using a portion of the funds for:\n  <bullet> Support of county efforts associated with cybersecurity \n        risks and infrastructure needs related to the State-wide voter \n        registration system, including important activities such as \n        security assessments, penetration testing, and staff training.\n  <bullet> Support for county improvement of polling place \n        accessibility and administration of elections.\n  <bullet> Support for county vote center implementation, which \n        includes costs associated with new voting technology like \n        ballot on demand, electronic pollbooks, remote accessible vote \n        by mail systems and voting systems.\n  <bullet> Enhancements to VoteCal State-wide voter registration \n        system.\n  <bullet> Development of security training curriculum and training of \n        counties.\n  <bullet> Support and guidance for counties implementing risk limiting \n        audits.\n    By all accounts, 2018 was a success. In California, voters \nresponded with record-high voter registration and the highest voter \nturnout in a midterm election since 1982. And the election went as \nsmooth as we could have hoped for.\n    But, the threats to our elections are ever-evolving. And those who \nseek to undermine our democracy will increase their efforts both in \nfrequency and sophistication.\n    My colleague, Minnesota Secretary of State Steve Simon, puts it \nbest, ``Election cybersecurity is like running a race without a finish \nline.'' It's not enough to keep up with nefarious actors who seek to \nundermine our democracy, we need to stay ahead.\n    To do that, we must constantly be learning, scrutinizing, testing, \nand upgrading our security--and that requires Federal, State, and local \nentities to keep working together and to make the necessary \ninvestments.\n    Thank you again for your work to address these issues head on. I \nappreciate your leadership and look forward to answering your \nquestions.\n\n    Chairman Thompson. Thank you very much. Next, we will hear \nfrom Mr. Praetz, who will--until very recently, served as the \ndirector of elections for Cook County, Illinois.\n\n STATEMENT OF NOAH PRAETZ, FORMER DIRECTOR OF ELECTIONS, COOK \n                        COUNTY, ILLINOIS\n\n    Mr. Praetz. Thank you, Chairman Thompson, Ranking Member \nRogers, distinguished Members. My name is Noah, and I was \ndirector of elections in Cook County, Illinois. I speak to you \nfrom that experience today, and it is a real honor to do so.\n    You know, when election officials certify results, they \nbestow, not just power, but legitimacy that comes from the \nessential American belief that our elections reflect a trusted \nand true accounting of the votes. We secure that legitimacy by \nprotecting two--two virtues, truth and trust, along two \ndifferent fronts, infrastructure and information.\n    Truth can be protected with policies and practices that \nensure a fair and accurate account. Trust is protected by \ncontinuing to deliver services to our voters as expected. \nElection officials have been security votes in voter records \nfor a very long time. When I started, prior to 2000, we served \nmostly as logistics managers--kind-of like wedding planners \nmaking sure the right list of people came together at the right \nplace with the right stuff.\n    After Bush v. Gore, a whole new era was foisted on us with \nvoting technology, new rules--and we become I.T. managers. Now, \nsince 2016, we must become cybersecurity managers. Spurred by \nthe need to defend against foreign adversaries, Federal and \nState officials have been working very successfully to find a \ngood balance of Federal involvement in elections, without \ntrampling on authority that the States zealously guard.\n    State election officials who protect State-wide voter \nregistration lists everywhere and more systems in some States \nand are often the spokespeople defending our institution \ndeserve great credit, particularly their lead blocking in 2016, \nbut also their leadership in the lead-up to 2018, when \naccepting the premise that we are a target and that we are \nvulnerable.\n    The Federal agency, led by Director Krebs and with \nMasterson's help, charged with providing direct support in this \narea, has also met the continuing demand for information and \nfor services.\n    Election officials remain committed to the security effort \neven though there were no known impactful attacks against us in \n2018, because we believe that good news is probably more a \nfunction of our adversaries not engaging than it is a result of \nour significant efforts over the last 2 years.\n    At the risk of being overly broad, I wish to underscore \nthat local election officials are the ones who control, secure, \nand run elections. One hundred and eight in Illinois; and over \n8,000 nationally are on the front lines. We deploy a variety of \nconnected digital systems--poll books, voter registration \nsystems, informational websites, election results websites, \nElection Day command centers, not to mention voting systems.\n    Each of these are a ripe target. Most local election \nofficials are city or county officers, 2 or 3 people, and they \nare facing down shadowy, powerful adversaries; kind-of like \nAndy in Mayberry sent to repel an invading army. Locals need \nadvice, support, and resources, for modern defendable \ntechnology and routine hand-counted audits, which can give \nconfidence that the digital results are accurate.\n    But second, and I think more critically today, they have a \npressing need for top-notch personnel with the skills to \nnavigate the current cyber battlefield. In Cook County, we \nundertook significant efforts in securing the infrastructure \nand helping raise awareness within the ecosystem.\n    We concluded that, to decrease the likelihood of a \nsuccessful attack, each local election official must have \naccess to an election security officer. We suggested this be \nhandled by a brigade of cyber-navigators, supporting local \nelection officials. These navigators would adopt the mantra of \ndefend, detect, recover.\n    They help improve defenses, following specific \nrecommendations already out there from the Center for Internet \nSecurity or the Defending Digital Democracy program at Harvard. \nThey establish breach detection techniques and they help \ndevelop recovery plans for when attackers do successfully \npenetrate the first or second line.\n    To accomplish this, navigators secure free support on \noffers from Homeland Security, State governments and companies \nlike Google, Cloudflare, and Microsoft. They work with State \nand county I.T. staff, and critically, they will work with the \ndeeply-embedded election vendors who are strategic partners \nthat provide locals with much of their current support.\n    Incidentally, Illinois lawmakers spent the HAVA funds you \nreleased on a navigator program, with $7 million allocated to \nsupport each county, 108, more or less equally, with human \nexpertise--9 navigators, each supporting about 12 counties and \nserving as their election security officer.\n    The remaining HAVA funds were to be spent with some \nrecognition that bigger counties, like Cook County, are likely \nmore high-value targets. Voters should feel broadly confident \nthat we have resilient systems and that election officials are \ntaking this problem very serious. But they should also \nunderstand that without continued investment, and people and \nproducts, the possibility of a successful attack increases.\n    Some losing candidates are already apt to call their \ndefeats into doubt. A new digital breach, no matter how far \nremoved from the vote counting system, could turn sore losers \nto cynicism, disbelief, even revolt. That is the reaction our \nadversaries are looking for.\n    The bottom line is we cannot eliminate every chance of \nbreach. We can make sure that successful attacks are rare, and \nwe can provide assurances that we are prepared to recover \nquickly when they happen. We do this with support at the local \nlevel. Thank you.\n    [The prepared statement of Mr. Praetz follows:]\n                   Prepared Statement of Noah Praetz\n                           February 12, 2019\n                               biography\n    Noah Praetz was the director of elections working under Cook County \nClerk David Orr and then under Clerk Karen A. Yarbrough. He was \nresponsible for the overall management of elections in Cook County, \nIllinois, one of the largest jurisdictions in the country serving 1.6 \nmillion voters.\n    He started as temporary worker hired to do data entry prior to the \n2000 Presidential election. In 2007 he became deputy director and in \n2013 he was appointed director.\n    Mr. Praetz currently runs an elections consulting practice. He \nteaches election law at DePaul University College of Law. He is an \nadvisory board member at the University of Chicago's Cyber Initiative.\n    Mr. Praetz was on the executive committee of the Government \nCoordinating Council representing the local election officials as \nHomeland Security sought guidance on how best to support the election \ncommunity. He was the treasurer of the International Association of \nGovernment Officials. He was also co-chair of the Election Center Cyber \nSecurity committee. He was active in the Illinois Association of County \nClerks and Recorders. He has presented on election security, \nsustainability, election day management, on-line registration, voter \nregistration modernization and other election-related items.\n                           executive summary\n    Election officials have been securing our Nation's votes and voter \nrecords for a very long time. We have been securing digital \ninfrastructure for a more than a decade. But the changed environment \nand the expectation of continued sophisticated attacks forces them to \nup their game.\n    Spurred by the need to defend against foreign enemies, Federal and \nState officials have been working successfully to find a good balance \nof Federal involvement in elections, without trampling on authority \nthat the States zealously guard. Good progress is being made.\n    However, even as the community of election officials appreciate \nthat election 2018 was free of any known incidents, they largely \nrecognize that those successes are probably less a function of their \nefforts than they are a function of our Nation's adversaries' probable \nchoice to hold back. The fundamentals of election security, and the \ninvestments neeeded to ensure improved security, have not changed since \nthe summer of 2016.\n    Broadly, the fundamentals are these, local election officials are \nthe ones who control, secure, and run elections. Locals--108 in \nIllinois and over 8,000 Nation-wide--are on the front lines of this new \nbattlefield. Locals control almost the entire election infrastructure. \nLocals are the entities most in need of support and attention. Locals \nneed help to fortify themselves, and our most important institution, \nagainst the high-probability threat actors they've been warned of. The \nStates, with partnership from the Federal Government, are the entities \nthat are now, and will continue to be, the leaders needed to support \nthe security efforts to the local election officials.\n    While in Cook County we studied and undertook significant efforts \nat securing the infrastructure and helping raise awareness within the \necosystem. We concluded that to decrease the likelihood of successful \nattack on digital services, each local election official must have \nready access to a savvy dedicated partner--an election infrastructure \nsecurity officer. Most locals don't have that capacity today.\n    Local election officials cannot master this problem without direct \nsupport of skilled experts. We suggested this be handled by a brigade \nof digital defenders, or what the Government coordinating council calls \n``cyber navigators,'' supporting local election officials into the \nfuture.\n    These ``navigators'' should adopt the mantra of Defend, Detect, \nRecover. They need to accomplish these three vital goals. They can help \nimprove defenses within election offices, following the specific \nrecommendations of Center for Internet Security or Defending Digital \nDemocracy--we believe they'll quickly bring up the floor of the \nelections security ecosystem. They'll also establish detection \ntechniques. And they'll develop recovery plans for when attackers \npenetrate the first and second line.\n    To accomplish this, the ``Navigators'' will secure free support on \noffer from public and private organizations, like Homeland Security, \nState governments, and companies like Google and Cloudflare. They will \nalso work with outside vendors who provide much of the elections \ninfrastructure and support to local officials. Third, they will build a \nculture of security that can adapt to evolving threats through training \nand constant re-assessment.\n    Voters should feel confident that we have resilient election \nsystems, with paper ballots and good audits almost everywhere. But \nvoters should also understand that without continued investment in \npeople and products the possibility of a successful attack increases. \nAs does the likelihood that losing campaigns may cultivate cynicism \nabout the integrity of our elections for their own purposes. Democracy \nis not perfect. As Churchill said, it is the worst form of government \nexcept for all the others. We need to protect it. We will regret it if \nour democracy is damaged because we looked away at a critical moment.\n                               testimony\n    Thank you, Chairman Thompson and Ranking Member Rogers, as well as \nall Members. It is an honor to be here. I am reminded as an election \nadministrator that when we certify results we are an essential part of \nthe process that bestows not just power, but legitimacy. And that \nlegitimacy attaches because of the essential American belief that our \nelections reflect a trusted and true accounting of each election. I \nspeak to you today in support of efforts to ensure that legitimacy \nremains the key virtue in our elections.\n    My name is Noah Praetz. Two weeks ago I stepped down as director of \nelections in Cook County, Illinois where I worked for Cook County Clerk \nDavid Orr, and recently Clerk Karen Yarbrough. I began my career in \n2000 and during that time our office tried to lead on technology and \nsecurity--using applied forensics in elections; creating widely-\ncirculated cybersecurity checklists in advance of the 2016 elections; \nand publishing the first white paper written by election officials in \nthe wake of the 2016 attacks. Recently, I helped the Center for \nInternet Security (CIS) adapt their digital security expertise to the \nunique context of elections and also spent a little time talking to the \nDefending Digital Democracy program at Harvard's Belfer Center (DDD). \nAs co-chair of the Government Coordinating Council (GCC) that the \nDepartment of Homeland Security created to help address election \nsecurity, I worked with Federal, State, and local leaders in elections, \ntechnology, intelligence, and law enforcement.\n    In the past 18 months I have testified before the U.S. Senate Rules \nand Administration committee once. On two occasions I testified before \nthe United States Election Assistance Commission (EAC) and on two \noccasions I testified before Illinois legislative committees. I have \npresented before the numerous meetings of election officials from \nIllinois and from around the country. Every time, I strive to deliver \nthe same message:\n  <bullet> The threats to election infrastructure are real.\n  <bullet> Elections are largely run and secured locally, so security \n        efforts, let by the States and augmented by the Federal \n        Government, need to be concentrated locally.\n    As election officials, we must accept the conclusion of the \nintelligence community--our elections were attacked and are vulnerable. \nAnd while enemy hostile probes of our news and influence systems appear \nto have been more successful than those on election administration, we \nhave to expect the attacks will evolve. We, as election administrators, \nmust defend our section of the line--by securing all elements of our \nvoting infrastructure.\nCybersecurity--One More Sword to Juggle\n    Prior to 2000, election administrators served mostly as wedding \nplanners, making sure the right list of people came together in the \nright place with the right stuff. After Bush v. Gore, the Help America \nVote Act (HAVA) heralded in new era of voting technology, and we became \nlegal compliance and IT managers. We've been working to protect digital \ntechnology since then. But the 2016 election showed irrefutably that \nsophisticated attacks are to be expected and that we must also be \ncybersecurity managers.\n    Foreign governments, foreign non-state actors, and domestic \ntroublemakers have the capacity and desire to corrode the essential \npublic belief that our election outcomes are true and reliable. To very \ndifferent degrees, this threat applies to both preliminary returns \nannounced on election night and to official, final results. Beyond \ncorrupting election results, the threat also reaches the large variety \nof systems used to run seamless elections.\n    Therefore, the new security mantra, or security framework, for \nlocal election officials must be ``defend, detect, recover.''\n    Security isn't just about defense. Perfect defense is difficult or \neven impossible. I could cite a list of our best companies and \nGovernment entities that have been breached despite significant \ndefensive investments. Instead, the challenge of security is to ensure \nno attack exceeds our resilience--our ability to detect and recover--\nwhether that requires restoring lost data or even recounting ballots--\nto establish election results that are trusted and true.\n    Because State laws vary, local election officials confront a \ndifferent security matrix in each State, affecting their ability to \ndefend, detect, and/or recover. States with great audits (detection) \nand paper ballots (recovery) are much more resilient by definition; and \nthe burden of defending their voting system perfectly is consequently \nmuch lower. On the other hand, States without great audits and without \npaper ballots place the unenviable burden of perfect defense on their \nlocal election administrators.\n    In 2017, Cook County Clerk David Orr and I published a white paper \ncalled ``2020 Vision: Election Security in the Age of Committed Foreign \nThreats.'' It is included at the back of this testimony. But I want to \nacknowledge that different bodies of this Congress have already taken \naction that broadly agrees with our vision and I commend that work.\nElections are Secured Locally\n    I have tremendous appreciation and respect for State election \nofficials and their responsibilities and efforts. They are often the \nmouthpiece of our institution and responsible for managing the \nregulatory framework. For the past 16 years many have also managed \ntheir State's voter registration systems. In some States they take a \nfar more active role in protecting other parts of the infrastructure. \nAnd it was States that were the named targets in 2016. But let there be \nno mistake--local election officials are on the front lines of this new \nbattlefield: 108 in Illinois and over 8,000 Nationally. So, by and \nlarge, local election officials secure the Nation's election \ninfrastructure. Locals install, store, monitor, test, deploy, run, and \naudit the voting machines and software. Locals install, store, monitor, \ntest, deploy, run, and audit the electronic pollbooks. It is locals who \nmanage warehouses, informational websites, voter databases, polling \nplaces, GIS Systems, results reporting systems, military voting \nsystems, command centers, and the myriad digital services we rely upon \nin modern American elections. It is a local job to defend these \nsystems, to institute controls that would detect breach, and to deploy \nmitigation strategies that can guarantee election processes and results \nthat are trusted and true. It is their job to ensure recovery.\n    Most of us are county officers, and we are facing down powerful, \nshadowy adversaries, like Andy of Mayberry sent to repel an invading \narmy. We need advice, support, and resources--first, for better \ntechnology and routine hand-counted audits which can give additional \nconfidence that digital results are accurate. Second, and most \ncritically today, we have a pressing need for top-notch personnel with \nthe skills to navigate the current cyber battlefield. Our country's \nlocal election officials need direct human support as we work to defend \nourselves against the onslaught of digital threats we've been warned \nabout.\nCook County Efforts\n    Since the summer of 2016 we stepped up our efforts to protect \nourselves and to protect the broader ecosystem: We introduced \nadditional hand-counted audits to our State-mandated 5 percent machine \nre-tabulation. And we are pushing State legislation to add additional \naudits to election results--in the form of Risk-Limiting Audits.\n    We did a complete mapping of all our systems and conducted a point \nanalysis of potential vulnerabilities. We have documented all defensive \nmeasures employed and created a list of those we hope to employ going \nforward. We also documented all methods of detecting breach, as well as \nthose we hope to employ in the future. Finally, we are developing our \nrecovery plans for any breach at any point on any system. Before \nNovember of this year, we will practice every recovery method.\n    We began installing new election equipment that will be easier to \ndefend and will make detection and recovery significantly easier.\n    We introduced State legislation to help local election officials \nbring in more expertise and cyber monitoring capability.\n    We worked to create a communication structure in Illinois with \nFederal, State, and local cyber experts, technology experts, law \nenforcement officials, and election officials.\n    We teamed with our neighbors at the Chicago Board of Elections to \nhire an election infrastructure and information security officer.\n    We worked with MS-ISAC to get rapid intelligence on vulnerabilities \nand specific threat information to our networks. And we have pushed our \ncolleagues around the State to join it and the elections ISAC. \nAdditionally, we have gotten threat briefings from DHS and FBI.\n    We worked with DHS to conduct cyber scans of our websites--and to \nrun a full risk and vulnerability assessment. And let me say that I am \nglad the folks working for homeland security are on our team. I firmly \nbelieve if every election official, State or local, undertook a similar \neffort, there would be a deafening roar from my colleagues for more \nresources to procure modern technology and institute modern controls.\n    We worked with the folks at DEFCON on some of their activities \nrelated to training election officials on the defense of networks.\n    I co-chaired the newly-created Government Coordinating Council \n(GCC) set up with DHS to help drive Federal policy and resource \nallocation. I sit alongside the chairman of the Election Assistance \nCommission (EAC), the president of the National Association of \nSecretaries of State (NASS), the president of the National Association \nof State Election Directors (NASED), and from DHS deputy assistant \nsecretary, Infrastructure Protection, National Protection and Programs \nDirectorate (NPPD). In that role I tried to continually push for the \nadvancement of local official's concerns.\n    In all efforts we learned that coordinating efforts is critical to \nour individual and ecosystem success.\nCoordinated Efforts\n    There has been a tremendous amount of attention on the States, and \ntheir relationship to the Federal Government and it's great to see that \nrelationship mending and great information starting to be shared \nbetween the two groups. On the GCC we have worked hard to refine a plan \nfor securing our sector as well as protocols for sharing information \nthroughout the ecosystem. We are working with the private-sector vendor \ncommunity to ensure we have a common approach to protecting the sector.\n    Federal Government agencies now know how to communicate to the \nState-level election professionals and vice versa. What remains \nunfulfilled is the assurance that the information can get all the way \ndown to the local level and that the locals are prepared to digest the \ninformation and take necessary action.\n    It is time to ensure that the successful effort to normalize \nrelations with State officials be duplicated with local election \nofficials. Like an iceberg, the mass, and indeed most of the risks to \nthe Nation's election infrastructure, lies below the surface. And its \nsecurity lies in the hands of women and men who run elections at the \nlocal level.\n    Given concerns with Federalism, the most likely path for \nsuccessfully fortifying local election officials is through State \ngovernment and State election officials. But it's important that they \nenvision their job as helping ensure locals are resourced appropriately \nand meeting important security metrics. I have no doubt that our State \nofficials are up for the challenge and I look forward to assisting our \nindustry mature in this direction quickly.\nIncreased Stable Investment & Short-Term Spending\n    We have looked to our State and Federal funders and regulators to \nfortify locals on this battlefield. Given the costs of regular \ntechnology refreshes and support for human resources with cyber \ncapacity, the needed investment is very large. And locals need a signal \nthat they can invest now for security and not squirrel away recent \nmoney for some future episode.\n    Nevertheless, the recent investment is greatly appreciated. \nCongress just released $380 million to combat the election \ncybersecurity threat. And that is an important start. It may be \nnecessary for the States, Federal Government, and locals to \ncollectively invest that much annually. Meanwhile, Americans justly \nconcerned about the costs need confidence this money will be spent \nwell. In my mind there are two top priorities. First, a handful of \nStates and counties still have paperless voting systems. These should \nbe replaced as soon as possible.\n    Second, everywhere, we must improve the security capacities of \nlocal election offices. Most are run by a just handful of incredibly \ndedicated and hardworking heroes. But a handful of people making \ncritical security decisions are outmatched against the threats we've \nbeen warned of.\n    In a local newspaper last year we called for a brigade of digital \ndefenders to be deployed to serve election offices around Illinois and \nthe Nation, starting now and working through the 2020 Presidential \nelection and beyond. Recently, the Government Coordinating Council, \ncomprised of the leadership of America's election organizations, \nsuggested a similar construct, suggesting that States employ ``cyber \nnavigators'' to help fortify local election officials.\nIllinois Approach\n    In Illinois we formulated a loose security group consisting of \nrepresentatives of Homeland Security, FBI, the Illinois State Police \nand their Cyber Team, Illinois Information Security Office, the \nleadership of the local election official associations, and the State \nBoard of Elections. Originally our some of local officials and the \nState Board of Elections had desired to pass through the HAVA funds to \nthe local election officials based largely upon voting age population. \nBut as our group and State legislators digested the cybersecurity \nproblem, we recognized that such a distribution would not be effective \nin fortifying most of the locals. First, regardless of the number of \nvoters served, all 108 election officials had nearly identical cyber \nfootprint, in that they had the same number of networked-attached \ndigitally exposed systems. Second, the larger offices already had some \ncapacity to tackle this problem--whereas the smaller offices are \nsqueezed so tightly they can barely comply with the current \nrequirements, let alone secure the entire elections threat surface \narea.\n    After the GCC issued guidance suggesting ``Cyber Navigators'', the \nState legislature mandated that at least one-half of the HAVA funds \njust released be expended on a ``Cyber Navigator'' program to be \nadministered by the State Board of Elections. The State Board is likely \nto get help fulfilling this mandate from other organizations with cyber \nexpertise. By and large, local election officials supported the bill. \nAnd our State board is eminently capable of fulfilling the mandate.\n    These ``Navigators'' need to accomplish three vital goals. First, \nthey should work to institute the election security framework--defend, \ndetect, recover. They can help improve defenses within election \noffices, following the specific recommendations of CIS. We believe \nthey'll quickly bring up the floor of the elections security ecosystem. \nAppropriately supported, we can see massive improvement very quickly. \nThere is low-hanging fruit, but even low-hanging fruit needs to be \nplucked. They'll also work to support locals' efforts at instituting \ndetection techniques and recovery plans. Second, the ``Navigators'' \nwill do the work necessary to secure the free support being offered by \npublic and private organizations, like the Department of Homeland \nSecurity, State resources, Google and Cloudflare, or the Elections \nInformation Sharing & Analysis Center; they will also work with the \noutside vendors who provide much of the elections infrastructure and \nsupport to local officials. More importantly, they will help build a \nculture of security that adapts to the evolving threats we face through \ntraining and constant assessment efforts. Illinois' 108 local election \noffices will mature quickly with this reinforcement. As specific \nmitigations and upgrades are identified by Navigators, the State Board \nshould be positioned to quickly provide that investment.\n    It is expected that the State Board of Elections will take some \nsmall portion of the remainder of the HAVA funds to support their own \ninfrastructure, naturally, since they manage and maintain the State-\nwide voter database. Everything else shall be distributed to the local \nelection officials to invest as they see fit, subject to the \nguidelines. I'll note that our legislature sought to compel \nparticipation in the Navigator program by making receipt of future \ngrants contingent upon local official participation.\n    In Illinois, we recognized that this is inherently a local problem. \nBut we also recognize that locals cannot solve this problem themselves. \nThis coordinated, managed approach assures appropriate assessment and \nremediation efforts can be efficiently implemented. We are utilizing \nexisting expertise from other areas of Federal, State, and local \ngovernment as force multipliers. And we are excited that our State \nBoard of Elections is taking on this new mandate and moving quickly to \nimplement it.\n    This massive reinforcement effort can be accomplished here and \nNation-wide. And it can be done now. It will require the States to cut \nthrough the red tape that can delay action. This may mean relying on \nexisting contracts, or even emergency procurements. But States must do \nwhatever they need to do to get the army of ``Navigators'' on the \nground this summer. After all, the danger is not hypothetical. We're \nbracing against the renewed attacks we've been told to expect.\nSupporting a Resilient Public\n    One job of an election administrator is to conduct elections so \nthat losing candidates accept the fact that they lost fairly. Anything \nthat hinders our ability to do that decreases confidence in the system. \nAnd undermines our ability to bestow legitimacy--not just victory.\n    Election officials deploy a variety of networked connected digital \nservices, such as voter registration systems, and unofficial election \nresults displays. Each of these is a ripe target for our adversaries. A \nsuccessful attack against those services may not change a single vote, \nbut could still damage public confidence. This is particularly true in \na time of great public suspicion, exacerbated by a disappointing \nproliferation of gracelessness and grandstanding.\n    Our public confidence is already weaker than it should be. \nVacillating voting rights rules, no matter how marginal the effect, are \ndisconcerting to many people, naturally suspect given our history. \nAdditionally, some media, activist groups and politicians have acted in \nways that ultimately prey on Americans' insecurities about their most \ncherished institution, either through outlandish claims of fraud, or \noverstated claims of suppression. Such actions have done a disservice \nto the institution we serve and consequently to our ability to bestow \nnot just victory, but legitimacy. We must be very careful to calculate \nnot just the relative effects on power that election rule changes can \nhave, but also the relative effects on legitimacy. Or put another way--\nwill losers be more or less likely to accept that they lost fairly.\n    Some losing candidates are already apt to call their defeats into \ndoubt. A new digital breach--no matter how far removed from the vote \ncounting system--could turn sore losers to cynicism, disbelief, even \nrevolt. That's the reaction the enemies of the United States want.\n    In fact, in the face of direct targeting of a State or local \nelection office it is very possible that there will be some service \ndisruptions--most likely to the network connected digital services like \nelection results websites.\n    The bottom line is we can't eliminate every chance of breach, but \nwe can make sure that successful attacks rare. And we can provide \nassurances that we are prepared to recover quickly when they happen. We \ncan do this with support at the local level. I support Federal efforts \nlike the Secure Elections Act. While I would always advocate for more \nlocal participation, in the current environment, doing something \nimperfect now is greatly superior to doing something perfect at some \npoint in the future.\n    As Americans, we get to choose how we want to respond to potential \ndisruptions. The damage of a foreign attack on our elections \ninfrastructure will be greatly diminished if the targeted institution \nis also being supported internally with respect.\n    Thank you for the opportunity to appear today. I look forward to \nyour questions.\n                        Attachment.--White Paper\n 2020 vision: election security in the age of committed foreign threats\nSponsored by: Cook County Clerk David Orr\nAuthored by: Noah Praetz, Director of Elections\n            December 2017\n    The entire National security establishment admonishes that threats \nto our election infrastructure are real. Foreign governments, foreign \nnon-state actors, and domestic troublemakers have the capacity and \ndesire to corrode the essential public belief that our election \noutcomes are true and reliable. To very different degrees this threat \napplies to both preliminary returns announced on election night and to \nofficial, final results.\n    Beyond results, the threat applies to the large variety of systems \nused to run seamless elections. These include electronic and paper \npollbooks; voter registration and election management systems; websites \nwith voter tools and public information; and a variety of other \nsubsystems such as: GIS, ballot printing system, mail ballot \npreparation and processing system and a variety of essential election \nsupport systems like election day control centers.\n    Local election officials--nearly 9,000 of them in the country--are \nthe shock troops on this new battlefield. They desperately need \nresources, including Federal Government resources.\nPolicymakers and funders must act now to ensure election security\n    The new security mantra for local election officials is ``defend, \ndetect, recover.''\n    Perfect defense is difficult or even impossible. Instead the \nchallenge of security is to ensure no attack exceeds our resilience--\nour ability to detect and recover--whether that means restoring lost \ndata or even recounting ballots to establish election results that are \ntrusted and true.\n    Each State has a varying security matrix to operate in; their mix \nof ability to defend, detect, and recover. States with great audits \n(detect) and paper ballots (recover) are much more resilient by \ndefinition; and the burden of defending their voting system is \nconsequently much lower. On the other hand, States without good audits \nand without paper ballots place the unenviable burden of perfect \ndefense on their election administrators.\n    Below is a challenging, comprehensive, yet achievable list of \nactions to protect the integrity of these multiple systems. Make no \nmistake, this will be a painful and expensive undertaking. But the \nprotection of our foundational institution requires this sacrifice.\n             responsibilities of policy makers and funders\nDefend\n    Increase the defensive capacity of local and State election \nofficials by:\n    1. Supporting a digital network for all local election officials \n        that will facilitate rapid sharing of threats and incidents, as \n        well as supporting increased training and resiliency;\n    2. Financing an Election Infrastructure and Information Security \n        Officer (EIISO) (or consultant) servicing every local and State \n        election official in the country;\n    3. Ensuring that threat and incident information known to \n        Government is shared appropriately throughout the election \n        ecosystem.\nDetect\n    Increase the catastrophic breach detection capacity by \nincentivizing:\n    1. The use of modern public audits of all elections;\n    2. The use of modern voting technology that captures a digital \n        image of each ballot that can be tied to the original ballot \n        and the cast ballot record;\n    3. The use of monitoring sensors on the networks of all willing \n        election officials.\nRecover\n    Eliminate even the most remote possibility of an undetectable \ncatastrophic breach by replacing all paperless voting systems that \ncurrently serve nearly 20 percent of the country.\n    Release election officials from their burden of being perfect every \nsingle time!\n     potential approach for election officials and their election \n            infrastructure and information security officer\nDefend\n  <bullet> Get experts into the office. Engage outside cybersecurity \n        resources & professionals. No election offices can handle this \n        problem on their own. Inside most elections offices, there \n        simply is not the complete capacity to accept the threat, \n        assess the vulnerability, digest recommendations, manage \n        mitigations, and perfect recovery.\n    <bullet> Utilize as many free local, State, and Federal (DHS, CIS, \n            and MS-ISAC) tools as possible.\n      <bullet> If Government resources are unavailable, or \n            underwhelming, hire private firms or partner with academic \n            institutions.\n    <bullet> Collaborate with resources inside local, State, and \n            Federal Government because we are not alone in facing this \n            type of threat include the fusion centers.\n    <bullet> Bring in outside resources to partner with information \n            technology and information security teams, with a focus \n            solely on election security.\n      <bullet> The reality is that most election officials share their \n            internal information technology and security resources with \n            every other county office engaged in critical activities, \n            such as health and public safety. It can be nearly \n            impossible to get the attention necessary for election \n            security unless it is the primary focus of those resources.\n  <bullet> Understand and limit the threat surface area; or all \n        possible points of vulnerability for malicious attack.\n  <bullet> Inventory all election-related systems: e.g. voting machine \n        and vote counting system; e-pollbook system; voter \n        registration/election management system; mail ballot delivery \n        and processing system; and on-line systems such as voter \n        registration, mail ballot request tools, voter information \n        look-up.\n  <bullet> Map how systems work and data flows, and mark every single \n        point of vulnerability.\n  <bullet> Limit the threat surface area by making policy decisions \n        that reduce points of vulnerability wherever possible (this is \n        about managing risk, not eliminating it.)\n  <bullet> Employ defense tactics and policies for each system--on-line \n        or not.\n    <bullet> Implement the Center for Internet Security's top 20 cyber \n            controls. Do the top 5 first. These include:\n      1. Inventory of Authorized and Unauthorized Devices; 2. Inventory \n            of Authorized and Unauthorized Software; 3. Secure \n            Configurations for Hardware and Software; 4. Continuous \n            Vulnerability Assessment and Remediation; 5. Controlled Use \n            of Administrative Privileges; 6. Maintenance, Monitoring, \n            and Analysis of Audit Logs; 7. Email and Web Browser \n            Protections; 8. Malware Defenses; 9. Limitation and Control \n            of Network Ports; 10. Data Recovery Capability; 11. Secure \n            Configurations for Network Devices; 12. Boundary Defense; \n            13. Data Protection; 14. Controlled Access Based on the \n            Need to Know; 15. Wireless Access Control; 16. Account \n            Monitoring and Control; 17. Security Skills Assessment and \n            Appropriate Training to Fill Gaps; 18. Application Software \n            Security; 19. Incident Response and Management; 20. \n            Penetration Tests and Red Team Exercises.\n    <bullet> Employ election system-specific defense and detection \n            tactics across specific systems.\n      <bullet> These can include all the hardening options that systems \n            may have, such as locks, seals, chain of custody, advanced \n            authentication, etc.\nDetect\n  <bullet> For each vulnerability point identified in the mapping \n        process, consider a method of detecting whether something \n        anomalous has happened; or brainstorm the first place such an \n        intrusion might be detectable.\n  <bullet> Validate everything; every available log should be checked \n        including: Seals, time sheets, cameras, swipe cards, login \n        data, registration statistics, etc.\n    <bullet> Behavioral analysis tools and procedures can and will \n            point out what is going on. For example, voter registration \n            follows a natural pattern year over year. Identifying the \n            pattern and watching for anomalous behavior works.\n  <bullet> Use forensics when possible.\n    <bullet> A forensics analysis of the software system employed can \n            offer a high level of confidence that it is operating as \n            certified. This is particularly true in the voting system \n            environment. Comparing snapshots of deployed software with \n            a clean reference copy during a live election is a powerful \n            verification technique.\n  <bullet> Conduct public audits of the election results that allow for \n        a visual comparison of the cast ballot record with the ballot \n        itself.\n    <bullet> Be transparent and brace for public scrutiny.\n    <bullet> Crowdsourcing the election brings the greatest confidence, \n            but also the greatest public scrutiny. ``Sausage making'' \n            will be on full display. Consider publishing ballot images \n            scrubbed of identifying marks. In the short run this can \n            create volatility, and people may scrutinize the office and \n            the software used, but ultimately the confidence levels \n            will be increased.\n    <bullet> Work to investigate audit styles that bring the highest \n            level of confidence to the most stakeholders. Consider the \n            use of sophisticated yet efficient testing algorithms, such \n            as risk-limiting audits.\nRecover\n  <bullet> For each vulnerability point, assume a successful breach and \n        determine how to recover.\n  <bullet> Where possible, make policy decisions and investments that \n        yield the clearest path to recovery.\n    <bullet> For example, on electronic voting machines: After removing \n            paperless systems consider that ballot marking devices are \n            better than machines with paper audit trails. Digital \n            scanning devices that create images of ballots are better \n            than scanning devices that don't.\n  <bullet> Build in redundancy that doesn't rely on technology.\n    <bullet> For example, paper pollbooks backup electronic pollbooks. \n            Emergency paper ballots backup corrupted (or just \n            malfunctioning) touch-screen or ballot marking devices.\n  <bullet> Practice recovery with professional staff, advisors, and \n        vendors by running drills and exercises. Theory is only theory. \n        Practice makes it real.\n                 local election officials need support\n    It must be underscored--local election officials are the front-line \ntroops in this battle. Those who control Federal, State, and local \nspending must provide local election officials with resources to do \ntheir job in this environment. Those who drive State election policies \nmust make choices to fortify local officials for their new cyber \nmission.\n    Election officials are serving valiantly and professionally. They \nare talented and capable. They are holding the line. But they are \noperating with limited resources under sometimes unfair burdens placed \nupon them by policy makers in their respective States. Like good \nservants, they will say they can continue to hold the line. And they'll \nmean it.\n    But they need to be asked to hold a reasonable line. And holding a \nline that requires perfect defense every time is not reasonable.\n    It is impossible to defend against every conceivable attack. But if \nwe detect breaches and recover from them quickly, we will survive any \nincident.\n    And so will faith in our democracy.\n\n    Chairman Thompson. Thank you very much. With much \nexcitement, we have been anticipating Mr. Braun's testimony.\n\n   STATEMENT OF JAKE BRAUN, EXECUTIVE DIRECTOR, CYBER POLICY \n                           INITIATIVE\n\n    Mr. Braun. Chairman Thompson, Ranking Member Rogers, and \ndistinguished Members of the committee, thank you for the \nopportunity to speak to you today on this important issue. I \nalso want to thank my co-panelists, Secretary Padilla, Noah \nPraetz, Secretary Merrill, they have led this Nation in \nsecuring elections and have become a model for other election \nofficials around the country to follow.\n    So with that, I am Jake Braun. I am the executive director \nof the University of Chicago, Cyber Policy Initiative at the \nHarris School of Public Policy. I am neither a technologist nor \nan election administrator, however, I have been working this \nissue for about 15 years from 3, kind-of, distinct vantage \npoints.\n    A few years ago, I worked on voter protection issues for \nmultiple Presidential campaigns. Then, during my time at DHS I \nworked on this issue from both the Homeland and National \nsecurity perspective.\n    Then most recently, I co-founded the DEF CON Voting Machine \nHacking Village. DEF CON is the largest hacker conference in \nthe world and the Voting Village, as we like to call it, is the \nonly public, third-party assessment of voting equipment on the \nplanet that we are aware of.\n    One thing that has become clear to us, clear to me, as I \nhave worked on these issues from these different--very \ndifferent perspectives over the years, is that this is a \nNational security issue. This is not, kind-of, an election \nadministration nuisance.\n    What I would argue that the committee is solving for here \nis, they are not solving for dangling chads, they are solving \nfor: How do we stop an existential threat to the United States \nfrom undermining our elections? So let me give you a few kind-\nof key findings from the most recent DEF CONs that help \nelucidate that point.\n    So thing one, the supply chain for the equipment, both the \nsoftware and the machines is global. Many of these parts are \nmade in places--nations that are unfriendly to the United \nStates, like China.\n    Hackers--nation-state hacks could put malware on firmware \nfor these machines and other devices used to implement \nelections, and hack whole classes of machines all across the \nUnited States, all at once and never have to leave the Kremlin. \nThat is not something that any local election official can be \nexpected to deal with on their own. That is a National security \nissue and, therefore, Congress must act to support them.\n    Second, both DEF CON, the Senate Intelligence Committee, \nand OAS, which is the National--or global head of website \nsecurity, have identified nearly identical threats to website \nattacks across the country. On top of that, as was stated \npreviously in this hearing, there are multiple States that \ndon't have paper trails, much less audits in place to re-\nengender trust if there was an attack on their elections. So it \nmay be simply an attack on election reporting website that \nundermines trust in an election, especially in States like \nthose without paper trails and audits.\n    On top of that, there has been reports since 2016 that \nRussia has actually hacked election results-reporting websites \nin the United States already. On top of that, we know that \nRussia did this in the Ukraine, where they coupled their \nattacks on the election reporting websites with fake news they \nput out saying that their candidate had won, when, in fact, he \nhad not.\n    This--all of this together, fighting back an onslaught of \nattacks from both the cyber and media perspective from a \nnation-state is something that no local election official can \nbe expected to do. That is a National security threat and, \ntherefore, Congress must act to help State and locals deal with \nit.\n    Finally, the cyber industry itself is--I mean, sorry--the \nelection industry itself is cyber immature, as we may say. \nMeaning that, oftentimes, even when vulnerabilities are told to \nvendors, they don't get fixed.\n    For example, back in 2007 there was a vulnerability \ndisclosed to a vendor and--for a specific machine. This machine \nis used in 23 States, counts millions of ballots in a National \nelection, often thousands of ballots locally at a particular \njurisdiction. We went back and looked at that same machine at \nDEF CON last year, and that same vulnerability still persisted. \nSo over a decade later, the vulnerability's still not been \nfixed.\n    To be clear, the--the attack that was used on this machine \nis attack to be--could be carried out remotely by foreign \nhackers on foreign soil. It is an attack that can jump the \nerroneously-named air gap, and take over a machine completely \nto delete or add whatever types of votes you would want.\n    By the way, this all may sound very hard, however, most of \nthese attacks were done by hackers that are generalists, with \nno previous access to the machines, no knowledge of the \nmachines and no specialized training on how to attack these \nmachines.\n    OK. So that is all the bad news but there is--there is a \nfew good things to highlight here. One of those things is the \nsecurity measures in this bill, they are very good.\n    I think that my colleagues have highlighted some incredibly \nimportant things like audits, paper trails, improving cyber \nhygiene, money to State and locals who desperate need it to \nimprove their cyber hygiene posture.\n    But there is also a few other things; No. 1, there is money \nfor R&D. The current state of the machines Nationally is such \nthat they are essentially un-securable and we desperately need \nnew machines around the country. However, the market for \nmachines is such that the margins are so slim for the vendors \nthat they will never be able to put the money needed into R&D \nto create machines of the future that can secure our elections. \nSo Congress, thus, needs to help with that.\n    No. 2, there is a very innovative bug bounty program in \nthere, which I think creatively helps solve the cyber work \nforce problem, which is a very serious problem. Then, finally, \nthere is vulnerability disclosure component to it.\n    So thank you very much. I am happy to answer any questions.\n    [The prepared statement of Mr. Braun follows:]\n                    Prepared Statement of Jake Braun\n                           February 12, 2019\n    Chairman Thompson, Ranking Member Rogers, and distinguished Members \nof the committee, thank you for the opportunity to speak to you today \non this important issue.\n    I would also like to thank my co-panelists, Secretary Padilla and \nNoah Praetz. They have led the Nation in securing their elections and \nhave become a model for other election officials around the country to \nfollow.\n    My name is Jake Braun and I am executive director for the Cyber \nPolicy Initiative at the University of Chicago Harris School of Public \nPolicy.\n    I am also co-founder of the DEF CON Voting Machine Hacking Village. \nDEF CON is the largest hacker conference in the world and the Voting \nVillage is the only public, third-party inspection of voting equipment \nin the world, that we are aware of.\n    Moreover, for the last 2 years, I have worked with leaders in the \nNational security establishment to release an annual report on the \nNational security implications of our findings at DEF CON. The reports \nhave won multiple awards and our efforts have been hailed by people as \ndiverse as President Trump's former White House Cyber Czar, Rob Joyce; \nthen-Chairman of the Cyber Caucus, Congressman Will Hurd; and \nCongresswoman Jackie Speier; as well as a bipartisan group of Senators \nfrom the Senate Select Committee on Intelligence, led by Senators \nHarris and Lankford.\n    The main question relevant for this committee is whether any of our \nfindings are useful to the legislation you are now considering. The \nanswer, in my estimation, is emphatically yes.\n    To that end, I have one overarching finding I want to highlight as \nwell as a few key vulnerabilities which clarify the importance of the \nfinding. Finally, I would humbly like to make a couple recommendations \nas to how these problems can be addressed.\n    The overarching finding is that attacks on our election \ninfrastructure are NOT solely an election administration nuisance but \nrather a National security threat. Time and again this conclusion \nmanifests itself in our research. This threat is not about how to \neradicate hanging chads. This is about our National security apparatus \nmarshalling its resources to do what our Nation expects it to do, which \nis protect our country from existential threats to the United States. A \ncounty clerk or secretary of state is not equipped to defend our \ndemocracy from nation-state hackers. These nation-state adversaries may \nattempt to change vote totals or they may simply try and erode our \nconfidence in the integrity of American elections. Either way, this is \na National security threat and thus Congress must act.\n    Let me give you a few examples of specific key findings that draw \nus to the conclusion that this is a National security threat:\n    1. The voting machine supply chain is global and parts are made in \n        nations unfriendly to the United States, like China. If an \n        adversary were to infect the firmware made at a plant in China \n        or elsewhere, which we know has happened with other products, \n        whole classes of voting machines could be hacked all at once on \n        Election Day from the Kremlin. No election clerk or secretary \n        of state alone can defend against these global supply chain \n        issues. This is a National security threat and thus Congress \n        must act.\n    2. Second, we have highlighted well-known vulnerabilities in \n        websites. The global leader on website security, The Open Web \n        Application Security Project (OWASP), and the 2018 report by \n        the Senate Select Committee on Intelligence have highlighted \n        similar threats to election websites. The bottom line is no one \n        can defend a website from a determined nation-state actor. Just \n        ask the top 25 banks in the country who collectively spend \n        billions on security but failed to stop members of the Iranian \n        Revolutionary Guard from attacking their websites consistently \n        over the course of 2 years. Further, since 2016, the media has \n        reported successful attacks on election websites in the United \n        States by Russia. Russia also executed an attack against \n        Ukraine's Central Election Commission website in 2014, rigging \n        the website to announce the Russian-supported candidate won. \n        Ukrainian officials detected the breach before the election \n        results went live, but Russian media still erroneously named \n        their candidate the winner. In U.S. States where there are no \n        paper audits possible, hacking a website may be all that's \n        necessary to cast doubt on an election's integrity. Moreover, \n        no clerk or secretary of state alone can defend themselves \n        against a multi-layered cyber and media campaign to cast doubt \n        on the integrity of a National election. Rather, this is a \n        National security threat and thus Congress must act.\n    3. Finally, perhaps the most disconcerting ``flaw'' we found is \n        that vendors don't fix vulnerabilities when they are disclosed \n        to them. A significant flaw with the M650 machine, which was \n        used in 23 States as of 2018, was disclosed to the vendor in \n        2007. However, to our knowledge the vendor neither told its \n        customers about the flaw nor did they fix the flaw at the time \n        it was disclosed. Nor did they fix it after the 2016 elections \n        when they supposedly started taking security much more \n        seriously. Nor did they fix it, to our knowledge, after we \n        pointed it out again at DEF CON in 2018. To be clear, this \n        attack would allow an attacker, through a remote hack that \n        could be carried out from abroad, to jump the so-called ``air \n        gap'' and hack into a voting tabulator processing ballots for \n        key counties in battleground States. This attack could flip the \n        Electoral College and determine the outcome of a Presidential \n        election. Obviously no clerk or secretary of state alone can \n        defend against adversaries who can change large number of votes \n        without needing physical or network access to the machines.'' \n        Clearly, this is a National security threat and thus Congress \n        must act.\n    One might think these attacks sound pretty hard to carry out. \nHowever, most of these attacks and dozens of others we found were \ncarried out by generalists with no specialized training on election \nequipment or previous knowledge of the machines or networks.\n    Some have claimed that the setting at DEF CON does not represent a \nreal election environment, thus diminishing the utility of our \nfindings. However, as said at the outset, DEF CON is the only public, \nthird-party inspection of election equipment, so it's the best we have \nfor now. Further, as former White House Cyber Czar Rob Joyce, said, \n``We know our adversaries have a room just like the one at DEF CON.'' \nBy which he meant that our adversaries are researching all the voting \nequipment we have and more because they don't have to get the machines \nlegally, like we do at DEF CON. However, they aren't doing the research \n3 days a year, they are doing it 365 days a year. They also don't \ndisclose the vulnerabilities they find, like we do. Yet they are \nlooking for the same flaws we are: Hacks that are quick, remote, and \nscalable.\n    So what can be done about these problems?\n    First, I would encourage you all to study the recommendations of a \nnew report on election security from the National Academies of \nSciences, Engineering, and Medicine. Their recommendations are \ncomprehensive and sound.\n    Second, pass this bill. The measures in the H.R. 1 proposed \nlegislation provide for auditable paper trails and local implementation \nof at least the top 5 of the 20 Critical Security Controls, as well as \nfunding for cyber assessments and remediation. Congress must support \nState and local administrators' efforts by providing funding and \nassistance to implement cyber best practices that reduce America's \nvulnerability to these clear threats to our election infrastructure.\n    Finally, the election industry desperately needs funding for R&D to \nbuild voting equipment that can stand up to these modern threats. The \ncurrent equipment is essentially unsecurable. The vendors will never \nhave the enough money to fund the R&D necessary to develop equipment \nthat can defend against nation-state attackers. H.R. 1 provides R&D \nfunding for voting technology of the future, and I would strongly \nencourage the committee to keep that funding in whatever version \nhopefully passes.\n    Again, not solely an election administration nuisance but rather a \nNational security threat. Thus Congress needs to act and fund a \nsolution. I thank you for your efforts to pass this critically \nimportant legislation.\n\n    Chairman Thompson. Thank you very much for your testimony.\n    I now recognize, Mr. Merrill, to summarize his statement \nfor 5 minutes--or do the best you can do.\n\n   STATEMENT OF JOHN H. MERRILL, SECRETARY OF STATE, ALABAMA\n\n    Mr. Merrill. Thank you, Mr. Chairman, I will. I appreciate \nthat. I am honored to be with you. Ranking Member Rogers, thank \nyou so much for the invitation to come and share with you all \ntoday.\n    I am John Merrill. For the last 4 years and 25 days, I have \nhad the privilege to serve as Alabama's secretary of state. In \nour State, as in 35-plus other States in the Union, the \nsecretary of state is the person that is responsible for the \nelection system in that particular jurisdiction.\n    I think it is important for you to know some of the things \nwe have done in Alabama and some of the thoughts of some of the \npeople that I represent that have similar positions to the one \nthat I hold.\n    As far as secretary of state's role is concerned; we have \npre-election, Election Day, and post-election activities that \nwe are responsible for. We coordinate all voter registration \nefforts in our State, we certify the ballots, we also monitor \nand enforce campaign finance laws at the State level.\n    We ensure participation in the election's process through \nawareness campaigns. We have Election Day and election night \nreporting systems that we have created and compile and certify \nelection results. We also engage in partnerships with our \npublic and private partners and independent partners in \ndifferent ways.\n    We work with our county and municipal governments as well \nas Federal agencies when it is appropriate including but not \nlimited to the election's systems commission, the Department of \nJustice, the National Guard, the Department of Homeland \nSecurity.\n    Our relationship with those entities has improved over the \nlast 3 years since we had this type situation first introduced \nto us. In our preparation for the 2018 election cycle, we \nconcentrated in the areas of cybersecurity, election integrity, \nwhich also includes enforcing the laws, and we use paper \nballots in Alabama. We are going to continue to do that and by \nFederal law, anybody has to retain the Federal ballots for a \nperiod of not less than 2 years. That is the Federal law \nalready. Voter confidence and voter participation is \nextraordinarily important.\n    Now we have heard a lot of different things today. But one \nof the things I think is so important for us to remember and to \nacknowledge and this has come from the Department of Homeland \nSecurity most recent report that there was no breach of any \nincident in the tabulation that occurred in the 2016 general \nelection.\n    That has been researched, it has been documented, and no \nbreach has occurred and no tabulation change occurred in any \nelection in any State in the Union in the 2016 cycle. I also \nthink that it is important to know that there is some serious \nconcerns and issues with H.R. 1 in our opinion.\n    No. 1, significant Federal overreach has been indicated \nthrough the introduction of this legislation and it appears to \nprovide certain things that need to be done but the lack of \nresources in order to be able to do those effectively.\n    So they are strictly underfunded or unfunded mandates. No. \n2, there are many prescriptive requirements that have been \nindicated that States that would accept these funds would face \nsignificant difficulty in enacting those new programs without \nthe resources necessary to do that.\n    They include but are not limited to some things that are \nalready on-going in our State and other States in the Union, \nwhich are electronic poll books, paper ballots, automatic voter \nregistration, audits, same-day registration. Those things are \nstrictly prescribed that they need to be adhered to regardless \nof what the local jurisdiction would like to do. No. 3, the \namount of time that the States have to meet the requirements is \nnot something that is going to be able to be met.\n    One of the questions was asked earlier is that something \nthat is going to be able to be adhered to and the answer to \nthat question is no. If you want to know why it is because at \nthe Federal level and at most State levels they move at the \nspeed of Government and if you move at the speed of Government \nyou know why it is not going to be done. You have to create \nRFPs and other things but we can talk about that later if you \nare interested.\n    As far as--the most important thing that I could share with \nyou about a good election security bill, it would be one that \nwould create the necessary resources to the States without \ncreating unfunded or underfunded mandates and strangling \nrestrictions that would introduce Federal overreach. I yield \nback the balance of my time.\n    [The prepared statement of Mr. Merrill follows:]\n                 Prepared Statement of John H. Merrill\n                           February 13, 2019\n    My name is John Merrill, and I am Alabama's 53rd secretary of \nstate.\n    Thank you for the opportunity to appear before you today to address \nhow we, as the States' chief State election officials, work diligently \neach and every day in our State, and with our counties, municipalities, \nand other local jurisdictions to ensure we elect our leaders in free, \nfair, and accessible elections. This work can be complimented by \neffective partnerships at the Federal level, like those we have today \nwith the Elections Assistance Commission (EAC), and the Department of \nHomeland Security (DHS), the National Guard, the Federal Bureau of \nInvestigation (FBI), and other groups and associations like the \nNational Association of Secretaries of State (NASS).\n    My goal as Alabama's 53rd secretary of state is to ensure that each \nand every eligible U.S. Citizen that is a resident of Alabama is \nregistered to vote and receives a photo ID.\n    During my time as Alabama's secretary of state, my team and I have \nchanged the paradigm for voting in the State of Alabama. Since I took \noffice on January 19, 2015, we have worked with notable Alabamians, \nlocal officials, interested agencies, key communicators, and interested \ncitizens to encourage voter registration and voter participation. The \nresults are that we have registered 1,199,909 new voters, which brings \nour total number of registered voters to 3,473,030. Thirty of our 67 \ncounties use electronic poll books, which expedites the check-in \nprocess and offers greater security for the voter and greater \nefficiencies and accountability for the poll worker. Our stated goal is \nto have electronic poll books in every county in the State by 2022. As \na part of our efforts to ensure voter integrity, we have worked to \nsecure 6 convictions of criminal activity related to voter fraud and \nwill continue to document, investigate, and prosecute those \nindividuals' intent on disrupting our democratic institutions for \npersonal or political gain.\n    All of these efforts have helped our citizens become more involved \nand engaged in the process to elect officials that represent them in \nlocal, State, and Federal positions. We have broken every record in the \nhistory of the State for voter participation as Alabamians have turned \nout to vote in record numbers. In March 2016, we set a record for voter \nparticipation in a Presidential preference primary with 1.25 million \nAlabamians casting a ballot. In the General Election on November 8, \n2016 with 2.1 million Alabamians casting a ballot. Alabama then broke \nthe record for participation in a Special Election during the 2017 U.S. \nSenate Special Election, held on December 12, 2017, with 1.3 million \nAlabamians casting a ballot for their choice for the next U.S. Senator \nfrom Alabama. Most recently, we broke the record for turnout in a non-\nPresidential general election year during the 2018 General Election \nwith more than 1.7 million Alabamians going to the polls.\n    In Alabama, we are making it easy to vote and hard to cheat.\n    As we prepared for the 2018 General Election, we worked to ensure \nour systems were protected by requiring 2-Factor Authentication for any \nState or local user who accesses the voter registration system. We \nsecured our networks and our election night reporting system with \nresources provided through the Department of Homeland Security, our \nlocal information systems team, and other third-party vendors. Our work \nto conduct elections efficiently and effectively is supported both by \nthe Elections Assistance Commission and the Department of Homeland \nSecurity. The EAC provides guidance and support, as we prepare our \nlocal election officials to administer their elections. Our \nrelationship with DHS is a relatively new one, but it is one that has \nbeen home to significant growth over the last 2 years. Prior to the \nSenate Special Election in December 2017, we had very little \ninteraction with DHS. However, as that election approached, we were \nable to work closely with DHS to ensure our systems were secure. We \nwanted to make sure that any vulnerabilities that we could identify \nwere resolved and any new issues were mitigated before they disrupted \nan election in Alabama. We have also hosted a team from DHS on-site \nwith us throughout election day to ensure issues are resolved in real \ntime.\n    The most significant support that the Federal Government has \nprovided to my State has been access to Federal grants and other \nresources to modernize and to increase the accessibility of our State's \nvoting systems. Additional funding is imperative to ensure voting \nequipment can remain up-to-date and voting systems can remain secure to \nprotect the data of those citizens.\n    Another area in which I have continued to advocate is for the EAC \nto provide guidance, testing, and verification of vendors, equipment, \nand systems much like the Federal Government does for other aspects of \nour Nation's critical infrastructure.\n    The impact of the enactment of H.R. 1 could possibly damage the \ncredible elections process we have worked hard to build in Alabama by \ncreating a series of administrative concerns for the State to enforce.\n    Title I of this bill creates significant concerns for me and the \npeople of our State. This bill makes any process currently in place in \nour State to update and maintain the voter registration system illegal, \nwhile expanding the process of voter registration. Empirical data shows \nthat no State in the union has done more, per capita, in the past 4 \nyears to increase voter registration than Alabama. This bill would \ncreate massive errors in the States' voter rolls and would be a \ndisservice to voters that often benefit from the reminders sent from \nelection offices encouraging them to update their registration \ninformation.\n    In Alabama, more than 94 percent of the eligible population is \nregistered to vote. Therefore, our biggest responsibility when it comes \nto maintaining the voter registration system is to keep voter \ninformation accurate and current. Providing awareness efforts and \nteaching our citizens how to effectively participate in their \ndemocratic institutions is a much more effective method to get voters \nto the polls. That is exemplified in Alabama and was reconfirmed \nthrough a recent ruling from the Federal court on Alabama's photo voter \nID law and its implementation. The judge in that case wrote that if \nevery State in the union did what Alabama has done, then every State \ncould have photo voter ID in their State because Alabama makes it so \neasy to be able to vote.\n    Title V of this bill is troubling, as it amends the Federal \nElection Campaign Act of 1971 to turn the Federal Election Commission \n(FEC) into a powerful, Government tool that provides a balance to big \nmoney donors and distribute resources to candidates unable to raise \nfunds from those donors. However, this bill will not have the desired \nimpact that the authors intend. The bill attempts to provide this \nbalance to candidate fundraising by giving power to the FEC to \nredistribute tax-payer money to citizens that qualify and by providing \nmatching funds to candidates who only accept small-dollar donations. \nThis change would transform campaign financing and would enact into law \nexcessive Federal intervention in a system that, is by law, to be \nadministered by the State.\n    Under this bill, if the Commission finds, by themselves, that a \ncandidate has failed to comply with any of the requirements of this \nprogram, the commission has the ability to simply revoke the \ncertification of a candidate. This revocation could come in the middle \nof an election cycle allowing the FEC to become a partisan tool to be \nused as a weapon to completely eliminate a candidate's ability to \ncampaign. This bill has the potential to make the FEC one of the most \npowerful entities in the U.S. Government.\n    A candidate that has been revoked by the FEC would then be unable \nto receive public funds and may have to repay all the resources \nreceived by their campaigns into an account the FEC controls to then \nuse to conduct further audits or, if used improperly, to conduct \nunmitigated harassment of candidates they disagree with based on \npartisan, political, or philosophical differences. Past experiences \ninvolving the Internal Revenue Service indicate that this is not only \nplausible but likely.\n    By taking the ability to financially support a candidate away from \nthe electorate, the most important person in our Nation--a citizen of \nthe United States--and placing it with the Federal Election Commission, \nbrings us one step closer toward the Federal Government dictating \nwinners and losers in elections.\n    The most important feature to a good election security bill is to \ncreate one that provides necessary resources to the States without \ncreating unfunded or underfunded mandates and strangling restrictions \nthrough Federal overreach.\n    United States Senators and Members of Congress that are unwilling \nor unable to consider the fact that each State has unique laws and \ncircumstances with different levels of resources must understand that \nthey are creating an ineffective system that will create additional \nhardships for the entities responsible for administering and conducting \nelections in their State, and potentially cause unnecessary damage to \nthe credibility and security of our electoral process. State leaders \nmust be given the opportunity to build their system around their \nState's laws and citizens regarding elections as is indicated in the \nUnited States Constitution.\n\n    Chairman Thompson. Thank you very much. Let me thank all \nthe witnesses for their testimony and we have about 20 minutes \nto kind-of run this before they call votes so we are going to \nmove very fast.\n    Mr. Braun, when you brought--who did you bring to the \nattention of that there was some vulnerabilities in equipment \nand you found that going back later the vulnerability was still \nthere. Who do you make aware of that vulnerability?\n    Mr. Braun. Sir, we--we put it in a report that we released \nboth to the press and to--we actually released it here on \nCapitol Hill in our building and gave it to multiple \nstakeholders in Government as well as the private sector. We \ndispersed it widely.\n    Chairman Thompson. OK. Did you make it available to DHS?\n    Mr. Braun. Yes, we sent them advanced copies as well as the \nfinal copy.\n    Chairman Thompson. OK. Did you get a comment back from them \nin any way?\n    Mr. Braun. I did not, sir.\n    Chairman Thompson. OK. Thank you. Mr. Merrill.\n    Mr. Merrill. Yes, sir.\n    Chairman Thompson. Did you apply for any of the funds from \nthe Election Assistance Commission?\n    Mr. Merrill. Yes, sir. To get our balance from the original \nHAVA appropriation we did so.\n    Chairman Thompson. How much did you get?\n    Mr. Merrill. About $6.2 million for the State of Alabama.\n    Chairman Thompson. Could you have done what you did without \nthat money?\n    Mr. Merrill. Well, we have. Congressman, we have not spent \na dime of that money yet because the things that we are \nplanning on introducing, the continuation of the purchase for \nelectronic poll booths, which we have 30 of our 67 counties \nthat are currently using it and the introduction of additional \naudit procedures that will be in place that will cost us some \nresources.\n    Some other things that we are doing in the area of \ncybersecurity where we have to provide an appropriate match for \nthat purpose. Everything that we have done so far and we have \ndone a number of things, as a matter of fact, if you will let \nme just mention some of these.\n    Chairman Thompson. No. No. You just answer my question.\n    Mr. Merrill. Yes, sir. Yes, sir.\n    Chairman Thompson. You got $6.2 million right?\n    Mr. Merrill. That is correct.\n    Chairman Thompson. You anticipate to spend it?\n    Mr. Merrill. We going to spend it.\n    Chairman Thompson. OK. That is what--that is what I am \ntrying--trying to get at.\n    Mr. Merrill. Yes, sir.\n    Chairman Thompson. So--so you saw the need for additional \nresources.\n    Mr. Merrill. Congressman, I always see the need for \nadditional resources.\n    Chairman Thompson. OK. Mr. Padilla, could you tell us how \nmuch California received?\n    Mr. Padilla. California's share of last year's \nappropriation was about $34 million. It is pretty much being \nspent if it is not already been spent in the current fiscal \nyear budget. It is in a number of areas.\n    Some of it is in hardware; software upgrades to our \nVoteCal, which is our centralized voter registration database, \nothers for security improvements and counties' access to that \nsame database.\n    We have dedicated some of the funding per EAC DHS \nrecommendation on training. Cyber training is as important as \ncybersecurity to make sure staff at the State and at the local \nlevel are practicing all the best cyber hygiene practices as \nwell.\n    I want to make a special comment on the timing of this \nbecause I have heard this about the Q&A of the first panel. Is \nthere enough time, is there enough time, is there enough time \nas if--sounds like an argument to not move forward with \noffering States additional resources.\n    There are ways to expedite how that money gets from the \nFederal Government to the State government down to the locals \nwho need it the most. You know first of all, Florida 2000 \ntriggered HAVA. HAVA was 17 years ago and the final \ndisbursement of those dollars was just last year.\n    The Federal Government can move more quickly and \nappropriate and not just approving but appropriating the monies \nto States. The 2016 election kind-of revived a lot of these \nconversations. Yet, it wasn't until April 2018 that those final \nHAVA dollars were moved. So the Federal Government can move a \nlittle bit quicker. At the State level we have learned how to \naccelerate that--that money the investment added to local level \nby entering into contracts with counties to move their money to \non a reimbursement basis. So the fact that the check is not in \nhand should not hold up counties being able to make the \ninvestments that they need to make.\n    Once they know that they can count on being reimbursed, a \nlot of counties are willing to move more quickly and bring \nthose security benefits to the elections.\n    Chairman Thompson. So, thank you very much. Mr. Braun, \nsupply chain is important also. I mentioned it to the last \npanel and I was given this assurance that we are in a global \neconomy and everything was fine. I heard a little something \nfrom your comment. Can you elaborate on that?\n    Mr. Braun. Sure. This is kind-of a known thing that Russian \nhackers as well as other nation-states hack parts in the supply \nchain all the time. I think anybody who questions whether \nsupply chain or remote hacks are possible just look at Stuxnet. \nThose centrifuges were buried in concrete vaults underground in \nthe desert and folks were still able to get in there and take \nthose out. Anybody who thinks that undermining our institutions \nand our democracy is any less of a strategic importance to \nPutin than taking out the Iranian nuclear program was to those \nwho did that is very mistaken----\n    Chairman Thompson. I agree so have to on that end pay close \nattention to who's providing the equipment for our elections.\n    Mr. Braun. Without question there needs to be assessments \nof the parts and where they came from and inspections of them \nand a whole regime put in place for that.\n    Chairman Thompson. Thank you. I yield to the Ranking \nMember.\n    Mr. Rogers. Thank you, Mr. Chairman. What I have been \nmaking the point in my earlier questioning and trying to \nemphasize is as Secretary Merrill said, he hasn't spent any of \nhis money yet and Secretary Padilla said he started spending \nit. It just takes time. This money is not going to fix anything \njust in 1 year. It is going to be a process. In most cases it \nis going to take several years and that has been my only point.\n    Secretary Merrill, the purpose of this hearing is to review \nH.R. 1 even though we are not going to be marking it up. Is \nthere anything in H.R. 1 that you can find helpful to you in \nsecuring elections?\n    Mr. Merrill. No, Congressman, there are some things that we \nfind restrictive because of what we would have to do to adhere \nto certain guidelines that are in the bill that are associated \nwith the allocation that would accompany it.\n    Mr. Rogers. If we were marking it up, which we are not, \nwhat would you suggest we do to improve it?\n    Mr. Merrill. Well one of the things that I would encourage \nthe Members to do is to make an appropriation that establish \nsome level of guidelines but did not have strict adherence that \nhad to be met so that the local State or the local jurisdiction \nwould be able to purchase equipment or be able to purchase \nservices or be able to purchase types of products that were \nnecessary for them to administer their elections in a way that \nthey saw fit and in a way that was best for them.\n    Because in my mind, it is always best to make those \ndecisions at the local level as opposed to the National or the \nState level going down to the local jurisdiction.\n    Mr. Rogers. Secretary Padilla, the same question. What \nwould you do if we were marking up H.R. 1 to improve it, if \nanything?\n    Mr. Padilla. I appreciate the opportunity. So there is an \nelement to H.R. 1 that establishes not just time tables for \nEAC--or excuse me--DHS testing and certification of voting \nsystems prior to their being used by States. That element fails \nto recognize there is a handful of States, California being \none, that has established testing and certification at the \nState level where we statutorily require our 12 State standards \nto meet or exceed the Federal guidelines.\n    So an allowance for those States to test at the State \nversus requiring a duplicative Federal testing or certification \nand as long as the time table suits us in terms of properly \nadministering the elections, that flexibility will be helpful \nas well.\n    Mr. Rogers. Let me ask this, you heard Mr. Higgins earlier \nin the questioning and the previous panel emphasized that there \nare scores of thousands of voting locations around the country. \nWhen you get the HAVA funds, and this is for Secretary Padilla \nor Merrill, do you prescribe standards that counties must \nadhere to for you to fund their purchase of equipment or \ntraining?\n    Mr. Merrill. Yes, sir, actually that is done, Congressman, \nin the legislation that was approved when HAVA was first \nadopted. One of the things that we discovered was that that was \nnot always being adhered to whenever that appropriation came \nand it was approved at the State level. So we have made sure \nthat we even had training and we provided training to our local \njurisdictions as well.\n    Mr. Rogers. You just don't write a check to the local city \nor county.\n    Mr. Merrill. Certainly not. Certainly not.\n    Mr. Rogers. You say that is a Federal requirement?\n    Mr. Merrill. Yes, sir. There are certain guidelines that \nwere established in the HAVA appropriation that said these are \npermissible expenses and if you go outside of that then \nsomebody should be held liable for that. That has not happened \nin the past.\n    Another frustration that we have experienced is when those \nadditional dollars came, they were complimenting what happened \nin 2003. Well what happened in 2003, and of course that--that \nwas your first session in the Congress, was that there was no \ndeadline on when those funds had to be expended at the State or \nlocal level.\n    We have a number of counties in our State that received an \nappropriation 15 years ago and that money is still sitting in \ntheir bank account. Now it looks good to those people that live \nin that county but those resources are not spent--they are \nsupposed to be used to benefit all of the constituents that \nlive in that county in that particular jurisdiction. In our \ninstance in the 2,401 individual jurisdictions where we have \nvoting precincts.\n    Mr. Rogers. Mr. Braun----\n    Mr. Padilla. If I may--if I may add?\n    Mr. Rogers. Certainly.\n    Mr. Padilla. So similarly and in agreement that the \nguidelines that are established at the EAC or at the Federal \nlevel as those monies move. We mentioned earlier how this \ncontract reimbursement basis with counties allows the \ninvestments to be made earlier. It also provides to those \ncontract reviews an additional point of compliance, if you \nwill, or a verification that indeed the expenditure is being \nmade or consistent with those Federal requirements.\n    Mr. Rogers. Right. Mr. Braun, we all know that Russia has \nbeen meddling in our elections by disinformation for decades \nand just like they do countries all around the world for \ndecades particularly in eastern and western Europe. But you \nmade a point a few minutes ago that the Chairman addressed but \nyou said that there have been instance--and my understanding \nthere have been no incidents of hacking in the 2016 or 2018 \nelections but you said that there have been some incidents \nprior to that where Russia had hacked some machines in this \ncountry. Can you expand on that please?\n    Mr. Braun. It was actually a website I was referring to. \nVox Media reported, I believe it was actually 2017 instance \nwhere Russian bots I think took down an election reporting \nwebsite in Tennessee.\n    Mr. Rogers. OK.\n    Mr. Braun. Multiple Federal sources were cited in the \nreport.\n    Mr. Rogers. Thank you very much. I yield back.\n    Chairman Thompson. Thank you very much. The Chair yields to \nthe gentlelady from New York, Miss Rice.\n    Miss Rice. Thank you Mr. Chairman and thank you all for \ncoming today. Over the past couple of weeks I have heard some \npeople refer to H.R. 1 as a Federal takeover of our elections. \nBut I hope that everyone on Panel II would agree that the \nFederal Government has a Constitutionally-protected role in \nadvising and helping to administer elections.\n    I think 2016 should have established that once and for all. \nI think the previous panel, both Mr. Krebs and Mr. Hicks, laid \nout the fallacy of that claim by showing that they were able to \nbuild relationships with States and localities to work together \nwithout infringing upon the State's ultimate ability and right \nto set election standards in their own States.\n    My concern is the--what--and this is to everyone on the \npanel, what are States doing to work with social media \ncompanies to combat wide-spread disinformation campaigns \ntargeting our elections? What do you think the Congress and the \nFederal Government can do to better prepare States and local \nelection officials for these dynamic hybrid warfare attacks?\n    Mr. Merrill. Outstanding question. I will tell you this. I \ndon't think--well, there is nobody at this table that has had a \nhigher-profile situation than we did in Alabama when Senator \nJones was elected December 12, 2017.\n    I attended a presentation that was made by Facebook and \nTwitter in February 2018. They were talking about all they had \ndone to help folks, and how they had made it easier for people \nto understand when bots were removed, and how it was helping \nthe electoral process.\n    I said to them--after I waited patiently in line, I said, \nnow friends, let me say this to you. I said, if you will tell \nme what you did to help us in Alabama, we will both know \nbecause they were talking about what they done in ours, \nspecifically. They didn't do anything to help us.\n    Now, subsequently, we came to Washington and had a meeting \nwith Facebook, and talked to them about what they could do, and \nhow they could be more helpful. One of the things they have \nintroduced now is that whenever you get ready to purchase an ad \non Facebook, they communicate with you directly through a card \nthat is mailed to a particular location so you know if that \nindividual is making the purchase as a United States Citizen.\n    There are other mechanisms that they have put in place that \nI think are appropriate now. But we have got to have some \ncooperation with the people at the social media level. That \nwill enable us to be more effective.\n    We were actually able to have ads removed from YouTube and \nGoogle because of the work that we did, but we had a difficult \ntime with Facebook. Twitter was also very supportive in what \nthey did to help us.\n    Mr. Padilla. In my oral remarks I made reference to the \ncreation of an Office of Election Cybersecurity, as well as \nOffice of Enterprise Risk Management in California. In my \nwritten remarks, I expand on that a little bit. Some of the \ninitiatives within the election cybersecurity effort included: \nWe branded a voucher. We put up a specific web portal with a \nlot of important voter tools, the find your polling place, \nverify your registration status, and a dedicated email address \nfor the public to report suspected misinformation.\n    In addition to that, some of our additional State funding \nallowed us to hire staff strictly dedicated to social media \nmonitoring. Not to censure candidates or campaigns, but to \nspecifically look for erroneous information about the election \nor the voting process.\n    Some are to--a lot of secretaries benefited from a mass \nconversation--the National Association of Secretaries of State \nconversation with representatives from Facebook, and Twitter, \nand others. I mean, we have the benefit that they are based in \nCalifornia. So we have a little bit quicker access to them. \nCreating specific protocols for being able to report to them, \nwhere these specific complaints, kind-of, jump to the front of \nthe line for review because, you know, if you submit something \non Election Day, you can't wait for 7 days for it to be \naddressed.\n    We--we ended up reporting close to 300 who we felt were \nmisleading or inaccurate posts, tweets, et cetera, 98 percent \nof which the social media companies, themselves, took down \nbecause it violated their policies. So it is one example of \nmonitoring, reporting, and relationship.\n    Mr. Praetz. If I might? We have looked at this as, sort-of, \ndefending our institution on two fronts; one is mis- and \ndisinformation front. It is a place where as election officials \nwe don't have a tremendous amount of control.\n    Then, there is the other front, which is the infrastructure \nfront, which is the place where we have 100 percent control on. \nSo that is where a lot of our focus has been. But there is a \nbit of overlap, and it comes in the form of information about \nwhere people vote, when you vote, what you need to vote, I.D. \nrequirements, things like that.\n    So, it is really key that, as election officials, as more \nand more folks drive voters back to the trusted sources, like \nus, that we remain trusted sources and are providing fully \naccurate information.\n    That means that we have got to, sort-of, up the notch again \non the infrastructure that we are protecting. One other note is \nthat we have got to expand the services we provide. I think \nsocial media steps in where they think there are gaps, in terms \nof driving registration outreach, or driving--showing up at the \npolling place outreach.\n    They are filling gaps that they perceive in the \nadministration of elections. To the extent that we don't fill \nthose ourselves, there are going to be third-party providers \nthat continue to do so. That--that can result in challenging \nrelationships because sometimes the information they rely upon \ncan be inaccurate.\n    Miss Rice. Go ahead. Mr. Braun.\n    Mr. Braun. Congresswoman, thank you for that question \nbecause I think it hits on the head of--of how this is such a \nNational security problem. At the University of Chicago, we \nspend a lot of time trying to update concepts like nuclear \ndeterrents or cyber deterrents, which has really not happened \nyet in the National security world.\n    I think that the point that you are making, it is nearly \nimpossible for us to stop Russia from doing something like they \ndid in the Ukraine where--imagine election night 2020 and 12 \nbattleground State websites are down because they have hacked \nthe websites. Then, Russian media is announcing that their \npreferred candidate had won the election. It would be chaos.\n    We can't really stop it from happening without a strong \ndeterrence regime. That is not in place yet. I--and it is \nsomething that, you know, the National security establishment \nreally needs to think through, and implement. Thank you.\n    Miss Rice. Mr. Braun, I couldn't agree with you more. Let \nme just end with this thought. Everything that I have heard \ntoday over the past 3 hours and 15 minutes, I hope has \nestablished, in all of our minds, the need to address this \nissue from a non-partisan stance because this gets to the very \nheart of maintaining the democracy. That, whether you are a \nRepublican or a Democrat, you love and you want to maintain.\n    I really hope that, thanks to smart brains like you, and \nthe prior panel, and hopefully the--the commitment of everyone \non this committee, and throughout this body, we recognize how \nimportant it is to maintain the integrity of our democracy. \nThank you and I yield back, Mr. Chairman.\n    Chairman Thompson. Thank you. The Chair recognizes the \ngentleman from Louisiana, Mr. Higgins.\n    Mr. Higgins. Thank you, Mr. Chairman. It is interesting to \nhave my colleague, Miss Rice, mention that--the smart brain in \nthe room mentioned by the smartest brain in the room. \nGentlemen, thank you for your service. My question is going to \nbe to both secretaries of state, Secretary of State Padilla and \nMerrill.\n    I had mentioned in an earlier round of questioning that \nthere were over 174,000 precincts, Mr. Chairman, voting \nprecincts in America. My brilliant staff has advised me the \nactual number is 178,217 in the 2016 voting cycle. That is \njust--this is a tremendous endeavor.\n    Our goal here in this committee is--is shared on--from both \nsides of the aisle, we want every legal vote to have access to \nthe poll, easy and fair access to the poll and we want their \nvote to be accurately counted, whether they are Democrats, \nRepublicans, or anything in between. We have that same goal. \nYou, gentlemen, have the incredible task of ensuring that that \nhappens in your individual States.\n    The--your colleague from the State of Texas, secretary of \nstate has stated that in Texas it has been identified 58,000 \nnon-U.S. citizens who are illegally in the country voted in one \nway or another in elections over the last two decades.\n    May I remind all of us that sometimes even Federal \nelections are determined by very, very few number of votes. Our \ncolleague Will Hurd from Texas 23rd district, his election was \ndetermined by 926 votes. So to say that it is a--that it is a \nsmall problem is not a--I don't think it is intellectually \nsound, when--when that is--when that response is measured \nagainst elections that are determined by very few votes.\n    So Secretary of State Padilla, is seems to me, since we are \ndealing with Title III, election security. That is our \njurisdictional authority in this committee. Security has--as \nit--to establish a perimeter. That you want to control access \nto that perimeter first and then control action within that \nperimeter.\n    So how do you, good sir, in California, how can--how do you \nguarantee the citizens of your State that access to a \ncontrolled voting environment or precinct is limited to a legal \nvote? I--and, sir, I will be asking you the same question.\n    This is--this is a spectrum beyond the control of the \naction. We spent a lot of time talking about how we confirm the \naccuracy of a vote and cyber interference, et cetera. How do we \ncontrol legal access to that voting perimeter, good sir, in \nyour State?\n    Mr. Padilla. I very much appreciate the question. I know \nCongress at times deals with public safety issues and debates \nabout the balance between public safety and civil liberties. I \nput that out there just as a framework to consider when it \ncomes to elections. We value security and we value \naccessibility, right? Those two are not mutually exclusive.\n    Mr. Higgins. They are difficult, yes.\n    Mr. Padilla. So when it comes to the security of the voting \nprocess and the actions taken within, just look at the data. I \nmean, there have been numerous reports, numerous studies, \nnumerous investigations that, when it comes to the baseless \nallegations of massive voter fraud, show that voter fraud is \nexceedingly rare.\n    So the safeguards are working, by and large. Does that mean \nthat we should not take it seriously? No, we do take \nallegations very seriously. But the measures that have been--\ntechnology and otherwise----\n    Mr. Higgins. Intelligent response. So let me give time to \nyour--to your colleague from Alabama. Before he answers, let me \nstate that what we seek is reassurance at the State and the \nlocal level as we are dealing with 178,000 precincts that legal \naccess to that voting environment is recognized as a security \nconcern, if we are talking about jurisdiction over the security \nof the--and the sanctity of our elections in America. This is \ncertainly--any reasonable man or woman would recognize this. \nSir, in Alabama, how would--how would you handle that?\n    Mr. Merrill. Congressman, 2,401 of those are in Alabama and \nI want to share this with you, too. I want to be perfectly \nclear about this----\n    Chairman Thompson. You have 10 seconds.\n    Mr. Merrill. OK. The only people that need to be voting in \nU.S. elections are United States citizens.\n    Mr. Higgins. Well, that would--that indentify the legal \naccess.\n    Thank you, gentlemen, for your service to your country. Mr. \nChairman, I yield.\n    Chairman Thompson. Thank you very much. The reason I said \nthat, Mr. Secretary of State, they have called votes and we \ntrying to finish----\n    Mr. Merrill. Yes, sir.\n    Chairman Thompson. That is the good news. The bad news is \nall the questions going forward will be yielded to 2 minutes.\n    Mr. Correa.\n    Mr. Correa. Mr. Chair, just a quick question. Mr. Padilla, \nMr. Merrill, H.R. 1, help or not help with voter system \nintegrity?\n    Mr. Padilla. Help. Additional resources on the table that \nare desperately needed, we have offered under our previous \nquestion some specifics on how to maybe improve upon the \nlanguage to make it even more strategic for State investment.\n    Mr. Merrill. Congressman, it has a potential to, but not in \nthe current form.\n    Mr. Correa. Thank you.\n    Chairman Thompson. Thank you.\n    Chair yields to the gentlelady from Arizona, Ms. Lesko.\n    Mrs. Lesko. Thank you, Mr. Chair.\n    Very quickly I am just going to ask one of the questions \nand it will be to you, Mr. Merrill. Section 1302 of this bill \nH.R. 1 criminalizes false statements or misinformation \nregarding elections and candidates.\n    Much of how, in this bill it determines if a person is in \nviolation of these provisions is to their intent. The penalty \nwritten in the bill is a fine of up to $100,000 or up to 5 \nyears in prison, or both.\n    I guess, my question is and--how are we going to \ndetermine--who's going to be the arbitrator and determining if \nsomething is misinformation or not? I know, I can tell you in \nmy election, my opponent did a lot of misinformation about me. \nAre they going to be a criminal now as well?\n    Mr. Merrill. Well, Congresswoman, I want to make sure \nthat--that you know this. We take voter fraud, which that would \nbe a part of voter fraud, very seriously in our State.\n    Since I have been the secretary, we have had 6 convictions \nand we have had 3 elections that have been overturned. Prior to \nthe time that I became the secretary, we had not had an \nincident of occurrence that was reported, identified, \ninvestigated, and prosecuted.\n    I brought a sheet, if you would like to have it I will be \nhappy to share it with you, we have had 874 unique instances \nreported in our office since we have been there and all but 4 \nhave been fully taken care of in one way or the other. I have \ngot a way to show you what we have done on that.\n    I think it is important to know that we have a number of \nprosecutors in our State that are not really interested in \nadvancing investigations into voter fraud because they think \nthe penalties are too stiff. So the penalties that are outlined \nin the code section that you just identified, I don't know that \nthey are really commensurate with what the crime may be.\n    So I think there is a number of people who may be concerned \nabout the implementation of that at any level.\n    Mrs. Lesko. Thank you, Mr. Chairman, perhaps I had got \nmisinformation. The information I got was on that particular \nsection. It also included like misinformation like you would \nput out on Facebook or something like that, and it would \ncriminalize it. So perhaps I am wrong, because that would be \nconcerning to me. Thank you.\n    Chairman Thompson. Thank you very much. Will the gentleman \nprovide that----\n    Mr. Merrill. Oh, yes----\n    Chairman Thompson. Document for the--for the committee.\n    Mr. Merrill. I can be--I can do so, sir.\n    Chairman Thompson. Thank you very much. I yield 2 minutes \nto the gentlelady from California, Ms. Barragan.\n    Ms. Barragan. Thank you, Mr. Chairman. I first want to \nthank everybody for being here. I have a bias here; I am from \nCalifornia. Thank you, Secretary Padilla, for everything you \nare doing. In 2016, several media reports claim that 21 States \nhad been targeted or hacked. Was California one of them, and if \nso, what happened?\n    Mr. Padilla. So California was not hacked, if you are \ntalking about a hack or a specific type of breach. You know, \nthe question brings to mind another valuable lesson that to \nthink all secretaries have learned and local elections \nofficials have learned in our partnership with DHS and others.\n    We talk cybersecurity and we reference cyber hygiene \nearlier, but cyber vocabulary is also critical. When there is \nan incident, it is important to be specific and precise about \nwhat has or has not happened, right. We don't want to downplay \nincidents because that would be irresponsible for, you know, \naccountability to the public, but we also can't blow it up \neither.\n    So, the stories that came out in 2016, about 21 States, \nfrom my understanding, California was on the list of States \nthat were ``scanned'' by entities that trace back to agents of \nthe Russian government. So what is scanning? You know, scanning \nhas been described in lay terms as the equivalent of somebody \nin the neighborhood shaking doorknobs to see if the doors are \nlocked, right.\n    You are looking for vulnerabilities that scan in and of \nitself; it is not compromising a system--it is not flipping \nvotes--it is not a theft of data. So, frankly, scanning is \nvery, very common in this day and age, given the technology \nthat we all depend on now, not just in the election space, you \nknow, across industries. So that is a long way to answer your \nquestion. California was on that list, but we know what it was; \nwe know what it wasn't, and our integrity of our missions are \nintact.\n    Ms. Barragan. Thank you. I will yield back, given the short \ntime.\n    Chairman Thompson. Thank you very much. I am sure \nCongressman Cleaver appreciates it. You have 2 minutes.\n    Mr. Cleaver. Thank you, Mr. Chairman. Mr. Merrill----\n    Mr. Merrill. Yes, sir.\n    Mr. Cleaver. Gave us a short answer, if you can. You kind-\nof confused me. Were you--were you suggesting that there were a \nlot of--much more voter fraud in the State of Alabama, but you \ndidn't--that was another attempt to prosecute because it was \nthis--the penalties were too stiff?\n    Mr. Merrill. Yes, sir. We have some; actually, I have two \nincidents that I could share with you just briefly. One, 119 \nabsentee ballot applications were mailed to one location and \nnobody lives in that home. In another jurisdiction, 109 \nabsentee ballot applications were mailed to the mayoral \ncandidate's mother's home, and neither one of those had been \nprosecuted yet.\n    Mr. Cleaver. Were there many--many more?\n    Mr. Merrill. Sir?\n    Mr. Cleaver. Were there many more of such cases?\n    Mr. Merrill. Oh, yes sir. Yes, sir; we have them \nfrequently. They are not just related to certain parts of our \nState either.\n    Mr. Cleaver. No, that was just interesting, because most of \nthe----\n    Mr. Merrill. Yes, sir.\n    Mr. Cleaver. Studies showed that we didn't have a lot of \nmass votes in----\n    Mr. Merrill. Yes, sir. The main instances kind-of that we \nsee are in the area of absentee balloting, not in walk-up, in-\nperson voting.\n    Mr. Cleaver. OK. But my final question; I want you to tell \nme whether or not I am right. Our elections equal--we have \n8,000 voting jurisdictions--8,000. Forty-three States use \nelectronic voting machines--and I go on to list a lot of \ndifferent things that are different. So, you can't--I am having \ndifficulty. I went to--somebody already tried to--you have--\nwhen you do--you have to make things match.\n    So, I can't fit it. If all these things were having--all \nthese different States and territories are doing things \ndifferently, how can we all be equal? Anybody? Am I right or am \nI wrong? Am I right or wrong?\n    Mr. Padilla. If your premise is, look, this is the United \nStates of America, and if you are 18 years or older and a \ncitizen with minimal exceptions, you have the right to vote, \nexercise that right vote without any--without any unnecessary \nobstacles, then it is, how we achieve those in each State?\n    Do some States have easier ways to be a registered voter if \nyou are eligible? Yes, some have better than others. Do some \nStates offer more options for when, where, and how to cast a \nballot? Unfortunately, yes; some States do better than others. \nMy work in California is to try make California, you know, the \nleader of the pack when it comes to, yes, being secure, being \nas accessible and voter-friendly as possible.\n    Mr. Cleaver. Thank you.\n    Chairman Thompson. Thirty seconds for the gentleman from \nAlabama.\n    Mr. Merrill. Yes, sir. Congressman, one of the things that \nI wanted to share was that, since January 19, 2015, we have \nregistered 1,199,909 new voters; we now have 3,473,030 \nregistered voters.\n    We have exceeded and surpassed any voter registration and \nvoter participation records in the history of our State. In \nthat period of time, we have done more per capita than any \nState in the union, to ensure that all of our eligible citizens \nare registered to vote and have an I.D.\n    Chairman Thompson. Thank you very much. Thank you, \ngentleman from Missouri, for his question.\n    Let me thank all of the witnesses for your expert \ntestimony. We will probably have some additional questions for \nyou--for you to respond back to us. I would like unanimous \nconsent to--to the record, that final report on a Democratic \nCongressional Task Force*** on election security and article on \nvoting participation. Without objection.\n---------------------------------------------------------------------------\n    *** The document has been retained in committee files.\n---------------------------------------------------------------------------\n    [The information follows:]\n  Article, www.vox.com, ``Civil rights leaders fought to make voting \n          easier. An Alabama Republican didn't get the memo''\nJohn Merrill thinks guaranteeing people the right to vote ``cheapens'' \n        the civil rights movement's fight to, well, vote.\nBy Victoria M. Massie, @vmmassie, Nov 3, 2016, 5:10pm EDT\n    Alabama Secretary of State John Merrill says that automatically \nregistering people to vote ``cheapens'' civil rights leaders' efforts \nto maximize people's rights to, well, vote, Slate reported.\n    In an interview published Wednesday by Answering the Call, a voting \nrights initiative, Merrill was asked to explain why he opposes \nautomatic voter registration, a move that could help fix America's \npaltry voter turnout rate.\n    Merrill didn't waver. First he name-dropped ``civil rights \npioneers'' like Dr. Martin Luther King Jr. and Rosa Parks, noted his \nfriendship with Rep. John Lewis (D-GA), and touted the fact his \ndaughter interned for African-American Congress member Terri Sewell (D-\nAL). Then Merrill argued that granting people the right to vote \n``cheapens'' these people's work by rewarding folks who are ``too sorry \nto get up off of their rear to go register to vote'':\n\n``These people fought--some of them were beaten, some of them were \nkilled--because of their desire to ensure that everybody that wanted to \nhad the right to register to vote and participate in the process. I'm \nnot going to cheapen the work that they did. I'm not going to embarrass \nthem by allowing somebody that's too sorry to get up off of their rear \nto go register to vote.''\n\n    To make his point abundantly clear, Merrill compared automatic \nregistration to ``giving [people] a trophy because they've played on \nthe ball team.''\n    For Merrill, automatic voter registration feeds into the taboo \nnotion of entitlements, rewarding people with services when they didn't \nput in the initiative to earn them.\n    There's just one problem: American citizens who are at least 18 \nyears old should be entitled to the right to vote if they meet the age \nand citizenship requirement.\n    Rather, the major barrier standing between people and the polls \ntends to be policies trying to keep select groups far away, as civil \nrights leaders demonstrated half a century ago.\n    Despite having the constitutional right to vote, African Americans \nin Southern States like Alabama faced insidious Jim Crow-era policies \nlike poll taxes and literacy tests that were damn near impossible to \npass. In 1965, a 25-year-old Lewis and other civil rights activists of \nthe time were brutally beaten by Alabama State troopers for attempting \nto March from Selma to Montgomery for that right.\n    The slew of voter ID laws passed to the fix nonexistent voter fraud \nthat dubiously suppresses voters of color is one of the latest 21st-\ncentury examples. Others include some States like Alabama denying \nfelons and people with mental disabilities the right to cast a ballot.\n    Historically, the right to vote has never been about effort. It's \nbeen about access, and is likely one of the reasons Lewis has been a \nfierce advocate for automatic voter registration--even if he's \nallegedly Merrill's pal.\n    Merrill's dog-whistle politicking about ``entitlements'' doesn't \nchange that.\n\n    Chairman Thompson. I thank the witnesses for their valuable \ntestimony and Members for their questions. The Members of the \ncommittee, as I indicated, may have additional questions for \nthe witnesses, and we ask you respond expeditiously, in \nwriting, to those questions.\n    Hearing no further business, the committee stands \nadjourned.\n    [Whereupon, at 1:30 p.m., the committee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n  Questions From Chairman Bennie G. Thompson for Christopher C. Krebs\n    Question 1. You testified that disabling or removing wireless \nmodems from voting systems is a best practice recognized by DHS. Has \nDHS communicated this best practice in writing to election \nadministrators? Can DHS share any written material on this?\n    Answer. Response was not received at the time of publication.\n    Question 2a. You testified that all 13 States that currently use \npaperless voting systems as their primary voting equipment in at least \none jurisdiction are on a path to transition to voter-verified paper \nballots throughout their States.\n    Please confirm this is accurate.\n    Answer. Response was not received at the time of publication.\n    Question 2b. Please provide an estimated time line (rough) for each \nState to complete the transition to paper ballots.\n    Answer. Response was not received at the time of publication.\n  Questions From Honorable Sheila Jackson Lee for Christopher C. Krebs\n    Question 1. Are we taking a fail-safe approach to determining which \nelection systems or processes are critical to the successful conduct of \na public election?\n    Answer. Response was not received at the time of publication.\n    Question 2. Would you consider State-wide Centralized Voter \nRegistration Databases a critical system to the administration and \nconduct of any public election?\n    Answer. Response was not received at the time of publication.\n    Question 3. What fail-safe measures are in place to assure that if \nthe voter registration database is compromised and thereby make data \nrecords untrustworthy; or rendered unavailable for early voting or on \nelection day the casting of ballots will continue?\n    Answer. Response was not received at the time of publication.\n    Question 4. How many States have plans in place to hold or continue \nan election should their voter registration databases become \ncompromised?\n    Answer. Response was not received at the time of publication.\n    Question 5. How many States and jurisdictions within each State use \nelectronic poll books?\n    Answer. Response was not received at the time of publication.\n    Question 6. Are there instances when electronic poll books have \nfailed to operate as intended?\n    Answer. Response was not received at the time of publication.\n    Question 7. What recovery plan is in place should a polling \nlocation's electronic poll books fail or for periods of time not \nfunction?\n    Answer. Response was not received at the time of publication.\n    Question 8. How well does same-day voter registration during early \nvoting and on election day create meet fail-safe objectives for the \nsuccessful conduct of a public election?\n    Answer. Response was not received at the time of publication.\n    Question 9. Are you providing any guidance on security and wireless \nnon-voting system technology?\n    Answer. Response was not received at the time of publication.\n    Question 10. Do election administrators plan for 100% voter \nparticipation during early voting or on election day? If not, why not?\n    Answer. Response was not received at the time of publication.\n    Question 11. Are there best practices that should be used to \ndetermine the number of ballots and ballot marking technology, or \nvoting machine that should be provided to support voting?\n    Answer. Response was not received at the time of publication.\n    Question 12. Are there best practices to address when a natural or \nman-made event makes a polling location unavailable for voting?\n    Answer. Response was not received at the time of publication.\n    Question 13. How does allowing voters to vote at locations other \nthan at a single voting location impact the ability of election \nservices to serve voters in a county or State?\n    Answer. Response was not received at the time of publication.\n  Questions From Honorable James R. Langevin for Christopher C. Krebs\n    Question 1a. How have you engaged local and State media outlets to \nensure that unofficial vote reporting is protected from malicious \ninterference?\n    How many affiliates has CISA worked with?\n    Answer. Response was not received at the time of publication.\n    Question 1b. How have you coordinated defense or information \nsharing related to the defense of State and local media outlet \nnetworks?\n    Answer. Response was not received at the time of publication.\n    Question 1c. How have you coordinated dissemination of information \nregarding attempts to interfere with other aspects of elections?\n    Answer. Response was not received at the time of publication.\n    Question 2a. Have you observed any change in public confidence as a \nresult of efforts to increase election security?\n    How does DHS/CISA assess confidence in election integrity?\n    Answer. Response was not received at the time of publication.\n    Question 2b. What outcomes does DHS/CISA use to determine success \nin protecting elections?\n    Answer. Response was not received at the time of publication.\n    Question 3a. Does DHS have any outstanding requests for risk and \nvulnerability assessments from States or local election officials? Is \nthere a wait for new assessments?\n    Have States/localities been implementing the policies that DHS \nrecommended based on these assessments?\n    Answer. Response was not received at the time of publication.\n    Question 3b. How often does DHS/CISA conduct reassessments of \njurisdictions? How often does CISA recommend refreshing RVAs?\n    Answer. Response was not received at the time of publication.\n      Questions From Honorable Dina Titus for Christopher C. Krebs\n    Question 1. In my home State of Nevada there have been thousands of \nattempts by various actors to breach our voter registration database. \nFortunately, our State and local election officials have managed to \nthwart every single one of these attacks. They have utilized Albert \nsensors to identify suspicious IP addresses and known malware \nsignatures and alert the appropriate authorities. How important is it \nthat each State deploy these Election-system sensors?\n    Answer. Response was not received at the time of publication.\n    Question 2. Acknowledging the importance of coordinating Federal, \nState, and local election security efforts, what kind of barriers exist \nthat slow or prevent the Multi-State Information Sharing and Analysis \nCenter from coordinating with local and State IT personnel to inform \nthem about the types of attacks that occur and where they came from so \nlocal officials can better prepare for future attacks?\n    Answer. Response was not received at the time of publication.\n    Question 3. What sort of obstacles have you experienced when trying \nto share sensitive information about imminent threats with State and \nlocal election officials?\n    Answer. Response was not received at the time of publication.\n    Question 4. H.R. 1 aims to create channels for interagency \ncollaboration by, among other things, requiring DHS, EAC, the \nintelligence community, the State Department, and other Federal \npartners to develop a comprehensive National strategy to protect our \nelections and our democratic institutions, perhaps through broad \ninitiatives around media literacy or studying the effects of influence \ncampaigns. Who is responsible for convening and coordinating \ninteragency efforts to secure elections, and to what extent is there \nleadership from the White House?\n    Answer. Response was not received at the time of publication.\n   Questions From Honorable Yvette D. Clarke for Christopher C. Krebs\n    Question 1. In November 2018, Senator Ron Wyden wrote to DHS, \nasking the agency to ``forensically examine paperless voting machines \nused in the November 6, 2018 general election for signs of tampering or \nother manipulation by foreign governments or other malicious actors.'' \nOn December 18, 2018, DHS responded to Senator Wyden, stating that \n``under our existing authorities, DHS cannot mandate that States submit \nto comprehensive forensic examinations of their voting machines.'' But \nlast week, the DOJ and DHS issued a public statement saying there was \n``no evidence to date that . . . a foreign government or foreign agent \nhad a material impact on the integrity or security of election \ninfrastructure or political/campaign infrastructure used in the 2018 \nmidterm election.'' If DHS didn't have the authority to examine \npaperless voting machines used in the November 2018 election for \nevidence of hacking, which is what you informed Senator Wyden in your \nletter, what is the basis for your public statement last week saying \nthere is no evidence that foreign governments hacked our election \ninfrastructure?\n    Answer. Response was not received at the time of publication.\n    Question 2. Last year, the FBI uncovered that a Russian oligarch, \nwith close ties to President Putin, had acquired an ownership interest \nin a vendor which hosted State-wide election data for Maryland.\\1\\ \nUntil the FBI alerted them, State election authorities were unaware of \nthe vendor's ties to Russia. Even if no tampering occurred, this raises \nimportant questions about foreign ownership of firms providing \nelection-related services. To the best of your knowledge, is the \nFederal Government undertaking any efforts, other than the CFIUS \nprocess, to assess potential existing foreign ownership of firms that \nproduce voting machines or provide other election-related services? If \nso, please describe these efforts. If not, do you believe foreign \nactors may seek to invest in this sector with the intent of interfering \nin our elections?\n---------------------------------------------------------------------------\n    \\1\\ https://www.baltimoresun.com/news/maryland/politics/bs-md-\nelection-russia-20180713-story.html.\n---------------------------------------------------------------------------\n    Answer. Response was not received at the time of publication.\n  Questions From Honorable Michael T. McCaul for Christopher C. Krebs\n    Question 1a. Foreign states, including Russia and other malicious \nactors have and will continue to attempt to interfere with U.S. \nelections. In fact, I encouraged, in a Classified space, both the Obama \nadministration and the Trump administration to call out Russia for \ntheir targeted attacks on our Nation. Their activities have injected \nchaos and doubt into foundation of our democracy. An issue of this \ngravity requires Congress to act in a deliberate and bipartisan manner. \nNow, all eyes are on 2020.\n    What do you see as the major vulnerabilities in our election \nsecurity as we look to the future? How do we address these?\n    Answer. Response was not received at the time of publication.\n    Question 1b. Can you outline the major lessons learned and the \nsteps your agency has taken to effectively provide Federal assistance \nto the local election level?\n    Answer. Response was not received at the time of publication.\n    Question 2a. Last Congress, my bill, the Cybersecurity and \nInfrastructure Security Agency Act, was signed into law to streamline \nNational Protection and Program's Directorate's (NPPD) efforts to \nexecute cybersecurity and critical infrastructure missions and \nestablish it as the Cybersecurity and Infrastructure Agency (CISA).\n    How has CISA been effective at combatting cyber threats? What are \nthe major successes?\n    Answer. Response was not received at the time of publication.\n    Question 2b. What do you anticipate are the upcoming roadblocks and \nhow can Congress be helpful?\n    Answer. Response was not received at the time of publication.\n      Questions From Chairman Bennie G. Thompson for Thomas Hicks\n    Question 1a. In response to questioning from Congresswoman Clarke, \nyou testified that it is possible to audit a Direct Recording \nElectronic (DRE) voting machine to determine if the system has been \nhacked. Yet that appears inconsistent with the findings of research \nperformed by the National Institute of Standards and Technology (NIST) \nat the request of the EAC.\n    Is there new research that suggests it is possible to audit DREs?\n    Answer. All voting systems certified by the U.S. Election \nAssistance Commission (EAC) to meet the Voluntary Voting System \nGuidelines (VVSG) are required to have redundant memory. All voting \nsystems, including Direct Recording Electronic (DRE) voting machines, \nare required to have two, separate sources for memory. A comparison \naudit of these two separate sources of memory, including a DRE's \ninternal memory that stores voting results, could identify \ndiscrepancies, and thus reveal that a system had been compromised.\n    With that stated, because both sources of memory for DREs without \nVVPATs are electronic, it is fathomable that a sophisticated attack \ncould alter both sources of memory to make them identical and cause \nalterations to the data to be undetected. The EAC recognizes the \npossibility of this threat is real, which is why the VVSG 2.0 has \nPrinciples and Guidelines requiring software independence. At the \nmoment, paper is the best way to audit a voting system, but all systems \nutilizing paper must comport with HAVA's mandate for all voters to be \nable to cast their ballot privately and independently.\n    The EAC is not aware of new research to this point, however the \nCommission is aware that jurisdictions have in the past conducted \nparallel audits with DREs to ensure votes are being tallied accurately.\n    Question 1b. What is the source of that information?\n    Answer. Vendors have identified this process, and the EAC is aware \nthat the University of Connecticut's Center for Voting Technology \nResearch has numerous post-election audit reports that utilize such \ndata.\n    Question 1c. Should this new research override NIST's findings?\n    Answer. No. This research should not be depicted as contrary to the \nfindings of NIST. In order to meet the National standard set by the \nVoluntary Voting System Guidelines (VVSG), all tabulators, including \nDREs, are required to have redundant memory that can be independently \nverified in order to meet the National standard set by Voluntary Voting \nSystem Guidelines (VVSG). However, it is also feasible that such a \nsystem could be compromised via a significant attack that would alter \nboth sources of electronic data. This is why the VVSG 2.0 recommends \nsoftware independence. It is also why election offices customarily \nfollow the principle known as ``Defense in Depth'' by building in \nmultiple layers of security to prevent such an attack from happening, \nassess damage created by such an attack, and mitigate the fallout if a \nsystem was compromised.\n    Question 2a. You testified that you had little concern regarding \nthe risk of corruption of voting systems through the supply chain \nbecause of the EAC Testing and Certification program. But the EAC \nTesting and Certification program which lacks Full Formal Verification \n(FFV) or full source code review. Moreover, the EAC Testing and \nCertification Program does not evaluate voter-registration systems, e-\npoll books, election night reporting systems, and other critical \ncomponents that run elections.\n    Can you elaborate on how the EAC Testing and Certification Program \nis capable of detecting supply chain corruption in voting systems \nwithout FFV?\n    Answer. When the Help America Vote Act of 2002 established the U.S. \nElection Assistance Commission, it also created the EAC's Testing & \nCertification Program to certify, decertify, and recertify voting \nsystem hardware and software, as well as accredit test laboratories. \nThe Testing & Certification Program has a very specific mandate that \ndefines its work as helping to develop guidelines for, and certifying, \nvoting equipment. This mandate does not include voter registration \nsystems, e-poll books, and election night reporting systems.\n    To the question of risk management in the supply chains of systems, \nthe EAC test labs review the source code, hardware, and software \ncomponents of all voting systems tested under the EAC's Testing and \nCertification Program. The EAC maintains an on-going Quality Monitoring \nProgram to identify and correct issues in the field. Additional details \non these programs are included below.\n    The EAC's Testing and Certification Program conducts a full review \nof vendor-developed hardware, software, and source code for every \nsystem it certifies. Also required by the VVSG is a technical data \npackage (TDP) that includes an approved parts list and/or the bill of \nmaterials documentation.\n    After a voting system is certified, there is a process for on-going \nvalidation and verification through the Quality Monitoring Program. \nThis is an audit and analysis of issues reported from the field, issues \ndiscovered by the vendors from their internal testing, and quality \naudits that are performed on the voting system manufacturers. Also, as \nmanufacturers have hardware that reaches the end of its useful life, \nthey are required to submit engineering change orders to update the \napproved parts list and/or bill of materials. In accordance with the \nsystem certification, these engineering change orders must be approved \nby the EAC before the vendor can implement the new parts into their \nmanufacturing process.\n    That being said, the EAC's Testing and Certification Program cannot \nmitigate all supply chain threats. As with all security, including \ncybersecurity, there is not one mechanism that can thwart all threats. \nThis is why the election community should focus on building resiliency \nand security through the principle of ``Defense in Depth.''\n    The EAC's Testing and Certification Program does, however, provide \nbuilt-in layers of security for supporting the methodology of ``Defense \nin Depth'' for mitigating the supply chain threats for EAC-certified \nvoting systems via the mechanisms previously described. The EAC also \nrecommends and assists jurisdictions in working with Federal partners \nso they can benefit from the ``whole of Government'' approach to \nsecuring our Nation's election systems.\n    For example, the EAC has played an instrumental role in providing \nopportunities for State and local election officials, as well as \nelection vendors and other key stakeholders, to interact with \nDepartment of Homeland Security (DHS) officials following the \ndesignation of elections as part of the Nation's critical \ninfrastructure. The Commission led the establishment of the Government \nCoordinating Council for the Election Infrastructure Subsector (GCC) \nand the Sector Coordinating Council (SCC). Both councils were \nfunctioning within 1 year of the critical infrastructure designation. \nOHS has said that the GCC was formed faster than any other similar \ncritical infrastructure sector council to date.\n    Since then, the GCC has launched an Information Sharing and \nAnalysis Center (ISACs) that allows election officials to receive \ntimely notifications of potential threats, real-time monitoring of \nmalicious activity on their networks and access to cybersecurity \nexperts. Such working groups are exemplary proof-points of how local, \nState, and Federal governments can work together toward the shared goal \nof protecting our Nation's election systems.\n    Question 2b. Please explain how the EAC Testing and Certification \nProgram is capable of detecting potential corruption by vendors \nservicing and programming systems that have already been certified.\n    Answer. The EAC's Testing and Certification Program cannot mitigate \nall supply chain threats; not even for threats to the one system of the \nelections process it oversees, which is the voting systems. As with all \nsecurity, including cybersecurity, there is not one mechanism that can \nthwart all threats, which is why election officials should focus on \nbuilding resiliency and security through the principle of ``Defense in \nDepth.'' The EAC's Testing and Certification Program does, however, \nprovide built-in layers of depth for mitigating the supply chain \nthreats for EAC-certified voting system via the mechanisms detailed \nbelow.\n    All voting systems tested under the EAC's Testing and Certification \nProgram go through a full review of all vendor-developed source code. \nThe software and hardware, as certified, has been validated and \nverified to be programmed for its intended use. Also required by the \nVVSG is a technical data package (TDP) that includes an approved parts \nlist and/or the bill of materials documentation.\n    Additionally, after a voting system is certified, there is a \nprocess for on-going validation and verification through the Quality \nMonitoring Program. This is an audit and analysis of issues reported \nfrom the field, issues discovered by the vendors from their internal \ntesting, and quality audits that are performed on the voting system \nmanufacturers. Also, as manufacturers have hardware that becomes end of \nlife, they are required to submit engineering change orders to update \nthe approved parts list and/or bill of materials. In accordance with \nthe system certification, these engineering change orders must be \napproved by the EAC before the vendor can implement the new parts into \ntheir manufacturing process.\n    Question 2c. Please explain how the EAC Testing and Certification \nprogram is capable of protecting voter-registration databases, election \nnight reporting systems and e-poll books from supply chain corruption?\n    Answer. These particular systems are outside of the scope of the \nEAC's Testing and Certification program as detailed in the Help America \nVote Act. It should be noted that a number of States have independent \ncertification programs for electronic poll books and provide their own \ncertification testing requirements for e-poll books and voting systems. \nIn addition, States and local election agencies have resources to \nprotect voter registration databases and other technology, including \nservers. For example, voter registration databases are periodically \naudited by State or independent experts.\n      Questions From Honorable Sheila Jackson Lee for Thomas Hicks\n    Question 1. Are we taking a fail-safe approach to determining which \nelection systems or processes are critical to the successful conduct of \na public election?\n    Answer. State and local election officials would likely tell you \nthat each of their election systems and processes play a critical role \nin the administration of successful elections, which is why they invest \ntime and resources into contingency planning and establishing practices \nthat ensure eligible voters have the ability to successfully cast their \nballot. For example, the availability of provisional ballots at the \npolls is the ultimate fail-safe step that election officials offer on \nElection Day to ensure that eligible voters impacted by unforeseen \ncircumstances or issues are able to cast their ballots and have them \ncounted. In addition, election officials often have contingency plans \nin place that include roving technicians who are able to quickly \nidentify and resolve issues with voting equipment or provide \nreplacement voting systems if there is a failure. Another example of \nState and local election leaders creating fail-safe processes is the \nusage of audits to verify election results and confirm that election \nsystems functioned properly to produce an accurate result.\n    Question 2. Would you consider State-wide Centralized Voter \nRegistration Databases a critical system to the administration and \nconduct of any public election?\n    Answer. Yes. Voter registration databases play a critical role in \nthe administration of elections. State and local election leaders \nsecure these systems by implementing controls to maintain \nconfidentiality, integrity, and availability of the system and its \ndata. Each election office has its own procedures and requirements for \nhow these systems are managed, but the EAC does provide best practices \nregarding these systems.\n    Question 3. What fail-safe measures are in place to assure that if \nthe voter registration database is compromised and thereby make data \nrecords untrustworthy; or rendered unavailable for early voting or on \nelection day the casting of ballots will continue?\n    Answer. The availability of provisional ballots at the polling \nplace is a key fail-safe measure to ensure that voters have the ability \nto participate in an election should voter registration databases not \nbe available for any reason. In addition, jurisdictions frequently \nconduct a back-up of their voter registration database so, if a problem \ndetected, the administrator is able to retrieve the back-ups to a \nspecific date and time to review and began remediation if necessary.\n    Question 4. How many States have plans in place to hold or continue \nan election should their voter registration databases become \ncompromised?\n    Answer. State and local election leaders across the Nation have \ncontingency plans in place for events that could impact Election Day, \nincluding a compromised voter registration database. The availability \nof provisional ballots at the polls is a safeguard that ensures an \nelection can still take place under these circumstances. In addition, \nelection jurisdictions typically have a back-up of their voter \nregistration list at the local level, and many election officials \nprovide paper back-ups at polling places or election offices.\n    Question 5. How many States and jurisdictions within each State use \nelectronic poll books?\n    Answer. According to the 2016 EAC's Election Administration and \nVoting Survey (EAVS), from 2012 to 2016, there was a significant \nincrease in the use of electronic poll books Nation-wide. The number of \nin-person voters checked in with e-poll books more than doubled during \nthis time span, increasing 110 percent from 19.7 million to 41.4. \nmillion voters. The EA VS also found that 32 States, the District of \nColumbia, and U.S. Virgin Islands reported using e-poll books in at \nleast one jurisdiction in the 2016 election. Five States used e-poll \nbooks State-wide.\n    Question 6. Are there instances when electronic poll books have \nfailed to operate as intended?\n    Answer. The EAC is aware of some specific instances reported in the \nmedia, but the Commission does not track such data related to \nelectronic poll books. State and local election administrators are \nbetter positioned to provide detailed responses to this question.\n    Question 7. What recovery plan is in place should a polling \nlocation's electronic poll books fail or for periods of time not \nfunction?\n    Answer. Typically, as part of election officials' on-going \ncontingency planning efforts, jurisdictions using electronic poll books \nprepare a paper back-up system in the event of an issue with the \nelectronic poll books. Some jurisdictions may send the paper back-up to \nthe polling place with the e-poll books, while others send them only if \nneeded. The issuance of provisional ballots is one way that election \nofficials ensure that voters have the ability to cast their ballot when \nelectronic poll books fail. State and local election administrators \ndevelop and implement their own recovery plans and are better \npositioned to provide detailed responses to this question.\n    Question 8. How well does same-day voter registration during early \nvoting and on Election Day create meet fail-safe objectives for the \nsuccessful conduct of a public election?\n    Answer. Same-day voter registration is a policy choice made by the \nStates. Its potential impact on the successful administration of an \nelection is a question better posed to the election officials charged \nwith carrying out elections.\n    Question 9. Are you providing any guidance on security and wireless \nnon-voting system technology?\n    Answer. The EAC, often in conjunction with DHS, provides election \nofficials training on election technology and security. In that \ntraining, the EAC highlights the best practice of disconnecting all \nportions of the voting system from the internet. Further, that training \nhighlights best practices for securing systems that are networked, such \nas two-factor authentication, implementing integrity checks such as \ndigital signatures and hashing, as well as the utilization of \nencryption.\n    In addition, the EAC has issued best practices and checklists for \nsecuring networked systems, such as election night reporting systems, \nas well as how to protect data that is on network systems. These \nresources include the EAC's Checklist for Securing Voter Registration \nData and other handbooks, playbooks, and best practices documents.\n    Question 10. Do election administrators plan for 100 percent voter \nparticipation during early voting or on Election Day? If not, why not?\n    Answer. Election administrators forecast turnout across advance \nvoting sites, by mail, and at polling locations. This forecasted mix \nallows election administrators to ensure proper resources are applied. \nOverall, election administrators plan to ensure that each and every \nvoter is provided the ability to cast a ballot. In addition, States \nhave laws and regulations to guide the number of pre-printed ballots \nrequired for election day, and many States also have in-house or \npolling place ballot-on-demand systems to provide additional ballots as \nneeded.\n    Question 11. Are there best practices that should be used to \ndetermine the number of ballots and ballot-marking technology, or \nvoting machine that should be provided to support voting?\n    Answer. State election offices often create guidance and procedures \nfor local jurisdictions to follow. The EAC provides tools that can be \nused as part of this process, most notably the EAC's Election \nAdministration and Voting Survey interactive portal that allows \njurisdictions to compare their own election data with that of \njurisdictions with similar characteristics. In addition, there are on-\nline tools available to assist election officials seeking to identify \nthe number of voting systems and check-in stations they need to \nmitigate the chance of lines.\n    Question 12. Are there best practices to address when a natural or \nman-made event makes a polling location unavailable for voting?\n    Answer. Yes. Contingency planning is a key function of election \nadministration. Election officials must prepare for the unexpected and \nhave plans in place to conduct elections when disaster strikes. The EAC \nis committed to helping election officials prepare for everything from \nwildfires and hurricanes to terrorist threats and electricity outages. \nIn fact, the Commission has launched a new initiative to more \nrigorously engage election officials who can help to shape the \nCommission's more robust suite of services and resources for election \nadministrators who face natural or man-made disasters.\n    Question 13. How does allowing voters to vote at locations other \nthan at a single voting location impact the ability of election \nservices to serve voters in a county or State?\n    Answer. The impact of these procedures is different in the States \nand jurisdictions that may offer these services, and, therefore, the \nState election offices would be the best source to answer this \nquestion.\n          Questions From Honorable Dina Titus for Thomas Hicks\n    Question 1. In my home State of Nevada there have been thousands of \nattempts by various actors to breach our voter registration database. \nFortunately, our State and local election officials have managed to \nthwart every single one of these attacks. They have utilized Albert \nsensors to identify suspicious IP addresses and known malware \nsignatures and alert the appropriate authorities. How important is it \nthat each State deploy these Election-system sensors?\n    Answer. Every State and local election official has the duty to \nsecurely protect their election systems. Nevada's election officials \nhave availed themselves to many security-focused services provided by \nthe OHS. The EAC recommends that it all States use the Federal \nresources available--including those provided by the OHS and those that \nmight be funded as part of the $380 million in HAVA Funds passed last \nyear by Congress and administered by the EAC--to address election \nsecurity threats.\n    Question 2. Acknowledging the importance of coordinating Federal, \nState, and local election security efforts, what kind of barriers exist \nthat slow or prevent the Multi-State Information Sharing and Analysis \nCenter from coordinating with local and State IT personnel to inform \nthem about the types of attacks that occur and where they came from so \nlocal officials can better prepare for future attacks?\n    Answer. Because OHS manages the Election Infrastructure Information \nSharing and Analysis Center (EI-ISAC), this question would best be \nanswered by OHS.\n    Question 3. What sort of obstacles have you experienced when trying \nto share sensitive information about imminent threats with State and \nlocal election officials?\n    Answer. For the most part, the EAC has not experienced obstacles \nwhen charged with sharing information about imminent threats with State \nand local election officials. This is something the EAC did even ahead \nof the 2016 election and prior to DHS's decision to designation \nelections as part of the Nation's critical infrastructure. That said, \nthe delay in issuance of security clearances for the EAC Commissioners \nremains an issue that hopefully will be resolved quickly to allow the \nEAC to receive and share sensitive information when necessary.\n    Question 4. H.R. 1 aims to create channels for interagency \ncollaboration by, among other things, requiring DHS, EAC, the \nintelligence community, the State Department, and other Federal \npartners to develop a comprehensive National strategy to protect our \nelections and our democratic institutions, perhaps through broad \ninitiatives around media literacy or studying the effects of influence \ncampaigns. Who is responsible for convening and coordinating \ninteragency efforts to secure elections, and to what extent is there \nleadership from the White House?\n    Answer. The DHS Government Coordinating Council (GCC), of which the \nEAC Commissioners are members, is the primary body to share information \nrelated to securing elections. Aside from that body, under the Help \nAmerica Vote Act, the EAC is the only Federal agency authorized to \nassist election officials with all aspects of elections, including \nsecurity.\n       Question From Honorable Yvette D. Clarke for Thomas Hicks\n    Question. Last year, the FBI uncovered that a Russian oligarch, \nwith close ties to President Putin, had acquired an ownership interest \nin a vendor which hosted State-wide election data for Maryland. Until \nthe FBI alerted them, State election authorities were unaware of the \nvendor's ties to Russia. Even if no tampering occurred, this raises \nimportant questions about foreign ownership of firms providing \nelection-related services. To the best of your knowledge, is the \nFederal Government undertaking any efforts, other than the CFIUS \nprocess, to assess potential existing foreign ownership of firms that \nproduce voting machines or provide other election-related services? If \nso, please describe these efforts. If not, do you believe foreign \nactors may seek to invest in this sector with the intent of interfering \nin our elections?\n    Answer. The EAC agrees that the question of foreign ownership is an \nimportant one. As such, foreign interference in elections should always \nbe treated as a credible threat. That's why the Commission's Testing \nand Certification Program provides built-in layers of security and \nquality assurance on voting system manufacturers, including a \nregistration process that requires disclosure of ownership and on-going \nquality monitoring audits. Since the EAC cannot mitigate all threats \nfrom its registered voting system manufacturers, it recommends that \nelection officials focus on building resiliency and security through \nthe principle of ``Defense in Depth'' and by taking advantage of \nresources offered by Federal partners.\n    As a clearinghouse of information on best practices in election \nadministration, the EAC has also provided officials with real-life \nexamples of how to mitigate threats potentially posed by foreign \nownership. For example, the EAC has posted security language from a \nRequest for Proposal requiring voting equipment vendors, and their \nparent and holding companies, to be based in the United States. Our \noffice, in conjunction with the Department of Homeland Security (DHS), \nhas also offered election officials training on election technology and \nsecurity, including best practices for contracting and the selection of \nvendors.\n      Questions From Honorable Michael T. McCaul for Thomas Hicks\n    Question 1. Voting machine challenges remain a chronic problem. How \ncan local officials who are the center of gravity for running and \nsecuring elections ensure electric voting machines are secure?\n    Answer. The goal of every election official is to ensure not only \nvoting machines, but the entire election system, is secure. Security \nhas always been at the heart of what election officials do. Each State \nand jurisdiction has measures in place to ensure security in all phases \nof the election process. Every jurisdiction is different. This is one \nof the great strengths of our election system--that there is no one \ncentral point of access that could render the system vulnerable to a \nmassive attack.\n    Since the EAC's inception, our HAVA-mandated Testing & \nCertification Program has been a critical first step in the process of \nmaintaining the reliability and security of the voting systems used in \nour Nation's elections. The Commission also produces guidelines and \nchecklists, posts Requests for Proposals, elevates best practices and \nadministers an IT Management course to help election officials take a \nholistic approach to securing their election systems. Through our \npartnership with the National Institute of Standards and Technology \n(NIST), the EAC has also maintained the Voluntary Voting System \nGuidelines (VVSG), which sets the National standard for voting \nequipment around the country.\n    However, as stated above, the EAC is not the only security solution \nfor election officials. As secure voting systems must have many layers \nof security and resiliency built into every component, election \nofficials must also have a ``Defense in Depth'' in terms of \npartnerships and resources they can draw from to secure their systems.\n    Question 2. What incentives are in place for election equipment \ncompanies to improve their security?\n    Answer. The best incentive for election equipment companies to \nimprove security is in response to a requirement by their customers, \nState and local election officials who administer elections. The EAC \nproduces guidelines and checklists, posts on-line sample Requests for \nProposals, elevates best practices, and administers an IT management \ncourse to help election officials take a holistic approach to securing \ntheir election systems, including making sure best practices are \nrequired of their contractors and vendors in addition to their own \nelection staff.\n    Another incentive for election equipment vendors is the EAC's \nTesting and Certification Program. In order for a voting system vendor \nto have the ability to submit a voting system to be tested and \ncertified by the EAC, it must first become a registered manufacturer. \nThis requires disclosure of ownership, as well as on-going quality \nmonitoring audits. The Testing and Certification Program also oversees \nthe Voluntary Voting System Guidelines (VVSG), which the EAC maintains \nwith our partners at NIST. The VVSG are a set of standards against \nwhich voting systems can be tested to determine if the systems meet \nthose standards. Some factors examined under these tests include \nfunctionality, accessibility, accuracy, auditability, and security \ncapabilities. These principles, and the best practices disseminated as \npart of the EAC's Clearinghouse function help set and maintain the \nstandard for voting equipment around the country.\n      Questions From Honorable Sheila Jackson Lee for Alex Padilla\n    Question 1. Are we taking a fail-safe approach to determining which \nelection systems or processes are critical to the successful conduct of \na public election?\n    Answer. Response was not received at the time of publication.\n    Question 2. Would you consider State-wide Centralized Voter \nRegistration Databases a critical system to the administration and \nconduct of any public election?\n    Answer. Response was not received at the time of publication.\n    Question 3. What fail-safe measures are in place to assure that if \nthe voter registration database is compromised and thereby make data \nrecords untrustworthy; or rendered unavailable for early voting or on \nelection day the casting of ballots will continue?\n    Answer. Response was not received at the time of publication.\n    Question 4. How many States have plans in place to hold or continue \nan election should their voter registration databases become \ncompromised?\n    Answer. Response was not received at the time of publication.\n    Question 5. How many States and jurisdictions within each State use \nelectronic poll books?\n    Answer. Response was not received at the time of publication.\n    Question 6. Are there instances when electronic poll books have \nfailed to operate as intended?\n    Answer. Response was not received at the time of publication.\n    Question 7. What recovery plan is in place should a polling \nlocation's electronic poll books fail or for periods of time not \nfunction?\n    Answer. Response was not received at the time of publication.\n    Question 8. How well does same-day voter registration during early \nvoting and on election day create meet fail-safe objectives for the \nsuccessful conduct of a public election?\n    Answer. Response was not received at the time of publication.\n    Question 9. Are you providing any guidance on security and wireless \nnon-voting system technology?\n    Answer. Response was not received at the time of publication.\n    Question 10. Do election administrators plan for 100 percent voter \nparticipation during early voting or on election day? If not, why not?\n    Answer. Response was not received at the time of publication.\n    Question 11. Are there best practices that should be used to \ndetermine the number of ballots and ballot marking technology, or \nvoting machine that should be provided to support voting?\n    Answer. Response was not received at the time of publication.\n    Question 12. Are there best practices to address when a natural or \nman-made event makes a polling location unavailable for voting?\n    Answer. Response was not received at the time of publication.\n    Question 13. How does allowing voters to vote at locations other \nthan at a single voting location impact the ability of election \nservices to serve voters in a county or State?\n    Answer. Response was not received at the time of publication.\n      Questions From Honorable James R. Langevin for Alex Padilla\n    Question 1. Our system is only as strong as its weakest link, and \nwe need to ensure everyone has this ``cyber hygiene'' knowledge. Have \nyou found that there's a general lack of knowledge of security \nvulnerabilities and best practices at the staff level?\n    Answer. Response was not received at the time of publication.\n    Question 2a. Have the trainings you've conducted for staff been \nproductive?\n    Answer. Response was not received at the time of publication.\n    Question 2b. What are some lessons learned from these trainings?\n    Answer. Response was not received at the time of publication.\n    Question 3. The risk and vulnerability assessments offered by DHS \ncan be extremely valuable for States and localities. Have you found \nthese assessments for States and local election officials to be useful \nas you work to secure your election systems, and have you implemented \nDHS's recommendations?\n    Answer. Response was not received at the time of publication.\n    Question 4. Do you have the resources you need to implement the \nrecommendations, and if not, what more do you need to do so?\n    Answer. Response was not received at the time of publication.\n          Question From Honorable Dina Titus for Alex Padilla\n    Question. When speaking with State and local election officials in \nNevada, I have heard that while urban areas like Las Vegas may have the \nIT workforce available to recruit individuals to implement new \ncybersecurity measures like Albert sensors, rural areas have been \nstruggling to find trained personnel. Have you experienced this \nshortage in other parts of the country, and do you believe further \ninvestment in STEM education is necessary to effectively mitigate this \nskills gap and secure our most vulnerable election sites?\n    Answer. Response was not received at the time of publication.\n       Questions From Honorable Yvette D. Clarke for Alex Padilla\n    Question 1a. Last year, the FBI uncovered that a Russian oligarch, \nwith close ties to President Putin, had acquired an ownership interest \nin a vendor which hosted State-wide election data for Maryland.\\1\\ \nUntil the FBI alerted them, State election authorities were unaware of \nthe vendor's ties to Russia. Even if no tampering occurred, this raises \nimportant questions about foreign ownership of firms providing \nelection-related services.\n---------------------------------------------------------------------------\n    \\1\\ https://www.baltimoresun.com/news/maryland/politics/bs-md-\nelection-russia-20180713-story.html.\n---------------------------------------------------------------------------\n    To the best of your knowledge, does your State have any election-\nrelated contracts with vendors backed by Russian or Chinese investors?\n    Answer. Response was not received at the time of publication.\n    Question 1b. What measures, if any, does your State undertake to \nassess foreign ownership of election vendors prior to signing contracts \nwith them?\n    Answer. Response was not received at the time of publication.\n       Question From Honorable Michael T. McCaul for Alex Padilla\n    Question. Foreign states, including Russia and other malicious \nactors have and will continue to attempt to interfere with U.S. \nelections. In fact, I encouraged, in a Classified space, both the Obama \nadministration and the Trump administration to call out Russia for \ntheir targeted attacks on our Nation. Their activities have injected \nchaos and doubt into foundation of our democracy. An issue of this \ngravity requires Congress to act in a deliberate and bipartisan manner. \nNow, all eyes are on 2020. How has the cooperation with DHS and \nDirector Krebs strengthened California's election security?\n    Answer. Response was not received at the time of publication.\n      Questions From Honorable Sheila Jackson Lee for Noah Praetz\n    Question 1. Are we taking a fail-safe approach to determining which \nelection systems or processes are critical to the successful conduct of \na public election?\n    Answer. Most election systems and processes are managed at the \nlocal level and therefore the fail-safe approach is often determined \nand implemented locally, though often State-wide guidance is provided. \nElection officials do try and ensure business continuity and therefore \nthey do build in redundancies to many processes. However, there are \nlarge variations in the degree to which election officials are able to \nidentify critical path systems, prioritize efforts, and build in \nsustainable redundancies.\n    Prioritizing the most critical systems is incredibly important. \nMost foundationally people need to be able to vote and administrators \nneed to be able to count those votes accurately. Voter Registration \nSystem and Voting Systems are therefore the two most critical systems, \nwithout which elections could not be run. However, within those two \numbrella systems, and around the edges, election officials rely on a \nvariety of other system to aid in the seamless efficient administration \nof elections. Successful attacks on any of those systems can have a \ndetrimental effect on the voter experience--and therefore in their \nlevel of trust. Some of these others connected systems that election \nofficials rely upon to deliver expected services include:\n  <bullet> Voting Systems for casting and counting votes, as noted \n        above\n  <bullet> Voter Registration Systems for managing the list of voters \n        and what they are--entitled to vote upon, as noted above\n  <bullet> Election Management Systems for handling data necessary to \n        facilitate the two above and to facilitate the various other \n        duties\n  <bullet> Electronic Pollbook Systems\n  <bullet> Ballot Printing Systems\n  <bullet> Ballot Envelope Scanner\n  <bullet> Election Day Command Centers\n  <bullet> Election Information Websites\n  <bullet> Election Service Websites--registration--ballot requests w/ \n        or without marking--sample ballots\n  <bullet> Election Night Reporting Websites\n  <bullet> Election Auditing Tools\n  <bullet> Other miscellaneous tools.\n    Question 2. Would you consider State-wide Centralized Voter \nRegistration Databases a critical system to the administration and \nconduct of any public election?\n    Answer. Yes, I consider a State-wide voter registration database to \nbe a critical system to the administration of elections. However, the \nparticular level of criticality can vary depending upon whether the \nState has a centralized singular top-down voter database construction, \nor a diffuse, bottom-up construction. In Illinois the system was \nconsidered ``bottom-up'' meaning each county had their own primary \ndatabase.\n    Question 3. What fail-safe measures are in place to assure that if \nthe voter registration database is compromised and thereby make data \nrecords untrustworthy; or rendered unavailable for early voting or on \nelection day the casting of ballots will continue?\n    Answer. One fail-safe operation available Nation-wide is the use of \nprovisional ballots that can be counted after the election in the event \nvoter data in the over registration database is not 100% accurate at \npoint of service. Additionally, some States, like Illinois, offer same-\nday registration (SDR) options. SDR as a service offering and fail-safe \nprocess also offers a significant amount of resiliency. There are \npolicy decisions that can impact business continuity when the software \nis not operating as expected. However, there is wide latitude and \nvariance in how these fail-safe programs are managed and \nconsequentially in how impactful such a major event would be. For \nexample, in Cook County we implemented a registration process that was \nonly marginally longer than a normal check-in process and believed we \ncould have managed a significant data problem without equally \nsignificant impacts on lines and voter expectations. However, to do so \nwe relied on electronic pollbooks (e-pollbooks). Were the e-pollbooks \nrendered inoperable entirely, the tertiary paper-based backup would \nhave had a significant negative impact on the amount of time voters \nwould have had to wait in line to check-in.\n    Question 4. How many States have plans in place to hold or continue \nan election should their voter registration databases become \ncompromised?\n    Answer. I do not know how many places have a specific detailed plan \nfor this type of occurrence. But every State and local election \nofficial knows how to administer provisional ballots and many times in \nlarge numbers. Whether most are outfitted for wholesale failure of the \nprimary voter registration system is unlikely. In Cook County we could \nhave likely handled a wholesale data failure given our use of \nelectronic poll books and streamlined registration process. However, \nshould we have had to revert to our back-up paper provisional and \nregistration system there would have been significant service impacts.\n    Question 5. How many States and jurisdictions within each State use \nelectronic poll books?\n    Answer. I do not know Nation-wide. In Illinois there are between 20 \nand 30 election jurisdictions that have electronic poll books, \nincluding all counties with over 100,000 voters. This accounts for over \n83% of the State's registered voters.\n    Question 6. Are there instances when electronic poll books have \nfailed to operate as intended?\n    Answer. I'm sure there are many cases of them not operating as \nexpected or intended. They are computers operated by humans. And while \nthe root cause most often comes back to user issues, the effect on a \nvoter is the same. We certainly had sporadic episodes of having to \nrevert to our back-up systems and even our paper registration books. \nThis occurred in far fewer than 1 percent of our precincts and the \nissues was resolved at some point during the day in almost every case; \nthe digital services and data became reliable once again.\n    Question 7. What recovery plan is in place should a polling \nlocation's electronic poll books fail or for periods of time not \nfunction?\n    Answer. Recovery plans are different everywhere. In suburban Cook \nCounty we had a number of back-ups. First, if the specific primary e-\npoll book software was inoperable, but the device worked, we utilized a \nredundant digital file of voters. We were able to do this because we \ncapture actual signatures for every voter on paper and kept a full \npaper record. If the device failed entirely or workers felt most \ncomfortable with paper back-ups we had a printed version of the poll \nbook for emergency use. And finally, there was a process for Election \nDay Registration or Provisional Voting which guarantee all voters cast \na ballot.\n    Question 8. How well does same-day voter registration during early \nvoting and on election day create meet fail-safe objectives for the \nsuccessful conduct of a public election?\n    Answer. Same-day voter registration relieved a tremendous amount of \npressure in Cook County on election day and during early voting. It \nallowed for instant correction of operational voter registration \nmistakes (things like typos, and jr/sr problems, which always occur at \nsome small rate) and provided a large fail-safe process for malicious \nactivities.\n    Question 9. Are you providing any guidance on security and wireless \nnon-voting system technology?\n    Answer. Cook County issued no guidance to other election officials \nother than the white paper that was attached to the testimony I \ndelivered. It did not include a prohibition on wireless. In fact, Cook \nCounty used wireless technology in different contexts. While there was \nincreased marginal risk Cook County accepted it because of the \nsignificant operational & voter list maintenance advantages. Ultimately \nthe team believe that it had the ability to mitigate the potential \nsecurity consequences through back up plans and solid audits.\n    The e-poll books communicated wirelessly with the central servers. \nAside from embedded security like encryption, because Cook County had \nsame-day registration, the team believed that the downside risk \nincrease due to this communication method was covered for, and \ntherefore Cook chose to allow wireless communications between e-\npollbooks and the central office.\n    Cook County also transmitted encrypted unofficial election results \nfrom the precincts. However, before publishing those results Cook \nCounty validated that the results were not being systematically altered \nin any way during the transmission process. And before certifying the \nofficial results Cook County validated that the transmitted results \nmatched the precinct printed results 100% of the time. In an \nenvironment where there are audits and auditable materials, the level \nof acceptable risk changes. It was the team's judgment that the \ndecision to utilize technology to solve some operational and trust \nproblems was acceptable even if they increased risk marginally to other \nareas. But it was only acceptable because Cook County believed they \nwould find and be able to correct exploitation of those risk areas.\n    Question 10. Do election administrators plan for 100% voter \nparticipation during early voting or on election day? If not, why not?\n    Answer. In Cook County voters voted early on touch screens with \naudit trails and Cook County could accommodate 100% turnout, \ntechnically. However, Cook understood that they only had to outfit \nthemselves for around a 30% voting in that early voting time period. \nWith respect to printing paper ballots and resourcing with machines and \nstaff, some officials do plan for complete turnout. Others do not. In \nIllinois officials are technically required to print ballots for 110 \npercent of the registered voters on election day. Many don't however, \nbecause they subtract the number of people using vote by mail and early \nvoting, and they also rely on historical numbers as a valid offset. \nFinally, the ability to vote people on the ADA touch-screen devises \noffers some bandwith protection if turnout is full. Paper ballots are \nnot cheap and in odd-year local elections or in even-year primary \nelections, with an expected turnout of maybe 30 percent, it has \nhistorically not been viewed as imprudent to try to do some surgical \ntargeting of ballot printing numbers.\n    Question 11. Are there best practices that should be used to \ndetermine the number of ballots and ballot-marking technology, or \nvoting machine that should be provided to support voting?\n    Answer. Yes. The best practice is to guarantee you can meet the \nhighest foreseeable demand at any location during any election. There \nare available wait time calculators to maximize the resource \nallocations. The Presidential Commission on Election Administration \ncollected and published these resources.\n    Question 12. Are there best practices to address when a natural or \nman-made event makes a polling location unavailable for voting?\n    Answer. The Election Assistance Commission (EAC) provides some \nclearinghouse information in this area. More would be valuable. And I \nbelieve it is an upcoming effort of the agency. These are problems we \nhave been dealing with since the beginning of the republic. And taking \n``Super Storm Sandy'' as an example it is evident that election \nofficials have been exceedingly resourceful during this type of event.\n    Question 13. How does allowing voters to vote at locations other \nthan at a single voting location impact the ability of election \nservices to serve voters in a county or State?\n    Answer. Increasing voting locations opportunities increases the \ninherent resiliency of a system by distributing the available access \npoints such that there is no single point of failure that would \nabsolutely disenfranchise any one individual. But there are certainly \nsome voter costs associated with travelling further than expected to \nvote on election day. Its also important to note that there are \nmarginal tradeoffs with changing the voting model away from precincts. \nSome advocates and election officials believe that strong local \noversight at the precinct level provides the best election day \nassurance against nefarious behavior by the very rare but committed bad \nacting campaign or voter. Further, some security activists believe they \nhave the best chance of validating data and monitoring voting behavior \nwhen elections are managed in digestible chunks, like in the precinct \nunit.\n       Questions From Honorable James R. Langevin for Noah Praetz\n    Question 1. Our system is only as strong as its weakest link, and \nwe need to ensure everyone has this ``cyber hygiene'' knowledge. Have \nyou found that there's a general lack of knowledge of security \nvulnerabilities and best practices at the staff level?\n    Answer. In the past 2 years the overwhelming majority of the \nprofession has grown to fully accept the premise that we rely on \ntechnologies and people that are inherently vulnerable. This has been a \nsea change in our industry. However, there remains a tremendous \ndisparity in the degree to which election officials and their staff \nwill, or can, make the changes necessary to increase their security \nposture to the highest levels. While there remains plenty to learn, the \nbiggest issue will always remain the operationalization of best \npractices.\n    Question 2. The risk and vulnerability assessments offered by DHS \ncan be extremely valuable for States and localities. Have you found \nthese assessments for States and local election officials to be useful \nas you work to secure your election systems, and have you implemented \nDHS's recommendations?\n    Answer. The Risk and Vulnerability assessment conducted by DHS at \nCook County was tremendously valuable. Though Cook took the security \nissue seriously for a long time we were still very surprised by what \ncommitted, skilled, security tradespeople were able to accomplish on \nthe networks. The findings set the table for years of modernization and \ntransformation. It is critical to note that even with their findings, \nCook County was forced to layer the optimal situation on top of the \nelection calendar, resource constraints, probability of a successful \nattack, and the consequences/risks of operational disruption due to \nchange and regression testing oversites. There are many risks, and \nelection administration is a matter of risk management, cyber and \notherwise.\n    Question 3. Do you have the resources you need to implement the \nrecommendations, and if not, what more do you need to do so?\n    Answer. There were certainly resource deficiencies in Cook County. \nThose deficiencies are worse almost everywhere else. The demand is not \njust for modern defensible technology, though that is in short supply. \nThere is a dearth in human skill necessary to operationalize \nrecommendations. Cook County long argued that every election official \nshould have access to an Election Infrastructure Security Officer. For \ngiant counties like Cook, they could hire their own. But that would \ncost nearly a billion dollars a year to replicate Nation-wide--an \nimpossible and unnecessary investment. A huge security leap could be \naccomplished by providing the same single human resource across \nmultiple local election official agencies. In Illinois this was handled \nby a team of ``cyber navigators'' who have essentially adopted a dozen \ncounties and are helping them mature their election security. The \nnavigators are helping them operationalize the recommendations, not \njust form DHS, but also from CIS and Belfer. They are helping them \nprocure free services and manage vendors. The key is to do the basics \nnow and utilize the best available shared resources and free resources \nfrom the private and public sector.\n           Question From Honorable Dina Titus for Noah Praetz\n    Question. When speaking with State and local election officials in \nNevada, I have heard that while urban areas like Las Vegas may have the \nIT workforce available to recruit individuals to implement new \ncybersecurity measures like Albert sensors, rural areas have been \nstruggling to find trained personnel. Have you experienced this \nshortage in other parts of the country, and do you believe further \ninvestment in STEM education is necessary to effectively mitigate this \nskills gap and secure our most vulnerable election sites?\n    Answer. There is no question that there is a skilled professional \ngap between the workforce needed and that available. This runs not \nsimply through elections Nation-wide, but through the all sectors of \ncountry. There are millions of jobs in the field unfiled because the \nworkers are not yet available. The demand will continue to grow. And \nthe supply must grow to meet the demand. Given that the cyber risk is \ntop of list from a National security perspective, it would seem \nappropriate to throw everything including the kitchen sink at it.\n       Questions From Honorable Michael T. McCaul for Noah Praetz\n    Question 1a. Mr. Praetz, I share your assessment that we must \nexpect the attackers' methods aimed at our election system will evolve. \nYou described the large role that local officials play in running and \nsecuring elections and the critical public partnership.\n    How can the Federal Government best support these efforts without \nthe all-too-common Federal overreach?\n    Answer. Overly proscribing tactics and specific actions to be taken \ncan create overreach or the perception thereof; and can lock in actions \nthat won't likely remain necessary or valuable over time. However, the \nFederal Government could provide investments in the area to the States \nand local election officials while simultaneously demanding some set of \nmeasurable progress to prove the investment is worthy of the taxpayers' \nsacrifice. I laid out my navigator program support. The Federal \nGovernment could invest in such a program without proscribing how the \nStates do it--the model can be different everywhere--and the laboratory \neffects of those differences highly valuable overtime. However, there \nare some areas where prescription is more important, particularly \naround ballot audits. Some level of hand-auditing seems necessary to \nprove up that the machines are reading them correctly. That's not to \nexclude additional audits that may be superior to a small hand-counted \naudit in a vacuum.\n    Question 1b. How will Federal mandates from Washington address the \nproblems you outlined and not just add more bureaucracy?\n    Answer. A program initiated by the Federal Government which aims to \nsupport the protection of the critical infrastructures is necessary. As \nyou rightly note, finding the right balance is critical. Investing in \nprinciples is important. My top three principles are (1), sustained, \nskilled human partnerships with local election officials; (2), \ninvestment in technology that is easier to defend and provides the \nservices voter expect; (3), investments in audits that can prove \nconclusively that trusted and true results are attainable even in the \nevent of software failure. Providing some administrative autonomy to \nthe States and local election officials in satisfying the principles \ncan help those Government bodies own the principles and the management \nof the project. Retaining some requirements and measurements ensures \nthat the States are accountable for the Federal tax investment.\n       Questions from Honorable Sheila Jackson Lee for Jake Braun\n    Question 1. Are we taking a fail-safe approach to determining which \nelection systems or processes are critical to the successful conduct of \na public election?\n    Answer. No.\n    Question 2. Would you consider State-wide Centralized Voter \nRegistration Databases a critical system to the administration and \nconduct of any public election?\n    Answer. Yes. It is also important to note that the local \njurisdictions' voter registration databases are nearly as important as \nthose at the State level.\n    Question 3. What fail-safe measures are in place to assure that if \nthe voter registration database is compromised and thereby make data \nrecords untrustworthy; or rendered unavailable for early voting or on \nelection day the casting of ballots will continue?\n    Answer. To my knowledge, there are no fail-safe technology measures \nto accomplish this. Many election officials regularly back up their \nsystems and/or use an auditing regime to increase the likelihood that \nthey will be able to detect an attack and restore data that were \ndeleted or changed. However these procedures are not foolproof and \ntheir implementation at the local level is just as important as at the \nState level, yet far from uniform. That being said, same-day voter \nregistration would likely be a sound defense against this attack.\n    Question 4. How many States have plans in place to hold or continue \nan election should their voter registration databases become \ncompromised?\n    Answer. I do not know. However, local laws are, in general, unequal \nto the threat State and locals are facing.\n    Question 5. How many States and jurisdictions within each State use \nelectronic poll books?\n    Answer. According to the Brennan Center for Justice, at least 34 \nStates plus Washington, DC used electronic pollbooks as of 2017.\\1\\ \nWhile it is is possible that some of those States have chosen to \ndiscontinue their use due to the 2018 DEF CON report, our preliminary \nresearch suggests the opposite. With updated information from State \naction taken over the last 2 years, there are now at least 41 States \nthat have implemented the use of electronic pollbooks, conducted a \npilot program for their use, or approved funds to purchase them for \nfuture use. There is no up-to-date accounting for how many \njurisdictions within each of those States uses electronic pollbooks, as \nof 2018. The Brennan Center reports that 5 of the 34 States using \nelectronic pollbooks in 2017 were using them State-wide.\n---------------------------------------------------------------------------\n    \\1\\ ``VRM in the States: Electronic Poll-books.'' Brennan Center \nfor Justice, February 6, 2017. Accessed March 14, 2019. \nwww.brennancenter.org/analysis/vrm-states-electronic-poll-books.\n---------------------------------------------------------------------------\n    Question 6. Are there instances when electronic poll books have \nfailed to operate as intended?\n    Answer. Yes. In our research at DEF CON, untrained hackers (with no \nspecialized skills or previous access to the machines) found that such \ndevices are vulnerable to hacks via wireless networks, bluetooth, or \ncellular connections. These vulnerabilities give hackers the ability to \ncompromise such connections and intercept communications between the \njurisdiction's main database and a cloud backup service, such as Amazon \nWeb Service (AWS). If attackers can gain access to this cloud backup, \nthey can view the database and potentially control functions along the \nline of communication. As a result, a single compromised connection in \na single polling place could result in unrestricted access to the \nentire jurisdiction's voter registration database--thereby compromising \nnames, birth dates, addresses, social security numbers, driver's \nlicense numbers, addresses, and voting history linked with the \nindividual's signature. In 2017, just such a security lapse was \ndiscovered in Illinois when a cybersecurity analyst discovered a \ndatabase containing sensitive information for more than 1.8 million \nIllinois voters that was downloadable from a publicly-available AWS \nstorage site controlled by ES&S, one of the major election equipment \nvendors in the United States.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ O'Sullivan, Dan. ``The Chicago Way: An Electronic Voting Firm \nExposes 1.8M Chicagoans,'' Upguard (blog), December 13, 2018, https://\nwww.upguard.com/breaches/cloud-leak-chicago-voters.\n---------------------------------------------------------------------------\n    In addition, software vulnerabilities have been discovered by DEF \nCON researchers in a line of Diebold electronic poll books, ExpressPoll \n5000, which was purchased and is currently operated by ES&S. \nInvestigators at DEF CON discovered that not only were administrator \nand root passwords to the pollbook's system stored without encryption, \nbut they could directly access and modify election parameters using a \nfree, widely available program called SQL Lite.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ University of Chicago Harris Cyber Policy Initiative. DEF CON \n25 Voting Machine Hacking Village: Report on Cyber Vulnerabilities in \nU.S. Election Equipment, Databases, and Infrastructure. Chicago: The \nUniversity of Chicago Harris Cyber Policy Initiative, 2017. Accessed \nFebruary 26, 2019. https://www.defcon.org/images/defcon-26/\nDEF%20CON%2026%20voting%20vil- lage%20report.pdf, The University of \nChicago Harris Cyber Policy Initiative. DEF CON 26 Voting Village: \nReport on Cyber Vulnerabilities in U.S. Election Equipment, Databases, \nand Infrastructure. Chicago: The University of Chicago Harris Cyber \nPolicy Initiative, 2018. Accessed February 26, 2019. https://\nwww.defcon.org/images/defcon-26/DEF%20CON%2026%20- \nvoting%20village%20report.pdf.\n---------------------------------------------------------------------------\n    The biggest concern with compromising these devices is not just \ncorrupting data but also the multi-hour long lines for Election Day and \nearly voting it could cause as confused poll workers try to sort out \nwho can vote and who can't. These lines would further add to a sense \nthat the system doesn't operate properly or is ``rigged'' against the \nvoter's preferred candidate.\n    Question 7. What recovery plan is in place should a polling \nlocation's electronic poll books fail or for periods of time not \nfunction?\n    Answer. To my knowledge, such recovery plans vary dramatically \nacross jurisdictions. In previous elections, we advocated strongly to \nhave paper-based back-up poll books kept on-site in case there was a \nproblem with the machines. However, we often met strong resistance in \nadopting even this simple fix.\n    Question 8. How well does same-day voter registration during early \nvoting and on election day create meet fail-safe objectives for the \nsuccessful conduct of a public election?\n    Answer. Same-day voter registration may be the only nearly fail-\nsafe option available today for mitigating voter registration database \nand e-poll book attacks.\n    Question 9. Are you providing any guidance on security and wireless \nnon-voting system technology?\n    Answer. I am sorry, I do not understand the question.\n    Question 10. Do election administrators plan for 100% voter \nparticipation during early voting or on election day? If not, why not?\n    Answer. No. Election administrators use several methods to predict \nvoter turnout, including looking at past voter history; consulting \nturnout tables, which calculate a probability that an individual will \nturn out to vote, based on her age and previous voting history; and \nbuilding regression models.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ Malchow, Hal. ``Predicting Turnout in a Presidential \nElection.'' Campaigns & Elections 25 (2004): 38-40.\n---------------------------------------------------------------------------\n    Question 11. Are there best practices that should be used to \ndetermine the number of ballots and ballot marking technology, or \nvoting machine that should be provided to support voting?\n    Answer. Yes. There is a tool maintained by MIT (here) that can help \nan election administrator determine the optimal assets needed for a \nprecinct to administer an election.\n    Question 12. Are there best practices to address when a natural or \nman-made event makes a polling location unavailable for voting?\n    Answer. Not to my knowledge. However, in past elections we \nencouraged election administrators to treat as an ``emergency'' any \npolling place with a line over 30 minutes long.\n    Question 13. How does allowing voters to vote at locations other \nthan at a single voting location impact the ability of election \nservices to serve voters in a county or State?\n    Answer. Multiple locations provide voters various options to \nincrease ease of voting. It has worked well with early voting but would \nprovide challenges for Election Day voting, especially as it may \nnecessitate more internet connections to devices being used to find \npeople in the registration database.\n       Questions from Honorable James R. Langevin for Jake Braun\n    Question 1. What can be done to improve the relationship between \nthe cybersecurity research community and the election system vendors \nand ensure that the work of voting security researchers is not ignored \nby vendors?\n    Answer. First, vendors can eliminate restrictions on third-party \nsecurity testing from their contracts. It's ridiculous that in order to \nbuy election equipment, local election officials have to sign away \ntheir rights to have independent audits of equipment that they own. It \nalso creates significant risk for security researchers who want to work \nwith election officials, all of which is unnecessary.\n    Second, vendors could donate or sell voting equipment for us to \ninspect at DEF CON and other such events. Fortunately some of the \nvendors now seem interested in participating in events like DEF CON. \nFurther, there are many local election officials who have expressed \ninterest in holding cyber assessments of their systems, including \nmachines and software from the vendors but have not pursued such \nefforts from fear of lawsuits from the vendors. Vendors should allow \nand even facilitate this type of activity instead of quash it. The \nindustry needs all the help it can get with security and as NSA's Rob \nJoyce said, ``Head-in-the-sand security is not security at all.''\n    Possibly the best way to improve relations with the vendors and \nresearch community is to fund the development and piloting of open-\nsource voting software. Open-source voting software would allow all \ninterested security researchers to audit and suggest security \nimprovements to our election systems 365 days a year, not just the 3 \ndays of DEF CON. In fact, DHS recently posted an RFP for grants to \nvendors and researchers, requesting bids for building a ``voting system \nof the future,'' which could have included open-source voting \nequipment. Unfortunately, for an undisclosed reason, that RFP was taken \ndown and no one was allowed to bid on it. DHS should repost that RFP \nand solicit bids to build an open-source voting system.\n    Further, I applaud DARPA's recent announcement of significant grant \ndollars being disseminated to researchers to build a secure, open-\nsource voting system. In a welcome departure from the stance of current \nvendors, the firms who received the DARPA funds have already reached \nout to DEF CON attendees to engage us early in the process.\n    Question 2. Our system is only as strong as its weakest link, and \nwe need to ensure everyone has this ``cyber hygiene'' knowledge. Have \nyou found that there's a general lack of knowledge of security \nvulnerabilities and best practices at the staff level?\n    Answer. As of 2017, there was a 350,000-person shortage in cyber \nprofessionals Nationally.\\5\\ That number is projected to grow to more \nthan 3.5 million world-wide by 2021.\\6\\ It is nearly an impossible task \nto hire the cyber professionals necessary to put in place the basic \ncyber hygiene necessary to protect a network much less train the lay \npeople on staff as to their basic hygiene. Moreover, misconceptions as \nto election officials' relative security, caused in part by words \nerroneously used by the vendors like ``air-gapped,'' further lead to \nconfusion or a false sense of security.\n---------------------------------------------------------------------------\n    \\5\\ ``Cybersecurity Jobs Report 2018-2021.'' Cybersecurity \nVentures, May 31, 2017. Accessed March 13, 2019. https://\ncybersecurityventures.com/jobs/\n    \\6\\ ``Cybersecurity Jobs Report 2018-2021.'' Cybersecurity \nVentures, May 31, 2017. Accessed March 13, 2019. https://\ncybersecurityventures.com/jobs/\n---------------------------------------------------------------------------\n    Question 3. The risk and vulnerability assessments offered by DHS \ncan be extremely valuable for States and localities. Have you found \nthese assessments for States and local election officials to be useful \nas you work to secure your election systems, and have you implemented \nDHS's recommendations?\n    Answer. I think these assessments have been invaluable in assisting \nelection officials to understand the depth and breadth of their risk. \nThe assessments also help dispel misconceptions promulgated by industry \nas to the level of security each jurisdiction has achieved. The most \nimportant improvement to make in the assessments is to increase the \nnumber of them for local election jurisdictions, as they are the ones \nwho administer elections.\n    Question 4. Do you have the resources you need to implement the \nrecommendations, and if not, what more do you need to do so?\n    Answer. I believe this question is for the election officials. \nHowever, in general, I believe the EAC money was an order of magnitude \nlower than what is needed to begin to effectively mitigate this \nproblem. All the voter registration databases in the country should be \nmoved to one or more secure, American-owned and -operated clouds like \nAWS, Google, or Microsoft (among others). Second, touchscreen voting \nmachines should be banned (except for use by the disabled) in favor of \npaper ballots counted by secure optiscan machines. The DHS assessment \nteams should be quintupled so that all 50 States and the top 30 largest \nlocal jurisdictions (which vote nearly 85% of the U.S. population) can \nbe assessed biannually, and the other nearly 8,000 jurisdictions can \nget at least a remote assessment once every other year. Further, these \nteams should help train local IT staff to plan and implement \nremediation plans based on the DHS assessments, especially including \nelection night reporting website security and breach protocols. \nFinally, funding should be allocated for DHS to disseminate grants for \nresearch and development on building the voting machines of the future.\n           Question From Honorable Dina Titus for Jake Braun\n    Question. When speaking with State and local election officials in \nNevada, I have heard that while urban areas like Las Vegas may have the \nIT workforce available to recruit individuals to implement new \ncybersecurity measures like Albert sensors, rural areas have been \nstruggling to find trained personnel. Have you experienced this \nshortage in other parts of the country, and do you believe further \ninvestment in STEM education is necessary to effectively mitigate this \nskills gap and secure our most vulnerable election sites?\n    Answer. As of 2017, there was a 350,000-person shortage in cyber \nprofessionals Nationally.\\7\\ That is projected to grow to more than 3.5 \nmillion world-wide by 2021.\\8\\ It is a LITERALLY impossible task to \nhire the cyber professionals necessary to put in place the basic cyber \nhygiene necessary to protect an election system. They simply can't \ncompete with industry and the Federal Government for the workforce. \nMoreover, misconceptions as to election officials' relative security, \ncaused in part by words erroneously used by the vendors like ``air-\ngapped,'' further lead to confusion or a false sense of security. While \nfurther investment in STEAM is undoubtedly critical to solving this \nproblem long-term, those investments could take a decade to bear fruit. \nWe should still make the investments.\n---------------------------------------------------------------------------\n    \\7\\ ``Cybersecurity Jobs Report 2018-2021.'' Cybersecurity \nVentures, May 31, 2017. Accessed March 13, 2019. https://\ncybersecurityventures.com/jobs/\n    \\8\\ ``Cybersecurity Jobs Report 2018-2021.'' Cybersecurity \nVentures, May 31, 2017. Accessed March 13, 2019. https://\ncybersecurityventures.com/jobs/\n---------------------------------------------------------------------------\n    However, we must find creative ways to ``hack'' the work force \nproblem for election officials. HB1 has a creative solution with its \nprovision for a bug bounty program, akin to ``Hack the Pentagon,'' that \ncrowdsources security for local election officials. Further, specifying \nthat some of the R&D funding in HB1 be allocated for development of \nopen-source voting equipment, would enable thousands of security \nexperts to audit the code of voting equipment and suggest fixes. Open-\nsource equipment offers an inexpensive, persistent, and adaptable \nopportunity to dramatically increase the cyber workforce without local \nelection officials being required to recruit, hire, and retain cyber \nprofessionals. Finally, outsourcing voter registration database \nsecurity by providing State and local election administrators grants to \nmigrate their data to a secure, American-owned and -operated cloud like \nAWS, Google, or Microsoft would remove database security burdens from \nlocal election officials and assign it to organizations who can afford \nto recruit and retain the best security professionals in the business.\n    Questions From Honorable Sheila Jackson Lee for John H. Merrill\n    Question 1. Are we taking a fail-safe approach to determining which \nelection systems or processes are critical to the successful conduct of \na public election?\n    Answer. No. The Alabama Secretary of State's Office believes that \nthe only effective method to determine which election systems are \ncritical to the process is with direct guidance and input from the \nSecretaries of State.\n    Question 2. Would you consider State-wide Centralized Voter \nRegistration Databases a critical system to the administration and \nconduct of any public election?\n    Answer. State-wide Centralized Voter Registration Databases are the \nmost critical component to the current democratic institutions that we \nhave created for the people of this country to voice their political \npreferences. These provide detailed information that allows Secretaries \nof State to effective plan an election for the people of their State, \ncounty, or local municipality.\n    Question 3. What fail-safe measures are in place to assure that if \nthe voter registration database is compromised and thereby make data \nrecords untrustworthy; or rendered unavailable for early voting or on \nelection day the casting of ballots will continue?\n    Answer. There is no true fail-safe to ensure that a compromise does \nnot occur; however, a systematic approach to augment any system or user \ndata damage can only be accomplished with daily system back-ups, \nadditional layers of security including two-factor authentication, and \nverification that even in the event of total loss of access or systems \nlocally would not eliminate the existence of those records and that can \nbe restored to a system without any down time.\n    Question 4. How many States have plans in place to hold or continue \nan election should their voter registration databases become \ncompromised?\n    Answer. Alabama does.\n    I am unable to answer this question, but I am hopeful that each and \nevery State has a plan in place should their voter registration \ndatabases be compromised.\n    Question 5. How many States and jurisdictions within each State use \nelectronic poll books?\n    Answer. As Alabama's Secretary of State I can only speak for \nAlabama and at this time there are 30 of 67 Alabama counties utilizing \nthe electronic poll book systems.\n    Question 6. Are there instances when electronic poll books have \nfailed to operate as intended?\n    Answer. With a few minor exceptions electronic poll books have \nworked as intended. Those minor exceptions have involved age-related \ncamera issues where the camera used to scan barcodes was not strong \nenough to pick up the driver's license barcode in low light and another \nissue occurred when a county employee failed to complete all of the \nsteps to load a voter's list onto the system.\n    Question 7. What recovery plan is in place should a polling \nlocation's electronic poll books fail or for periods of time not \nfunction?\n    Answer. The Secretary of State's Office recommends that every \ncounty retain a paper copy of that precinct's poll list at each polling \nsite, but ultimately that is left up to the discretion of the Judge of \nProbate in each county.\n    Question 8. How well does same-day voter registration during early \nvoting and on election day create meet fail-safe objectives for the \nsuccessful conduct of a public election?\n    Answer. In Alabama it does not meet or create fail-safe objectives, \nit simply creates a system without security mechanisms and attempts to \npass it off as a solution.\n    Question 9. Are you providing any guidance on security and wireless \nnon-voting system technology?\n    Answer. We provide guidance and require cybersecurity and ethics \ntraining to all the State and county users that work in the Secretary \nof State's Office or have access to the voter registration system.\n    Additionally, Alabama's system utilizes paper ballots which once \nvoted are retained for at least 22 months following an election, as \nrequired by Federal law.\n    Question 10. Do election administrators plan for 100% voter \nparticipation during early voting or on election day? If not, why not?\n    Answer. In Alabama, electronic voting machines must be placed at \neach polling location based on the number of voters assigned to that \npolling place (2,400 voters per machine). So, pertaining to machines, \nthere is no projection involved. It is a set number.\n    Regarding the printing of ballots and ballot styles, some counties \nchoose to print the exact number of ballots for voters assigned to that \npolling location, and some counties prefer to project the turnout, \nobviously leaning towards the highest projected turnout number to \nensure enough ballots. The reason some counties would not print one \nballot per voter is due to the cost of ballots.\n    It is also important to have an understanding with the local ballot \nprinting vendor that they will deliver, in-person on election day, \nadditional ballots to any polling place that is getting low. This has \nhappened in the past in Alabama, and the vendor has done their part to \nensure enough ballots. Some States may not have the ballot printing \nvendor in their State and would be forced to print one ballot per \nvoter.\n    Question 11. Are there best practices that should be used to \ndetermine the number of ballots and ballot marking technology, or \nvoting machine that should be provided to support voting?\n    Answer. In Alabama according to State law and administrative rule, \nan electronic voting machine must be assigned for every 2,400 voters in \neach polling place. Working with vendors to determine the number of \nvoters that should be associated with a machine for proper flow on \nElection Day is a must, as well as the number of ballots and ballot \nstyles should be printed for that polling place.\n    Question 12. Are there best practices to address when a natural or \nman-made event makes a polling location unavailable for voting?\n    Answer. The best practice is preparation. In Alabama, County \nCommissions should identify emergency back-up polling locations in each \narea in the case that one or more assigned polling locations is \ndamaged. In the case in which a polling place must change, the county \nwould need to hold an emergency meeting, designate the new polling \nplace(s) to be used and the electronic voting machines to be placed in \nthose polling places, and provide the list of new polling places to the \njudge of probate and board of registrars. Immediately upon changing the \npolling place, the county must notify all affected voters and publicize \nthe change via newspaper and any/all other effective means of \ncommunication including social media.\n    Question 13. How does allowing voters to vote at locations other \nthan at a single voting location impact the ability of election \nservices to serve voters in a county or State?\n    Answer. Alabama State law requires voters to vote at the polling \nplace assigned to them. Also, in Alabama, electronic voting machines \nmust be placed at each polling location based on the number of voters \nassigned to that polling place (2,400 voters per machine).\n    The preparation and planning for the number of voting machines, \nballots, ballot styles, poll books and electronic books, election \nworkers, election supplies, parking and disabled ballot marking devices \nper polling place is one of the most important aspects of an election. \nUnderstanding the number of voters assigned to a specific polling place \nand planning resources around that number is vital in our election \npreparation.\n     Questions From Honorable James R. Langevin for John H. Merrill\n    Question 1. Our system is only as strong as its weakest link, and \nwe need to ensure everyone has this ``cyber hygiene'' knowledge. Have \nyou found that there's a general lack of knowledge of security \nvulnerabilities and best practices at the staff level?\n    Answer. No. We have an outstanding team here at the Alabama \nSecretary of State's Office, however, it is difficult to hire staff \nthat we can compensate based on the current salary schedule that is \navailable from the private sector.\n    Question 2. The risk and vulnerability assessments offered by DHS \ncan be extremely valuable for States and localities. Have you found \nthese assessments for States and local election officials to be useful \nas you work to secure your election systems, and have you implemented \nDHS's recommendations?\n    Answer. We have utilized the assessments from DHS on more than one \noccasion to review our system and to ensure that any vulnerabilities \nthat existed were resolved prior to an election.\n    Question 3. Do you have the resources you need to implement the \nrecommendations, and if not, what more do you need to do so?\n    Answer. In all of the instances reported to the Secretary of \nState's office we have had the resources to implement the \nrecommendations that were made from the cyber assessments. However, \nmany of those would not have been possible without the grant funds \nalready allotted to the Secretary of State's office.\n    Additionally, recently DHS has begun to undertake a review of \ncounty offices. Many of those recommendations will be for things that \nare much more expensive, and many are hesitant to schedule their review \nbecause they know they will be made aware of a large number of issues.\n         Question From Honorable Dina Titus for John H. Merrill\n    Question. When speaking with State and local election officials in \nNevada, I have heard that while urban areas like Las Vegas may have the \nIT workforce available to recruit individuals to implement new \ncybersecurity measures like Albert sensors, rural areas have been \nstruggling to find trained personnel. Have you experienced this \nshortage in other parts of the country, and do you believe further \ninvestment in STEM education is necessary to effectively mitigate this \nskills gap and secure our most vulnerable election sites?\n    Answer. Investment in education in rural areas is something that \nwould benefit the people of those locations but that would help solve \nthe problem in the long term. Short-term solutions to this problem \nrequire additional resources and smart hiring processes.\n     Questions From Honorable Yvette D. Clarke for John H. Merrill\n    Question 1a. Last year, the FBI uncovered that a Russian oligarch, \nwith close ties to President Putin, had acquired an ownership interest \nin a vendor which hosted State-wide election data for Maryland.\\1\\ \nUntil the FBI alerted them, State election authorities were unaware of \nthe vendor's ties to Russia. Even if no tampering occurred, this raises \nimportant questions about foreign ownership of firms providing \nelection-related services.\n---------------------------------------------------------------------------\n    \\1\\ https://www.baltimoresun.com/news/maryland/politics/bs-md-\nelection-russia-20180713-story.html.\n---------------------------------------------------------------------------\n    To the best of your knowledge, does your State have any election-\nrelated contracts with vendors backed by Russian or Chinese investors?\n    Answer. To the best of my knowledge the State of Alabama does not \nhave any vendors backed by Russian or Chinese investors.\n    Question 1b. What measures, if any, does your State undertake to \nassess foreign ownership of election vendors prior to signing contracts \nwith them?\n    Answer. The Alabama Secretary of State's office reviews all the \nfinancial documentation associated with each company before entering \ninto a contract with them. Additionally, we require all business that \ndo business with us to be registered with the State of Alabama before \nwe enter into an agreement for services. The contract for Alabama's \ncurrent voter registration system is about to be put up for bid again \nand will include requirements for all companies to disclose any foreign \nownership or investment in their company before they are considered by \nthe office for use in Alabama.\n     Question From Honorable Michael T. McCaul for John H. Merrill\n    Question. Foreign states, including Russia and other malicious \nactors have and will continue to attempt to interfere with U.S. \nelections. In fact, I encouraged, in a Classified space, both the Obama \nadministration and the Trump administration to call out Russia for \ntheir targeted attacks on our Nation. Their activities have injected \nchaos and doubt into foundation of our democracy. An issue of this \ngravity requires Congress to act in a deliberate and bipartisan manner. \nNow, all eyes are on 2020. How has the cooperation with DHS and \nDirector Krebs strengthened California's election security?\n    Answer. The Alabama Secretary of State's Office has benefited from \nthe increased relationship with the Department of Homeland Security. \nThis relationship has allowed us to secure our systems by implementing \na multitude of security equipment and tools to strengthen the States' \nelection systems. Additionally, DHS has provided a team from the \nDepartment of Homeland Security that has been present with our IT staff \non election day to provide direct contact in the event of a breach or \nother system problem.\n\n                                 [all]\n</pre></body></html>\n"