[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                  2020 ELECTION SECURITY - PERSPECTIVES FROM 
                   VOTING SYSTEM VENDORS AND EXPERTS

=======================================================================

                                 HEARING

                               BEFORE THE

                           COMMITTEE ON HOUSE
                             ADMINISTRATION
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               ----------                              

                            JANUARY 9, 2020

                               ----------                              

      Printed for the use of the Committee on House Administration
      
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]      


                       Available on the Internet:
         http://www.govinfo.gov/committee/house-administration
         
         
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
41-318                  WASHINGTON : 2020                     
          
--------------------------------------------------------------------------------------         
                  
                  Committee on House Administration

                  ZOE LOFGREN, California, Chairperson
JAMIE RASKIN, Maryland               RODNEY DAVIS, Illinois,
SUSAN A. DAVIS, California             Ranking Member
G. K. BUTTERFIELD, North Carolina    MARK WALKER, North Carolina
MARCIA L. FUDGE, Ohio                BARRY LOUDERMILK, Georgia
PETE AGUILAR, California
                           
                           
                           C O N T E N T S

                              ----------                              

                            JANUARY 9, 2020

                                                                   Page
2020 Election Security--Perspectives From Voting System Vendors 
  and Experts....................................................     1

                           OPENING STATEMENTS

Chairperson Zoe Lofgren..........................................     1
    Prepared statement of Chairperson Lofgren....................     3
Hon. Rodney Davis, Ranking Member................................     5
    Prepared statement of Ranking Member Davis...................     7

                               WITNESSES

Tom Burt, President and CEO, Election Systems & Software.........    10
    Prepared statement of Mr. Burt...............................    13
John Poulos, President and CEO, Dominion Voting Systems..........    22
    Prepared statement of Mr. Poulos.............................    24
Julie Mathis, President and CEO, Hart InterCivic.................    28
    Prepared statement of Ms. Mathis.............................    30
Liz Howard, Counsel, Brennan Center for Justice..................    66
    Prepared statement of Ms. Howard.............................    68
Matt Blaze, Professor of Law, Georgetown University Law Center...   120
    Prepared statement of Mr. Blaze..............................   122
Juan Gilbert, Ph.D., Banks Family Preeminence Endowed Professor, 
  University of Florida..........................................   138
    Prepared statement of Dr. Gilbert............................   140
Rev. T. Anthony Spearman, President, North Carolina NAACP........   158
    Prepared statement of Rev. Spearman..........................   160
Hon. Don Palmer, Commissioner, Election Assistance Commission....   166
    Prepared statement of Hon. Palmer............................   168
Michael C. Gianasi, County Clerk and Recorder, Christian County, 
  Illinois.......................................................   172
    Prepared statement of Mr. Gianasi............................   174

                        QUESTIONS FOR THE RECORD

Tom Burt, President and CEO, Election Systems & Software, answers 
  to submitted questions.........................................   182
John Poulos, President and CEO, Dominion Voting Systems, answers 
  to submitted questions.........................................   216
Julie Mathis, President and CEO, Hart InterCivic, answers to 
  submitted questions............................................   237
Liz Howard, Counsel, Brennan Center for Justice, answers to 
  submitted questions............................................   269
Matt Blaze, Professor of Law, Georgetown University Law Center, 
  answers to submitted questions \1\.............................
Juan Gilbert, Ph.D., Banks Family Preeminence Endowed Professor, 
  University of Florida, answers to submitted questions..........   281
Rev. T. Anthony Spearman, President, North Carolina NAACP, 
  answers to submitted questions.................................   284
Hon. Don Palmer, Commissioner, Election Assistance Commission, 
  answers to submitted questions.................................   286

                       SUBMISSIONS FOR THE RECORD

Securing the Vote: Protecting American Democracy, The National 
  Academies of Sciences, Engineering, Medicine, a Consensus Study 
  Report.........................................................   291
Electronic Privacy Information Center, Letter....................   472

                               __________
                               
\1\ Mr. Blaze did not answer submitted questions for the record by the 
time of printing.

 
  2020 ELECTION SECURITY--PERSPECTIVES FROM VOTING SYSTEM VENDORS AND 
                                EXPERTS

                              ----------                              


                       THURSDAY, JANUARY 9, 2020

                          House of Representatives,
                         Committee on House Administration,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 10:03 a.m., in Room 
1310, Longworth House Office Building, Hon. Zoe Lofgren 
[Chairperson of the Committee] presiding.
    Present: Representatives Lofgren, Raskin, Davis of 
California, Butterfield, Fudge, Aguilar, Davis of Illinois, and 
Walker.
    Staff Present: Sean Jones, Legislative Clerk; Jamie Fleet, 
Staff Director; Mariam Malik, Staff Assistant; Hannah Carr; 
Staff Assistant; Stephen Spaulding, Elections Counsel; Georgina 
Cannan, Elections Counsel; Peter Whippy, Communications 
Director; Eddie Flaherty, Chief Clerk; David Tucker, Senior 
Counsel and Parliamentarian; Courtney Parella, Minority 
Communications Director; Jen Daulby, Minority Staff Director; 
Cole Felder, Minority General Counsel; Tim Monahan, Minority 
Deputy Staff Director; and Nick Crocker, Minority Director, 
Member Services.
    The Chairperson. Welcome, everybody, and good morning. We 
are waiting for Committee Members to arrive any moment, but 
while we are waiting we will begin with our opening statements.
    I would like to note that our Committee is charged with 
overseeing the administration of Federal elections. Today's 
hearing will help us fulfill that responsibility by providing 
an opportunity to hear from the vendors of most of our 
country's voting systems. This is the first time the Chief 
Executive Officers of the three major vendors have appeared 
together in a congressional hearing. The companies they 
represent provide at least 80 percent of the estimated 350,000 
voting machines in use today, reaching over 100 million 
registered voters.
    However, despite their outsized role in the mechanics of 
our democracy, some have accused these companies of obfuscating 
and, in some cases, misleading election administrators and the 
American public. Others suggest there is an insufficient 
regulatory structure for this sector.
    In the Committee's May 2019 hearing on election security, 
Lawrence Norden of the Brennan Center for Justice wrote in his 
testimony that, and I quote, ``there are more Federal 
regulations for ballpoint pens and magic markers than there are 
for voting systems and other parts of our election 
infrastructure.'' There may be more work to do and much for 
Congress to learn about this industry.
    Many have concerns about voting systems with remote access 
software, and I think we want to make sure that companies no 
longer sell voting machines that have network capabilities. In 
2019, according to a report in Motherboard, a group of election 
security experts, they uncovered that backend election systems 
in at least 10 states were connected to the internet despite 
one company's claim that its systems were not.
    We need also to understand supply chains. In December 2019, 
a study released by Enteros, a supply chain monitoring company, 
showed that one-fifth, or 20 percent, of the components in a 
popular voting machine came from China-based companies. 
Furthermore, close to two-thirds or actually 59 percent of 
suppliers within that machine's supply chain had locations in 
either China or Russia. Enteros didn't name the vendor that 
manufactured the voting machine but said that it was widely 
used.
    I have also heard concerns about the ownership and control 
of voting machine vendors. Public reporting indicates that all 
three of the major voting system vendors represented here today 
are privately held or are partially controlled by private 
equity firms. I believe it is in the public interest for 
Congress to better understand who could financially benefit 
from the administration of our elections.
    There are also, of course, threats to our voting 
infrastructure. We learned in Special Counsel Mueller's report 
that Russia intelligence officers targeted employees of a 
voting technology company that developed software to manage 
voter rolls and installed malware on the company network. We 
also know that our own voluntary voting system guidelines have 
not been substantially updated since 2005 before the iPhone was 
even available. It then took the EAC another decade to make 
small changes, which were adopted in 2015, almost 5 years ago.
    So there is more we have to do together to bolster public 
confidence and trust in our election systems. That is why this 
Congress has acted. Last June, the House passed H.R. 2722, the 
SAFE Act, that would require individual durable voter verified 
paper ballots. It would require strict cyber security 
standards. It would require risk-limiting audits, prohibit 
wireless and internet connectivity, and create accountability 
mechanisms for election technology vendors. The bill awaits 
consideration in the Senate.
    Just last month, Congress appropriated $425 million to the 
States to improve election security. This builds on the $380 
million Congress appropriated in 2018. Securing our elections 
should not be a partisan issue. Election security is about 
upholding a democracy of, by, and for the people, the American 
people, be they Republican, Democratic, third party, or no 
party at all. Our democracy is resilient, but it relies on 
everyone having their vote counted as cast.
    I now recognize our Ranking Member, Mr. Davis, for any 
opening statement he may wish to make.
    [The statement of The Chairperson follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Davis of Illinois. Thank you, Madam Chairperson. 
Especially, also thank you for holding this necessary, long 
overdue hearing that I've been looking forward to since the 
beginning of this Congress. I also want to thank all of our 
witnesses for taking the time to be here today to discuss the 
very important issues regarding elections and election security 
and elections administration.
    My agenda since becoming the Ranking Member of this 
Committee has been and continues to be focused on nonpartisan 
and effective oversight of our Nation's elections, which are 
maintained by the States, not the Federal Government. But that 
does not mean that this Committee and the House itself does not 
have an important oversight role to play in securing elections.
    Our witnesses here today have state, county, and local 
jurisdictions as clients who know their electorate best. We 
also have witnesses who have experience with running those 
elections, but we know that threats from foreign actors to our 
Nation's elections are not going away.
    It should be noted from the Senate Intelligence Committee's 
report on the 2016 election, there were, quote, ``no 
indications that votes were changed, vote tallying systems were 
manipulated, or that any voter registration data was altered or 
deleted,'', by Russia or any foreign actor.
    DHS Assistant Secretary Jeanette Manfra said in the Senate 
Intel's opening hearing in June of 2017 that, quote, ``we do 
not--we do have confidence in the overall integrity of our 
electoral system because our voting infrastructure is 
fundamentally resilient.''. While we have faith in the 
electoral system, we still have a responsibility to strengthen 
the relationship between States and the Federal Government to 
ensure that Americans' votes are and will continue to be 
protected.
    There has been some disagreement with my colleagues across 
the aisle on how best to accomplish this mission, but I believe 
our goal is the same. Instead of getting into a long-winded 
debate today between paper versus electronic, State versus 
Federal, let's instead focus our efforts on areas within our 
Federal reach that need improvement, areas where we may come to 
a bipartisan agreement as we have seen in this Committee and 
many times in the past.
    This Committee created and passed the Help America Vote Act 
of 2002 (HAVA), which provided much-needed funds to states so 
that they could update their election security and voting 
infrastructure and created the Election Assistance Commission 
or EAC. One notable requirement of HAVA was for the EAC to 
create a set of specifications and requirements against which 
voting systems can be tested called the Voluntary Voting 
Systems Guideline, or VVSG. The EAC adopted the first VVSG in 
December of 2005 and approved an updated version, VVSG 1.1, in 
January of 2016. Now we are currently waiting for the EAC to 
produce the newest guidelines, the VVSG 2.0.
    This year, our Committee should hold a hearing with the EAC 
to discuss this voting guideline development process and 
several other processes within our jurisdiction.
    Perhaps we should not only focus on the EAC but, instead, 
HAVA itself. The Help America Vote Act was originally created 
in 2002 following the 2000 Presidential election and its many 
issues with paper ballots and ballot marking devices, much like 
we will be discussing today.
    There have been many developments in voting systems 
technology that are not addressed in the original HAVA language 
like e-pollbooks and securing online registration databases. It 
has been almost 20 years since this law has been updated, and 
with the recent developments in election security and 
technology, it is time to modernize these laws again and 
incentivize new, more secure infrastructure development from 
vendors like each of you.
    Also, let's recognize the steps we have taken this Congress 
alone to secure our elections. As Chairperson Lofgren said, the 
Fiscal Year 2020 National Defense Authorization recently 
enacted last month contained several provisions related to 
election security. Most involved providing Congress, Federal, 
or State agencies with information about election interference, 
something that was in the election security bill I introduced, 
H.R. 3412, the Election Security Assistance Act. It also 
requires the Director of National Intelligence, in coordination 
with several other agencies, to develop a strategy for 
countering Russian cyberattacks against U.S. elections, another 
provision I had in my bill.
    In addition to the NDAA, the recent appropriations, as 
Chairperson Lofgren said, included $425 million for payments to 
States, territories, and the District of Columbia to make 
general improvements to the administration of Federal elections 
including upgrades to election technology and security.
    Much has been done, but we still have much to do, which is 
why you are all here with us today. A fundamental right of our 
Nation's ability is to choose our leaders. The American people 
deserve that right to be protected. We should secure and 
protect our Nation's elections without partisan politics, and I 
hope we can remember that not only during this hearing but also 
for the duration of this Congress.
    Thank you, Madam Chairperson. I yield back.
    [The statement of Mr. Davis of Illinois follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you.
    The gentleman yields back.
    All other Members are invited to submit an opening 
statement for the record without objection.
    At this point, I would like to welcome our witnesses. Thank 
you for being here today. Joining us are the President and CEO 
of Election Systems & Software, Mr. Tom Burt; President and CEO 
of Dominion Voting Systems, Mr. John Poulos; and President and 
CEO of Hart InterCivic, Julie Mathis.
    I would like to introduce each of the witnesses. First, Mr. 
Burt. Tom Burt became President and CEO of Elections Systems & 
Software in 2015. He joined E&S in 2008, leading sales, 
customer services, operations, and the product departments. 
Before joining ES&S, Mr. Burt developed his general management 
and sales leadership at McMaster Carr, a supply company, and 
Anderson Consulting where he served in a variety of executive 
management roles.
    John Poulos is the founding President and CEO of Dominion. 
In this role, he leads the company's overall business strategy 
and operations. Since its inception in 2003, Dominion has grown 
to support over 1,200 jurisdictions across North America. He 
holds a Bachelor of Arts degree in electrical engineering from 
the University of Toronto as well as a Master's of Business 
Administration degree from INSEAD, Fontainebleau, France.
    Julie Mathis joined Hart in 2014 but became its CEO just 9 
days ago, so congratulations. She has previously served as 
President and CFO of the company. Prior to joining Hart, she 
served as Vice President of finance at Dell. Ms. Mathis holds a 
Bachelor of Business Administration degree in accounting from 
the University of Texas at Austin and is a Certified Public 
Accountant.
    I would at this point ask unanimous consent that all 
Members have 5 legislative days to revise and extend their 
remarks and their written statements be made part of the 
record.
    And, without objection, that is so ordered.
    I would also like to remind witnesses that their entire 
written statements will be made part of the record and that the 
record will remain open for at least five days for additional 
materials to be submitted.
    At this point, I would ask each of the witnesses to stand 
and raise their right hand.
    [Witnesses sworn.]
    The Chairperson. The record will reflect that all three 
witnesses answered in the affirmative.
    We will first recognize you, Mr. Burt, for your testimony.

 TESTIMONY OF TOM BURT, PRESIDENT AND CEO, ELECTION SYSTEMS & 
  SOFTWARE, OMAHA, NEBRASKA; JOHN POULOS, PRESIDENT AND CEO, 
 DOMINION VOTING SYSTEMS, DENVER, COLORADO; AND JULIE MATHIS, 
       PRESIDENT AND CEO, HART INTERCIVIC, AUSTIN, TEXAS.

                     TESTIMONY OF TOM BURT

    Mr. Burt. Thank you.
    Chairperson Lofgren, Ranking Member Davis, and Members of 
the House Administration Committee, thank you for the 
opportunity to testify on the vitally important subject of 
election security. My name is Tom Burt, and I am CEO of 
Elections Systems & Software. I'm encouraged to see the growing 
attention to stronger security for elections, and I'm thankful 
for the additional recent funding to the States provided by 
Congress under your leadership.
    Founded 40 years ago, ES&S' headquarters are in Omaha, 
Nebraska, where roughly half of our 490 employees live and 
work. Others live locally in or near the States where we 
provide products and services, including employees who reside 
in California, Georgia, Illinois, Maryland, North Carolina, and 
Ohio.
    Let me be clear and unequivocal with you: ES&S is committed 
to doing everything we can to safeguard our Nation's election 
security. It is what every one of our employees wakes up and 
goes to bed thinking about. For us, every single day is 
election day.
    Additionally, I want to make clear that ES&S strongly 
supports Federal mandates for the following three policies: 
first, an auditable paper record for every vote cast; second, 
post-election audits of these paper records; and, third, more 
rigorous standards for the programmatic security testing of 
voting equipment by a federally controlled regulatory body.
    I'd like to elaborate on a few of the many examples ES&S 
has raised--ways that ES&S has raised the bar on itself for 
election security and called on Congress to raise the bar on 
the entire industry. First, as mentioned, it is important that 
an auditable paper trail be required for every vote cast. ES&S 
has stopped selling new voting machines that do not produce an 
auditable paper record at the primary voting device.
    Second, we support and applaud the increase in dedicated 
resources coming from Congress, State, and local officials, the 
Election Assistance Commission, and the Department of Homeland 
Security. We embrace our partnerships with these bodies because 
we believe that collectively we can provide necessary and 
continuous improvement in election security.
    While the recent appropriations bill included additional 
elections-related funding from Congress, we believe the Federal 
Government needs to devote these resources to State and local 
jurisdictions on an annual basis.
    Third, I'd like to highlight just a few of the many 
important steps ES&S takes to bolster election security. Every 
ES&S system we field undergoes rigorous testing by independent 
Federal test labs accredited by NIST. Since 2009, ES&S has 
certified 22 unique voting system releases through this Federal 
testing program. Our standard procedure is to conduct thorough 
and pervasive penetration testing of our hardware and software 
using the same modern security tools that hackers use to make 
sure our equipment is secure before it ever enters the Federal 
program. We recommend increased EAC funding for security 
testing managed at the Federal level with standards and testing 
methods that are applied evenly and comprehensively to all 
providers.
    All ES&S tabulation firmware and software are not only 
housed domestically but are also written exclusively inside the 
United States. ES&S engages an independent third party to 
regularly test samples of the components inside our voting 
equipment that are programmable logic devices. We do this to 
validate the security of our supply chain and to ensure that no 
backdoor tampering has occurred. ES&S voting machine components 
are produced in ISO 9001 certified manufacturing facilities, 
and the entire voting system is managed by a secure engineering 
change order control process. All final hardware configuration 
of our voting machines is performed exclusively in Omaha, 
Nebraska.
    We are working with our fellow industry providers seated 
with me here today to create the Nation's first coordinated 
vulnerability disclosure program for elections equipment, 
designed to provide for even greater independent testing of 
voting systems through the use of ethical hackers. Because we 
strive for continuous improvement in all facets of our 
business, our actions related to election security are 
continuous, ongoing, and dynamic.
    Finally, I want to be clear that we do not believe we are 
perfect. On rare occasions, machines falter, and humans make 
mistakes. When these circumstances arise, we always do 
everything possible to remedy the issue and ensure that final 
election reports--results are reported accurately.
    As I noted previously, we strongly urge Congress to require 
an auditable paper record for every vote cast as a matter of 
law to improve even more the integrity of our elections. While 
we are very proud of the actions we have taken to date in 
support of safe and secure elections, we recognize that this is 
a race that has no finish line. ES&S is committed to 
continually enhancing the security of our products for the long 
run. We take nothing more seriously than our role in supporting 
our Nation's democracy.
    Thank you for your time, and I look forward to your 
questions.
    [The statement of Mr. Burt follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you very much.
    We'd be pleased to hear from you, Mr. Poulos.

                    TESTIMONY OF JOHN POULOS

    Mr. Poulos. Thank you very much. Chairperson Lofgren, 
Ranking Member Davis, and distinguished Members of the 
Committee, thank you for the opportunity to testify today. My 
name is John Poulos, and I'm the Chief Executive Officer of 
Dominion Voting Systems. We are a U.S.-owned company that 
currently provides voting systems and services to jurisdictions 
across 30 States and Puerto Rico.
    I agree with the importance of this--of the issues being 
raised by the Chairperson and Ranking Member regarding election 
security and integrity at today's hearing. American elections 
safeguard and preserve the freedoms and rights guaranteed by 
the U.S. Constitution. At Dominion, we take pride in our small 
role in assuring voters that they can have confidence in 
election results. We go to work every day understanding this 
important responsibility.
    By way of background, I formed the company with my partners 
in 2003 as an engineer and entrepreneur living in Silicon 
Valley. We were one of 76 new entrants innovating in the post-
HAVA era, and we are one of the only ones independently 
operating of those 76 in the industry today.
    Dominion was founded on three key pillars: security, 
transparency, and accessibility. The company abides by these 
principles to this day, driving innovations and advancements 
for auditability and resilience directed by Federal, State, and 
local election officials.
    Supporting elections is a full-time proposition for our 
company. This past year alone, Dominion assisted State and 
local election officials in conducting nearly 300 elections 
complete with the rigorous public scrutiny that comes with it. 
Dominion is constantly innovating and certifying enhancements 
and new features per State and local requirements. For 2020, we 
have been working closely with jurisdictions seeking to upgrade 
their voting systems. Older, end-of-life technology is being 
replaced with certified solutions that produce paper records 
for auditing and resilience. This comports with recommendations 
by DHS.
    Consistent with our founding tenets, Dominion works hard to 
promote a company culture of security. This starts with our 
people, including annual mandatory background checks and 
cybersecurity awareness training for every employee in the 
company. It includes companywide adoption of advanced digital 
protections and a defense-in depth approach to cybersecurity. 
Moreover, we actively engage with the EAC, DHS, and other 
trusted third parties to maintain and enhance our enterprise 
security, including potential supply chain risks.
    Finally, we meet all independent testing requirements, 
including EAC standards developed in conjunction with NIST and 
requirements set forth by individual States. This includes 
source code reviews, penetration testing, and post-election 
audits.
    In terms of transparency, Dominion systems fully support 
independent third-party audits and reviews of all election 
data. For example, in 2018, the State of Colorado used Dominion 
systems in conducting the first statewide risk-limiting audit 
in the United States. This effort was so successful, it has 
become a benchmark for other States in verifying with high 
confidence that equipment tallies are accurate and reliable.
    To round out our company mission, we are committed to voter 
accessibility. Our systems ensure Federal protections for 
privacy and equal voting rights and ballot casting options for 
all, including American servicemembers abroad.
    The existence of nation-state threats means that we must 
actively defend against any attempts to undermine faith in our 
democratic institutions. In this regard, we hope to see 
Congress continuing its work with State and local election 
officials to keep election systems secure. We commend Congress 
on its bipartisan investment of an additional $425 million to 
help election officials modernize their infrastructure.
    In closing, we remain fully committed to providing 
technology that supports free and fair elections. This includes 
support for an industry wide coordinated vulnerability 
disclosure program for voting systems. We urge you to continue 
supporting and incentivizing real-time threat information 
sharing from the intelligence community, streamline 
certification options for patching and updating, and reliable 
baseline security standards for voting systems. All of these 
efforts will help make the voting process more secure.
    Thank you again for the opportunity to share our company's 
perspective.
    [The statement of Mr. Poulos follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you so much for your testimony.
    And now our final witness on this panel, Ms. Mathis. We'd 
be pleased to hear from you for five minutes.

                   TESTIMONY OF JULIE MATHIS

    Ms. Mathis. Chairperson Lofgren, Ranking Member Davis, and 
Members of the Committee, thank you for the opportunities to 
speak with you today. My name is Julie Mathis, and I'm the CEO 
of Hart InterCivic. Hart InterCivic is based in Austin, Texas, 
where we have been located since our inception over a hundred 
years ago. Hart began as a paper ballot printer and over the 
past 20 years has grown organically one new customer at a time 
to become one of the top three voting system providers in the 
country. Our customers are local election officials, and our 
business is built on partnering with them every day to help 
solve their problems, enhance their processes, and ensure they 
deliver secure, accessible, and transparent elections.
    Our products include the software and devices that these 
election officials use to create ballots, capture votes, 
tabulate votes, and audit the results. Our systems are 
regulated as each is submitted to Federal certification through 
the EAC as well as the State certification processes before any 
local jurisdiction purchases them.
    It's also important to know which aspects of the election 
ecosystem Hart does not serve. Hart does not build the products 
that manage voter registration, voter check-in at the polling 
place, the public recording of election night results, or any 
other aspect of election or data administration. These aspects 
of the election system and their vendors are not currently 
regulated.
    I am in Washington, D.C., this morning because Hart 
strongly believes that voting system companies are one of the 
many critical players ensuring American elections are 
accessible, transparent, and secure. I can tell you much has 
improved over the past few years for Hart and for the industry, 
but we know that challenges remain, and we must continue to 
evolve and adapt.
    So what has improved? First, what has improved as a company 
is our products. We are proud that our Verity voting system is 
one of the newest and, we believe, most secure line of election 
products on the market. Rather than patch updates on older 
technology, Verity is a wholly new product designed from its 
core to meet modern security standards. Verity's robust 
security strategy is further described in my written testimony.
    Second, what has improved as an industry? The election 
industry is far better informed, better supported, and more 
agile when it comes to cybersecurity threats as a direct result 
of the Department of Homeland Security's designation of the 
American election system as critical infrastructure. Because of 
that designation, we're a founding member of DHS' Sector 
Coordinating Council, a group of diverse elections-related 
vendors under DHS' stewardship to address resilience policies 
and practices. Similarly, we're a founding and engaged member 
of the ICS-ISAC as well as an active member of the EI-ISAC. All 
offer a range of valuable programs, free assessments, and 
educational materials, but the biggest improvements have been 
to our ability to community and coordinate around cyber threat 
information and disclosures.
    So where else can we all continue to evolve and adapt? 
Number one, continual evolution of the voting system 
guidelines. We strongly support the process to roll out updated 
national standards. We have submitted our comments during the 
public comment period draft of the draft VVSG 2.0 and are in 
regular communication with the EAC to provide further insights 
to inform the new standard.
    We share your frustration over the slow adoption of the new 
standards, yet Hart has proactively enhanced the security of 
our products while awaiting the release of the 2.0 standards. 
In addition, we encourage Congress and the EAC to continue to 
explore ways to apply Federal oversight to other election 
technology, especially areas of higher vulnerability, such as 
voter registration, electronic pollbooks, and election night 
results reporting.
    Number two, speed up the Federal certification process at 
the EAC. We are optimistic that Congress' recent increase in 
funding may allow additional resources to be dedicated to the 
ongoing overhaul of the VVSG and to enhance certification of 
resources at the EAC. The more resources and funding that 
Congress can dedicate to the EAC and NIST, the sooner we will 
be able to bring the next generation of products to market.
    Number three, ongoing vigilance over cybersecurity 
practices within our companies and within local jurisdictions. 
The most important shift in institutional attitudes towards 
securing the integrity of election systems is that security is 
not a static process. At Hart, we recognize that cybersecurity 
threats will evolve, and so we, along with local jurisdictions, 
must continually adjust to new risks and adapt with new 
technology, new processes, and new policies.
    In conclusion, much has improved over the last few years. 
Not only are there new products on the market with enhanced 
security protocols, but the election industry is much better 
informed, more coordinated, and more aware. But this enhanced 
awareness also highlights the clarity that securing the 
American election system is a race with no finish line. It will 
take constant vigilance, funding, partnership, and coordination 
across all aspects of the election ecosystem to ensure that 
elections are secure each and every year.
    At Hart, our goal is and always has been to provide 
election officials with accessible and secure technology. We 
dedicate significant time and resources, ensuring our products 
meet or exceed the latest security standards. And because of 
this, we are a trusted partner of the local officials who run 
elections in our country.
    Thank you, and I look forward to answering any questions 
you may have.
    [The statement of Ms. Mathis follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you very much, and thanks to all of 
our witnesses for your verbal testimony as well as your written 
testimony.
    We'll now go to the time in our hearing where Members have 
an opportunity to ask questions for as long as five minutes, 
and I'll start.
    We all know and recognize that concern about election 
security has been heightened since the 2016 election--we've had 
reports from our intelligence community that we should be on 
the alert for threats, especially foreign threats to the 
security of our systems. Right now, there are no Federal 
reporting requirements that mandate disclosure of crucial 
information about some of your key business practices or 
experiences. And I'd like to know from each of you, and this is 
going to be a yes-or-no question, would you support 
requirements concerning the following five items: first, your 
cybersecurity practices, including incident response 
procedures; two, any cyberattacks you've experienced; three, 
personnel policies and procedures, including whether background 
checks and other procedures are in place to safeguard against 
inside attacks; four, details of corporate ownership and 
foreign investment; and, finally, supply chains, for example, 
where parts, software patches, installations come from, how 
they're transported, and how they are kept secure? Would you--
if you could answer whether you would agree to all, or if there 
are some that you would object to, why?
    Mr. Burt. Madam Chairperson, I would say yes, that we would 
support a requirement for all five of those requirements that 
you listed.
    The Chairperson. Thank you.
    Mr. Poulos. Madam Chairperson, we would agree with that as 
well.
    The Chairperson. Thank you.
    Ms. Mathis. As would we.
    The Chairperson. That's very helpful. As you know, we have 
passed a pretty robust bill in the House that's pending in the 
Senate, and perhaps your testimony will encourage them to move 
forward.
    I'd like to talk about supply chains. As I mentioned in my 
opening statement, the concern has been raised about 
components. The Enteros report showed that a majority of 
suppliers within a widely used voting machine supply chain had 
locations in either Russia or China. They didn't indicate which 
company. So I'd like to ask each of you. Do you have components 
in your supply chain that come from either Russia or China?
    Mr. Burt. Madam Chairperson, we do not have components that 
come from Russia. We do have a limited number of components 
that come from China.
    The Chairperson. What percentage would that be?
    Mr. Burt. I can't give you a percentage, but with respect 
to this issue, the potential for a backdoor threat really 
doesn't pertain to inert items like a piece of plastic or a 
piece of metal. What we really should be concerned about are 
the programmable logic devices.
    The Chairperson. What type of components come from China? 
Can you tell me the nature of the components?
    Mr. Burt. Sure. I'll give you one example. Our DS200, which 
is a----
    The Chairperson. Well, no. I don't want examples. Do any of 
your chips or software come from China, or are the Chinese 
components just pieces of plastic?
    Mr. Burt. In our DS200, we have one of the nine 
programmable logic devices that we actually source from a U.S. 
company based in Milpitas, California, in the heart of Silicon 
Valley that produces that programmable logic device in a--in a 
factory in China.
    The Chairperson. Okay. Thank you.
    Mr. Poulos. Thank you for the question. It wasn't our 
company in Enteros' report, but we do have components in our 
products that come from China, and I don't know the exact 
percentage. I can certainly get that to the Committee through 
my staff. Happy to work with you on getting the exact number. 
Our products--our tabulated products have always been 
manufactured in the United States, and so if you look at----
    The Chairperson. Well, can you--before you go forward, what 
are the components that you get from China?
    Mr. Poulos. So, for example, LCD components, the actual 
glass screen on the interface down to the chip component level 
of capacitors and resistors. Several of those components, to 
our knowledge, are not even--there's no option for 
manufacturing of those in the United States. We would welcome 
guidelines and best practices from the Committee and from the 
Federal Government in terms of this is not a problem that's 
unique to the election industry.
    The Chairperson. Thank you.
    Ms. Mathis.
    Ms. Mathis. Yes. Similar feedback here. We take the 
security of our supply chain very seriously, and we actively 
monitor and assess all aspects of that supply chain, including 
country of origin.
    The Chairperson. So do you have components from China or 
Russia?
    Ms. Mathis. We do not have components from Russia, but we 
do have--similar to my colleagues, we do have components from 
China.
    The Chairperson. And what would be the nature of those 
components?
    Ms. Mathis. Similar: resistors, capacitors. They're the 
global supply chain for technology components for that----
    The Chairperson. And what percentage, do you know?
    Ms. Mathis. I don't have that.
    The Chairperson. We'll follow up with that.
    I'll turn now to Mr. Davis for his five minutes.
    Mr. Davis of Illinois. Thank you, Madam Chairperson, and 
thank you again to the witnesses who are here. Each of you, 
just a simple yes or a no. Is there any method of voting that's 
a hundred percent secure?
    Mr. Burt. No.
    Mr. Poulos. No.
    Ms. Mathis. No.
    Mr. Davis of Illinois. To your knowledge, has a foreign 
state ever successfully breached or hacked any of your vote 
tallying election machines? Mr. Burt.
    Mr. Burt. No.
    Mr. Davis of Illinois. Mr. Poulos.
    Mr. Poulos. No.
    Ms. Mathis. No.
    Mr. Davis of Illinois. What, then, was the primary target 
of our foreign adversaries in the 2016 election? Mr. Burt.
    Mr. Burt. Well, Ranking Member, I think there are 
potentially differing public views on that, but what I can say 
is that, as you asked a minute ago, we've seen no evidence that 
any of our voting systems have been tampered with in any way.
    Mr. Davis of Illinois. Mr. Poulos.
    Mr. Poulos. I would agree with that statement. We feel the 
same way. I can't speak to what the primary purpose was of the 
attacks, but there's, to our knowledge, no evidence on our 
systems as well.
    Mr. Davis of Illinois. Well, you guys already answered 
that.
    Ms. Mathis, do you know what was attacked during 2016?
    Ms. Mathis. I do not have personal awareness of that.
    Mr. Davis of Illinois. Okay. I believe reports say there 
were centralized voter registration systems, even one in my 
home State of Illinois. Where do these centralized State voter 
registration system databases come from?
    Mr. Burt. Ranking Member, they--it's various, depending 
on----
    Mr. Davis of Illinois. Do they come from any of your 
companies?
    Mr. Burt. We do host voter registration systems for a 
limited number of States, yes.
    The Chairperson. How about you, Mr. Poulos?
    Mr. Poulos. We do not.
    Ms. Mathis. We do not.
    Mr. Davis of Illinois. Okay. They're actually a requirement 
in the Help America Vote Act.
    And, also, Mr. Burt, to your knowledge, are there any 
parameters within HAVA that require basic security around the 
State voter registration databases?
    Mr. Burt. I believe the language in HAVA as it relates to 
voter registration is limited at best, and I'm not aware 
offhand of any specific language that pertains to----
    Mr. Davis of Illinois. Great. And I'll stick with you 
because you're the only one that actually deals with 
centralized voter registration, and the other two do not. Do 
you find this concerning and believe it's something that we 
should address in HAVA?
    Mr. Burt. I do. I think it's a gap in the oversight of the 
election administration or Election Assistance Commission, and 
I believe you could put electronic pollbooks into the same 
bucket with voter registration.
    Mr. Davis of Illinois. Okay. Are you members of the Sector 
Coordinating Council?
    Mr. Poulos. Yes.
    Ms. Mathis. Yes.
    Mr. Davis of Illinois. Okay. As well as the IT-ISAC and the 
EI-ISAC?
    Mr. Burt. Yes.
    Mr. Poulos. Yes.
    Mr. Davis of Illinois. Okay. How have these entities 
increased vulnerability disclosure? Mr. Burt.
    Mr. Burt. You know, prior to 2016, there was virtually no 
communication between vendors and those entities, and there is 
regular sharing of information, threat information as well as 
routine meetings, many face-to-face, to make sure that the 
lines of communication are open at all times.
    Mr. Davis of Illinois. Okay. Mr. Poulos, how many different 
vulnerability disclosure programs are there currently?
    Mr. Poulos. To my knowledge, we're part of one and 
currently working on several more with my colleagues here to 
create further disclosure programs.
    Mr. Davis of Illinois. Okay. Ms. Mathis, how do we ensure 
that these new programs are adequate to disseminate known 
vulnerabilities to those that need to know?
    Ms. Mathis. I think it's important that we continue to work 
together with cybersecurity experts that have already been 
involved through the designation as critical infrastructure. 
It's really assisted us with ensuring that we understand kind 
of the appropriate disclosures.
    Mr. Davis of Illinois. Would you all agree that there are a 
lot more people, both in the media and public interest groups 
and Congress, for that matter, writing on the topic of election 
security since the 2016 election?
    Mr. Burt. Yeah.
    Mr. Davis of Illinois. Would you all agree?
    Mr. Poulos. Yes.
    Mr. Davis of Illinois. I'm actually happy for this 
increased attention. I believe it's put an important issue to 
the forefront. I'm concerned about the incentive for outside 
groups to mischaracterize the threats facing our elections. Is 
this a concern that each of you share?
    Mr. Poulos. Yes.
    Mr. Davis of Illinois. I got one yes.
    Mr. Burt. Yes.
    Ms. Mathis. Yes.
    Mr. Davis of Illinois. Thank you. I didn't think C-SPAN 
could see you guys nodding your heads.
    Ms. Mathis. Yes.
    Mr. Davis of Illinois. Over the past several years, DEFCON 
has garnered a lot of publicity. Have any of you reached out to 
DEFCON to participate?
    Mr. Burt. Ranking Member, we have had discussions with 
them, but we have not provided our equipment to them for 
testing.
    Mr. Davis of Illinois. Okay.
    Mr. Poulos.
    Mr. Poulos. Ranking Member, we reached out to DEFCON this 
year in 2019, interested in a more collaborative penetration 
testing with stakeholders. We reached out with one organizer 
and had a plan. We actually did send our modern certified 
equipment to DEFCON, but in the days leading up to that event, 
I think that there was an internal disagreement within the 
conference. So we ended up not working at that conference, but 
if it's----
    Mr. Davis of Illinois. Okay.
    Mr. Poulos [continuing]. Not DEFCON, we're committed to 
that.
    Mr. Davis of Illinois. How about you, Ms. Mathis?
    Ms. Mathis. We have actually submitted our systems through 
the DHS' penetration testing process through Idaho National 
Labs, so we've--we've gone that route.
    Mr. Davis of Illinois. But not DEFCON.
    Ms. Mathis. Not DEFCON.
    Mr. Davis of Illinois. Okay. Thank you. I yield back.
    The Chairperson. The gentleman yields back.
    I now recognize the gentleman from Maryland, Mr. Raskin, 
for five minutes.
    Mr. Raskin. Madam Chairperson, thank you very much.
    The Consumer Product Safety Commission advises 
manufacturers of consumer products to identify all reasonably 
foreseeable hazards associated with use of their products and 
to include safety warnings and steps to reduce risk of accident 
in the user guides. And there are requirements like this for 
motor vehicles and warnings put in lots of different owner 
manuals. Would you support a requirement for voting system 
vendors to identify security risks associated with use of your 
voting equipment and recommendations for users to mitigate 
those risks, such as manual audits of paper ballots? And just 
go down the line. Mr. Burt, we'll start with you.
    Mr. Burt. Thank you, Congressman. We would support that. 
And as a global comment, I think we would support any 
requirement that applies to all vendors in our industry that 
would help educate both the users of our systems and anyone who 
interacts with them.
    Mr. Raskin. Thank you.
    Mr. Poulos. Congressman, I would agree with that statement 
as well. We would support any initiative that Congress puts 
forward.
    Mr. Raskin. Okay.
    And Ms. Mathis.
    Ms. Mathis. And we agree also with that.
    Mr. Raskin. All right. Very good. There has been some 
reporting recently about the lobbying practices of election--of 
technology vendors in the election field. The City Controller 
in Philadelphia issued an investigative report that showed 
serious flaws in the voting system procurement process, which I 
think resulted in ESS getting the $29 million contract. The 
reports indicate that ES&S spent $425,000 lobbying city 
officials dating back to 2013 before being awarded the 
contract. Is this just standard practice in the industry and 
with your business, Mr. Burt?
    Mr. Burt. Well, Congressman, starting about a year and a 
half ago, we actually hired our first ever Federal consultant 
to help us spend time in Washington educating Federal officials 
on who we are as a company, how we go about our business 
practices. We use consultants at the State level for the same 
purposes, to educate decisionmakers.
    Mr. Raskin. Well, in this case, it was used to help procure 
a contract, right?
    Mr. Burt. It was used to educate any of those involved 
about who we are as a company, the values we hold, and how we 
conduct our business.
    Mr. Raskin. Okay. Do you also get involved in making 
campaign finance contributions or expenditures?
    Mr. Burt. No, we do not.
    Mr. Raskin. Okay. Mr. Poulos, do you guys engage----
    Mr. Poulos. No, we don't make campaign finance 
contributions.
    Mr. Raskin. You do spend money on the lobbying side?
    Mr. Poulos. Yes, we do.
    Mr. Raskin. At the State and local level?
    Mr. Poulos. Correct.
    Mr. Raskin. Okay.
    And Ms. Mathis.
    Ms. Mathis. Our involvement in lobbyists has been very 
minimal and primarily related to helping educate us on local 
procurement processes within certain jurisdictions.
    Mr. Raskin. Okay. I'm curious about whether each of your 
companies engaged in adversarial testing of your voting 
systems.
    Mr. Poulos. do you----
    Mr. Poulos. We have in the past. It's something that we're 
looking to expand in the future.
    Mr. Raskin. Okay. Mr. Burt.
    Mr. Burt. We do routinely. We've hired third parties to 
perform penetration testing as Ms. Mathis mentioned earlier. We 
also participated through a DHS program with the Idaho National 
Lab to perform penetration testing on our equipment.
    Mr. Raskin. Okay. And Ms. Mathis.
    Ms. Mathis. Yes, and we have been involved in that same 
penetration testing approach by the DHS' recommended Idaho 
National Labs.
    Mr. Raskin. Okay. So do you routinely allow academic 
researchers to test the quality and security and integrity of 
your products without prescreening them? In other words, do you 
generally permit outside investigators to come in check it out?
    Mr. Burt. We have not involved academics who haven't been 
prescreened. With the coordinated vulnerability disclosure 
program that we're working on with our colleagues, the idea is 
to have a firm be able to manage a network of white hat ethical 
hackers to broaden the access to our systems without making 
this information open to the public.
    Mr. Raskin. Okay.
    Mr. Poulos.
    Mr. Poulos. Congressman, we have done that in the past, as 
far back in New York in 2009. We found that the exercise was 
useful, and we are looking forward to doing more of that within 
the confines of a reality-based scenario of testing.
    Mr. Raskin. Okay.
    And Ms. Mathis.
    Ms. Mathis. And we would support the appropriate disclosure 
of that information. It's important that we not undermine voter 
confidence in ensuring that we actually evaluate and assess 
kind of the type of disclosures necessary.
    Mr. Raskin. Okay. And, finally, I remember from my days in 
Annapolis that there was sometimes conflict between the 
disability rights community and the champions of security in 
the process. And I wonder, Mr. Poulos, will you just try to 
illuminate that, if you could?
    Mr. Poulos. Sure. Most recently, with a lot of the public 
commentary around ballot marking devices, there is a concern 
regarding the formality of how the ballots are printed for 
voters as the voter record, and that sometimes is a natural 
conflict between universal accessibility and security 
initiatives.
    Mr. Raskin. I yield back.
    The Chairperson. The gentleman's time has expired.
    The gentleman from will North Carolina, Mr. Walker, is 
recognized for five minutes.
    Mr. Walker. Thank you. Thank you, Madam Chairperson.
    I believe each of you mentioned in your written testimony 
frustration with the voluntary voting system guidelines update 
that is ongoing at the Elections Assistance Commission. This 
frustration has been shared by others in the election industry, 
as well as this issue seems to have a lot to do with antiquated 
HAVA or Help America Vote Act. Where can we as a Committee 
focus to help update the HAVA?
    I'll start with you, Mr. Burt.
    Mr. Burt. Thank you for your question, Congressman.
    I think that the EAC, given the resources and funding they 
have, do a very good job. And sometimes it amazes me how much 
they are able to accomplish given the resources they have. I 
think we should ask them to broaden the scope and purview of 
their oversight, and to do that, of course, they need more 
funding and more support.
    Mr. Walker. Okay.
    Mr. Poulos.
    Mr. Poulos. I would--I would agree with Mr. Burt's 
comments, and I would add to that a particular example as it 
pertains to patching specifically of third party software, such 
as Windows, where a patch is readily available, and it's 
sometimes very cumbersome and timely to get that tested patch 
to end customers.
    Mr. Walker. Thank you.
    Ms. Mathis, anything to add to that?
    Ms. Mathis. I would agree with those comments.
    Mr. Walker. Okay. All right. How has your relationship with 
the DHS evolved? How have State and local authorities responded 
to DHS? I'll put up a couple of these, and who wants to take 
it? Is DHS helping to secure foreign supply chains? And what 
type of services does DHS currently offer you?
    Mr. Poulos, let me start with you. Let's start with what 
type of services does DHS currently offer you?
    Mr. Poulos. It offers several different programs. We've 
taken part of a physical security review. They offer product 
testing. And in terms of the evolution of that relationship, I 
would say it was zero 4 years ago, and it's been very helpful 
for not only us but the customers we serve.
    Mr. Walker. Mr. Burt, is DHS helping you to secure foreign 
supply chains?
    Mr. Burt. They are not, and I think that's a real 
opportunity whether it's through DHS or Department of Defense 
or somewhere else in the Federal Government. As Mr. Poulos 
mentioned, I think the vendors are eager to work in partnership 
with the Federal Government to make sure that we're following 
best practices and we safeguard to the best of our abilities 
our Nation's voting equipment.
    Mr. Walker. Just reiterating this again, in working with 
DHS, as well as your own companies, any evidence that China or 
Russia has hacked any portion or part of this, either has the 
DHS discovered any of that or assumed or even suggested that, 
or anything of those nature?
    Mr. Burt. No. We've never--we've never received any 
evidence or even commentary that suggests that these systems 
have been hacked.
    Mr. Poulos. No. No.
    Mr. Walker. Ms. Mathis.
    Ms. Mathis. No.
    Mr. Walker. I've got a question here, and if you can 
expound a little bit on this. Have each of you hired an 
executive level chief information security officer? Mr. Burt.
    Mr. Burt. We have.
    Mr. Walker. Mr. Poulos.
    Mr. Poulos. We have.
    Mr. Walker. Ms. Mathis.
    Ms. Mathis. We have an extended internal security team, and 
we have a CISSP expert on our staff.
    Mr. Walker. Mr. Poulos, what are the qualifications for 
such a position? What are the requirements of that? What are 
you looking for there?
    Mr. Poulos. Well, we have--we have that bifurcated in terms 
of corporate IT assets and product security, and there are two 
different sets of requirements. I can--I don't--can't list them 
to you off the top of my head, but I can----
    Mr. Walker. Mr. Burt.
    Mr. Burt. Congressman, we were fortunate enough to find the 
gentleman who was the chief information security officer for 
Health and Human Services at the Federal level, and he's been 
with us now for a couple of years. So he has vast experience 
working with various government agencies in that capacity as a 
chief information security officer.
    Mr. Walker. Let me stay with you, Mr. Burt. I want to 
unpack this a little bit more. Why is a position like this 
especially relevant in developing equipment for modern 
elections?
    Mr. Burt. I think as we look forward, it is necessary for 
someone with deep technical expertise to advise the company in 
its actions, to do everything it can to make sure that we are 
making the right decisions to protect the security of our 
equipment and our services.
    Mr. Walker. Mr. Poulos.
    Mr. Poulos. I agree with those comments in terms of a 
deeper understanding of best practices and where the state of 
the art is evolving to. It really benefits the security of the 
products.
    Mr. Walker. Real quickly, for the three of you there, if 
you were to give yourselves a grade, 1 out of 10, 10 being 
excellent, the highest mark, as far as your attentiveness to 
make sure there's no corruption or nothing nefarious, any kind 
of behavior going on, how would you score your company as far 
as the time, the attention, the resources that you're putting 
into this, Mr. Burt?
    Mr. Burt. Congressman, we spend a great deal of time on a 
regular basis. Our effort--I can honestly say our effort is as 
strong as we are capable of. We are always looking to find ways 
to improve our effort and to partner with other agencies to 
improve our ability to mitigate any risks that might be there.
    Mr. Walker. Mr. Poulos.
    Mr. Poulos. The security of our products and our 
infrastructure is a key priority for us. It always has, and it 
is reflected in not only the amount of time and resources we 
spend to do it.
    Mr. Walker. Ms. Mathis.
    Ms. Mathis. Same thing. We absolutely dedicate--it's in our 
DNA. It's pervasive across our people, our process, our 
procedures, our product.
    Mr. Walker. Thank you very much. And if this doesn't work 
out, you may have a career in politics since none of you gave 
me a number answer to the question. So I yield back to my 
chairwoman.
    The Chairperson. The other gentleman from North Carolina, 
Mr. Butterfield, is recognized for five minutes.
    Mr. Butterfield. Thank you, Chairperson Lofgren, for 
convening this very important hearing today. I cannot think of 
a hearing except for the debate on the War Powers Act that we 
could be having right now. This is critically important to our 
democracy, and certainly thank you to the three witnesses for 
your testimony today.
    Mr. Burt, let me start with you, sir, and I want to talk 
specifically about North Carolina. You know I represent a 
district in North Carolina. There's been a lot of controversy 
surrounding your company's recent dealings with elections 
officials in my State. Some have referred to what transpired as 
a bait and switch. I don't know if that's warranted or 
unwarranted. I hope it's unwarranted. Can you please explain to 
me why you waited so long to tell North Carolina election 
officials that you did not have enough voting systems to cover 
the 2020 primaries?
    Mr. Burt. Thank you for your question, Congressman. I have 
read that bait-and-switch comment. The situation in North 
Carolina, we applied for certification for our system in North 
Carolina roughly five years ago. We went through all of our 
testing. The report was written. It went to the State board for 
approval. And at that point in time, the State board 
essentially dissolved. There was not a quorum at the state 
board for over four years.
    That system that we got tested five years ago finally got 
approved this year. Because it was five years old, we 
immediately went in after that and got our latest and most 
secure system updated. And it is that system, the most recently 
certified system, that we've delivered to the citizens of North 
Carolina. So, if a bait and switch means that we decided to 
send the most recent and most secure system to the citizens of 
North Carolina, that is what we did.
    Mr. Butterfield. All right. I'm informed that your company 
admitted installing remote access software on some of its 
election systems that it sold over a six-year period. Were any 
remote wireless-equipped systems sold to elections officials in 
my State?
    Mr. Burt. Congressman, that practice happened between the 
year 2000 and 2006. No system that we have brought through the 
EAC program since the year 2007 has been equipped with any kind 
of remote access software. We have confirmed that there is no 
system out there in the country being used today that has a 
remote access system attached to it.
    Mr. Butterfield. All right. Ms. Mathis, do you support 
Federal legislation to expand the use of post-election audits 
like risk-limiting audits in Federal elections?
    Ms. Mathis. We absolutely do.
    Mr. Butterfield. Mr. Poulos.
    Mr. Poulos. Absolutely.
    Mr. Butterfield. And Mr. Burt.
    Mr. Burt. Yes.
    Mr. Butterfield. Thank you. Do you think that all manual 
audits of paper records can be conducted on all the voting 
systems that you currently sell?
    Ms. Mathis. We have a portion of--a subset of our product 
that actually does not permit risk-limiting audits. There are 
other audits and other testing that fulfilled a fully ability 
to confirm the accurate results.
    Mr. Butterfield. All right. Let me ask you, Mr. Poulos. 
What do you do to ensure that your subcontractors and your 
manufacturers follow industry best practices on cybersecurity? 
In other words, do you conduct background checks and the like 
on your subcontractors?
    Mr. Poulos. On our direct subcontractors, yes, we do. And 
for our manufacturing partners, we make sure that they adhere 
to ISO standards.
    Mr. Butterfield. Mr. Burt.
    Mr. Burt. We do the exact same thing. We perform background 
checks on the contractors that we hire directly, and any of our 
manufacturing partners are all ISO certified.
    Mr. Butterfield. This is not a--not a cursory background 
check? You do an indepth----
    Mr. Burt. A criminal--yeah, a detailed background check, 
and that's part of the ISO certification.
    Mr. Butterfield. And Ms. Mathis, you as well.
    Ms. Mathis. Yes.
    Mr. Butterfield. All right. Are you aware of any 
cyberattacks in which the attacker gained unauthorized access 
to your internal systems, corporate data, or consumer data? Ms. 
Mathis.
    Ms. Mathis. We are not.
    Mr. Butterfield. Do you have any evidence that this has 
happened?
    Ms. Mathis. We do not, no.
    Mr. Butterfield. All right.
    Mr. Poulos.
    Mr. Poulos. No, we do not.
    Mr. Butterfield. And Mr. Burt.
    Mr. Burt. No, we do not.
    Mr. Butterfield. Thank you. Let's see how I'm doing on 
time. All right.
    Back to you, Mr. Burt. We know you're committed to no 
longer sell paperless machines, but you are selling the Express 
Vote with an AutoCast feature that has the voter skip--that has 
the voter to skip the verification of the paper record. Given 
that the primary criticism of paperless machines was that they 
did not have a voter verified paper audit trail, do you think--
do you think it's--it's correct to say that you will no longer 
sell paperless machines, but you are selling a machine that can 
record votes without a paper trail?
    Mr. Burt. Congressman, I don't believe--I'm not aware off 
the top of my head of any customers who are using that 
particular product in an AutoCast fashion. I believe all the 
customers who are using that product present the ballot back to 
the voter for verification in one way or another, either 
through a screen or by taking out the piece of paper.
    Mr. Butterfield. All right. And, finally, for Ms. Mathis, 
currently listed on your website in the products that you sell 
are the paperless DRA machine called the Verity Touch. I guess 
I have that right, Verity Touch. Meanwhile, there is a clear 
consensus among experts that the paper ballots are needed to 
ensure that voters' votes are counted properly. Why do you 
think--why do you continue to sell a machine we all know puts 
the integrity of the voters' ballot at risk?
    Ms. Mathis. We actually believe our DREs are secure, and 
it's not just Hart's belief. We have had those products 
federally certified through the EAC. They've gone through 
extensive accredited test lab testing. Certain States have 
certified those. They comply with all VVSG standards, and they 
comply with all our extensive security protocols that we have 
throughout the Verity--throughout the Verity platform including 
extensive multilayer defense-in-depth security protocols.
    Mr. Butterfield. Thank you. I'm out of time.
    I yield back.
    The Chairperson. The gentleman's time has expired. We'll 
have a second round of questions so that we can further explore 
this.
    The gentlelady from Ohio is recognized for five minutes.
    Ms. Fudge. Thank you very much.
    The Chairperson. The Chairwoman of our Elections 
Subcommittee.
    Ms. Fudge. Thank you very much, Madam Chairperson. Thank 
you all so much for your testimony.
    All right. Just a couple of questions, really, but let me 
just first say I understand that this is a business with you 
all, but I think my colleague, Mr. Butterfield, said it best: 
``It is critical to our democracy, and your equipment is 
purchased with taxpayer dollars.'' So there are some things 
that we do expect, and there is some information that we expect 
you to give us.
    So, as I say that, let me just also say that I'm from 
Cuyahoga County, Ohio. We have ES&S machines, but in the State 
of Ohio, we have 13 different voting systems. And so, when we 
talk about ensuring the security of our systems, what we find 
is that we probably need more trained examiners because we have 
so many different systems. So let me first ask, do you support 
increasing the number of testing labs so that we can test 
voting equipment examiners?
    Mr. Burt. Yes, we do.
    Ms. Fudge. Okay.
    Mr. Poulos. Absolutely.
    Ms. Mathis. Yes.
    Ms. Fudge. Secondly, it's my understanding that the testing 
standards that we currently use date back as far as 2005. We're 
in 2020, but we're using standards. And so what we have done is 
basically said to the Windows people: You determine what the 
upgrades in security should be because you're dancing to their 
tune, not to the EAC.
    Is that how you see it as well?
    Mr. Burt. Congresswoman, I think there is certainly an 
opportunity to update the voting systems standards and actually 
to broaden the program to include more security specific 
testing. That's what we would like to see.
    Ms. Fudge. Everybody.
    Mr. Poulos. I'm sorry, Congresswoman. I don't understand 
the question.
    Ms. Fudge. Well, you're doing upgrades to your systems on a 
regular basis, not based upon what we think is a security issue 
but what Windows is telling you you need to do because that's 
the operating system.
    Mr. Poulos. Both--both is true, actually. So we are 
regularly innovating new features that are--that come from 
local jurisdictions and State officials based on evolving 
threats and evolving state of the art of the technology. In 
addition, we do use Windows and Microsoft products that do have 
their own patches. That's not core to the tabulation product as 
well. We do not have off-the-shelf Windows.
    Ms. Fudge. I'm not suggesting that.
    Mr. Poulos. Okay.
    Ms. Fudge. What I'm suggesting is that when you do--when 
Microsoft calls you and tells you ``you need to do this 
upgrade,'' you do it.
    Mr. Poulos. We implement it. We test it. We submit it for 
certification. We do not implement it, for example, in a county 
in Ohio until it is tested.
    Ms. Fudge. I'm not suggesting that you don't test it.
    Mr. Poulos. Okay.
    Ms. Fudge. My point is that you don't do it based upon what 
we believe is a security issue; you do it upon what Microsoft 
believes is one.
    Mr. Poulos. Right. I--okay.
    Ms. Fudge. You don't have to defend Microsoft. I'm not 
trying to do anything to Microsoft. I'm just making the point 
that we need to be more involved in the process.
    Mr. Poulos. No, that's true. That's true.
    Ms. Fudge. Okay. Will all of you commit today to allowing 
researchers to test your products without prescreening or hand-
picking those researchers to do it?
    Mr. Burt. Congresswoman, we're not interested in hand- 
picking. What we're interested in is making sure that we 
attract hackers who can make our systems better without 
requiring that the information that they discover be put into 
the public domain. So what we'd like to see is for the EAC to 
actually manage a coordinated vulnerability disclosure program 
and have the EAC choose the researchers and assemble the team 
and manage the program. We think that's----
    Ms. Fudge. So that's a yes?
    Mr. Burt. Yes. We would like to see the EAC manage that 
program.
    Ms. Fudge. The only reason I'm cutting you off, I have five 
minutes.
    Mr. Burt. Sure. Understood.
    Ms. Fudge. I ask each of you. What do you do to ensure that 
your subcontractors and manufacturers follow best practices on 
cybersecurity? Mr. Butterfield already asked you about your 
background checks. If you could answer the first part of the 
question.
    Mr. Poulos. Well, in our case, for example, our lead 
manufacturer manufactures products for the Department of 
Defense and has accreditations under ISO, and so we look for 
that as a prerequisite to doing business with that 
manufacturer.
    Ms. Mathis. Very similar, yes. We look at ISO standards. We 
also have deep quality reviews and ensure that we're managing 
our suppliers very, very closely.
    Ms. Fudge. Very good. I work for the Federal Government 
too. I don't trust everybody else that works for the Federal 
Government. So I want to be sure that you're looking at them, 
not just hiring them because they work for the Federal 
Government.
    Mr. Poulos. Fair enough.
    Ms. Fudge. I yield back, Madam Chairperson.
    The Chairperson. The gentlelady yields back.
    The gentleman from California, Mr. Aguilar, is recognized 
for five minutes.
    Mr. Aguilar. Thank you, Madam Chairperson. I wanted to talk 
a little bit about products and defects, and we can go down the 
line. Mr. Burt, if you'll indulge me by starting. Do you have 
built-in systems and practices that look for--specifically look 
for defects along the way? And can you describe the evolution 
of how long it takes to find a defect, create a solution, and 
then implement that solution?
    Mr. Burt. We do have built-in systems ranging from various 
source code reviews to penetration testing to functional 
testing. In the event--if a system has been fielded, been 
approved by the EAC and delivered to a State and has been 
fielded, and there's a--there's a functionality--piece of the 
functionality that we want to change, that process to make the 
change currently--have to go through the Federal testing 
program and redeploy to the State--can be six months to a year 
depending on the scope and depth of the changes being made.
    Mr. Aguilar. Do you inform the customer when that happens--
--
    Mr. Burt. Yes.
    Mr. Aguilar [continuing]. If a defect or something--are 
they under an obligation to pay for a fix?
    Mr. Burt. No. No. In those cases, those are covered under 
licenses, and we make the changes and roll them back out to the 
customer.
    Ms. Aguilar. Mr. Poulos.
    Mr. Poulos. Similar with Dominion. We comprehensively do 
situational testing on all of our products, and that is an 
ongoing thing in the company on all current products. Any issue 
that we find is immediately disclosed. That's actually 
regulated in some States such as your home State within a very 
specific time period, depending on the severity of the issue.
    Mr. Aguilar. And then, per the license, they would--you 
would----
    Mr. Poulos. It would not be an extra charge, no.
    Ms. Mathis. Very similar. We disclose any of those types of 
critical election day type malfunctions to the EAC. So that's 
all--that's all regulated right now.
    Mr. Aguilar. Great. I appreciate it. Shifting gears to--you 
talked about the Idaho National Lab and some of the DHS testing 
work that you've done. With respect specifically to 
cyberattacks, and we all understand the stakes here and what's 
involved, as do you. Can you talk specifically about how you 
work with the Federal Government when cyberattacks potentially 
occur? Do you report those potential intrusions to your 
customers or to the Federal Government? And do you believe you 
have an obligation to provide timely notification to customers 
when a security breach of that product or your company happens? 
Mr. Burt.
    Mr. Burt. We do. We have--we share information with the MS-
ISAC and the EI-ISAC. So we don't, for example, share that a 
specific IP address has been identified as an attempt to 
penetrate a firewall. Of course, that happens thousands of 
times a day from all over the world. So that sort of 
information isn't useful. But through the coordination with DHS 
and the MS-ISAC, they help us to identify and understand sort 
of potential attacks that might be exceptionally dangerous.
    Mr. Aguilar. What would that look like? In the last 60 
days. How many times would you notify a customer or the----
    Mr. Burt. We don't notify customers of the MS-ISAC, but 
many of the customers participate and receive the same 
information, so it's sort of--it's not specific to our 
business. It's commentary about what's going on around the 
country.
    Mr. Aguilar. So there's no way for a customer to know that 
there was a potential breach? I'm not talking about a ping at 
an IP address. I'm talking about a breach and a potential 
intrusion into your system.
    Mr. Poulos. We've had no breaches to report.
    Mr. Aguilar. What's that dialogue like with DHS, with any 
Federal entity through your systems? How often is that----
    Mr. Burt. There is a process if a breach were to occur. DHS 
has issued guidelines in terms of the communication. We 
practice those through national tabletop exercises. We actually 
have the Department of Homeland Security travel to Omaha to 
conduct a tabletop exercise on premise so that we can 
essentially practice in the event that a breach did occur to 
make sure that we would be in position to communicate it 
effectively.
    Mr. Aguilar. Mr. Poulos.
    Mr. Poulos. Very similar, Congressman. We have not had any 
potential breaches. So we actually haven't reported anything to 
a customer. But our policy is absolutely that we would 
immediately communicate any potential breach to a customer.
    Mr. Aguilar. Ms. Mathis.
    Ms. Mathis. Very similar. We have not had any breaches, but 
we've created a very robust incident response plan that has 
been updated to include disclosures and notification all 
directions--DHS, the customer--to ensure that we've got the 
appropriate communications.
    Mr. Aguilar. At what level would you, Ms. Mathis, would you 
flag for DHS? I understand that all of you are saying, you 
know, you haven't been breached.
    Ms. Mathis. Right.
    Mr. Aguilar. But at what level--there's a difference 
between being breached----
    Ms. Mathis. Right.
    Mr. Aguilar [continuing]. And being pinged by an IP 
address----
    Ms. Mathis. Right.
    Mr. Aguilar [continuing]. In a foreign country.
    Ms. Mathis. Right.
    Mr. Aguilar. Give me--talk with me about that spectrum of 
intrusion on the cyber side.
    Ms. Mathis. Right. Well, we actually are erring on the side 
of, if anything, too much disclosure, if there is such a thing. 
We actually had an example where a customer contacted us with a 
potential breach, and we actually contacted the DHS and let 
them know of this whole situation. So it was not a breach. And, 
actually, it turned out that that particular county was 
exercising a test, and so it actually--the whole process 
worked. We did not know that, and so it was--we were happy to 
communicate that to DHS.
    Mr. Aguilar. Thank you, Ms. Mathis.
    Thank you, Madam Chairperson.
    The Chairperson. The gentleman's time has expired.
    As I mentioned earlier, we will have a second round of 
questions, and I will begin.
    In answer to a question from Mr. Butterfield, Mr. Burt 
testified under oath that they do not currently have voting 
systems in the United States with remote access software 
installed, if I heard you correctly.
    Mr. Burt. That is our belief, that none of the systems in 
use today----
    The Chairperson. Would that be true for the other two 
vendors?
    Mr. Poulos. Yes.
    Ms. Mathis. We have never had remote access.
    The Chairperson. Okay. Let me ask you this. Do you sell 
voting machines that have network capabilities installed?
    Mr. Burt. Can you be more specific, Madam Chairperson?
    The Chairperson. Yes. You don't have the software 
installed, but you have the capability of installing it.
    Mr. Burt. For remote access software?
    The Chairperson. Yes.
    Mr. Burt. We do not--we no longer install any remote access 
software. That process was discontinued in 2006 and is not 
allowed by any of the EAC testing.
    The Chairperson. Mr. Poulos.
    Mr. Poulos. Madam Chairperson, we've never had any kind of 
remote access in our Dominion products.
    The Chairperson. Capabilities.
    Mr. Poulos. Capabilities.
    The Chairperson. Okay.
    Mr. Poulos. I will say that I do want to draw a caveat. 
Some of our tabulators have the--are designed around the 
ability to have an external plug in modem to transmit 
unofficial results after polls close.
    The Chairperson. Okay.
    Ms. Mathis.
    Ms. Mathis. We do not have remote access capabilities, as 
you mentioned. So, similar to Mr. Poulos, we have, as required 
by certain States, a remote transmission capability as an add-
on.
    The Chairperson. So that's something that we may want to 
look at further.
    I want to talk about remote ballot marking devices. Some 
experts in election security have raised concerns to me about 
the risk of these devices that store information about the 
choice a voter has made in a nontransparent format, for 
example, a bar code or a QR code, so that when the voter 
doesn't actually--he may be checking something, but it's not 
what actually is going to be tabulated. Do you provide that 
equipment that does it in that way, any of you?
    Mr. Poulos. Yes.
    Mr. Burt. We do, yes.
    Ms. Mathis. We do not, actually. Our--our technology for 
our Verity Duo product actually captures--does not put any 
voter choice in a bar code. We have optical character 
recognition----
    The Chairperson. Okay.
    Ms. Mathis [continuing]. Technology.
    The Chairperson. I have a question. For over a decade, my 
smartphone has had the capability to prevent unauthorized, 
unsigned code from running on the device or interfering with 
its operating systems. Do all of your election systems 
currently in use prevent unauthorized code or altering--altered 
operating systems from running on them in this way?
    Mr. Burt. They do, Madam Chairperson. I'll give you one 
example. The memory stick that we purchased from a U.S. 
manufacturer, our election management system won't even operate 
unless they know that it's a particular serialized number 
memory stick. So, if you bought a memory stick from an Office 
Depot, it wouldn't recognize, it and the system would shut 
down.
    The Chairperson. How about you, Mr. Poulos?
    Mr. Poulos. Similar. All of our Dominion products that are 
certified are the same. The exception that I will point out to 
the Committee is we do support some legacy systems that are 
still in use that were designed in the remaining cases over 20 
years ago that do not have this capability.
    Ms. Mathis. Our Verity product line actually incorporates a 
feature called white listing which actually only allows the 
programs that we permit with our Verity design, so it actually 
blocks everything except for those. So it's the opposite of 
blacklisting. So it has actually even more secure.
    The Chairperson. I'd like to follow up with you, Mr. Burt, 
because from the previous testimony, your company is the only 
one that provides election infrastructure that is not just the 
voting machines itself. You have indicated your interest or 
suggestion that the EAC have greater jurisdiction over voter 
registration, election management systems, electronic poll 
books, and the like. I'd like to know that even without that 
jurisdiction, what are you doing right now to ensure that these 
products are safe, secure, up to date, and utilize current 
technology best practices?
    Mr. Burt. Thank you, Madam Chairperson. With respect to the 
poll books, all of the data is encrypted on the poll books. 
With respect to the voter registration systems which I think is 
more commonly a question for folks, we've recently worked with 
the Center for Internet Security to install Albert sensors 
which is a national monitoring system, and we've wrapped this 
around our voter registration systems that we--that we house.
    So, for example, Ranking Member Davis, the example that you 
brought up related to Illinois going back to the 2016 election, 
that's the kind of activity that an Albert sensor is meant to 
detect and prevent with respect to a voter registration system.
    The Chairperson. Thank you very much. I see that my time 
has expired. So I will turn to the Ranking Member for his 
additional five minutes.
    Mr. Davis of Illinois. Thank you, Madam Chairperson.
    And thanks again to the witnesses. I think all of our 
colleagues on both sides of the aisle have the same interest. 
We want to protect our elections. We want to make sure that all 
machines that are used to tabulate our free and fair elections 
are up to the task. So thank you, each of you, for being here 
today. I know some of the questions can be uncomfortable. I 
know there's been a lot of talk about supply chain issues. Yes 
or no questions. We'll start with you this time and go that 
way, Ms. Mathis. Is it currently possible to build an election 
machine entirely out of U.S. manufactured parts?
    Ms. Mathis. I don't believe that it is possible today.
    Mr. Davis of Illinois. Okay.
    Mr. Poulos.
    Mr. Poulos. Not to my knowledge.
    Mr. Davis of Illinois. Mr. Burt.
    Mr. Burt. I do not believe it's possible.
    Mr. Davis of Illinois. Do you see why that concerns all of 
us up here?
    Ms. Mathis. Absolutely.
    Mr. Burt. Absolutely.
    Mr. Davis of Illinois. Are the parts in your supply chain, 
Ms. Mathis, that come from abroad also used in other 
industries?
    Ms. Mathis. Yes, they are.
    Mr. Davis of Illinois. Okay.
    Mr. Poulos.
    Mr. Poulos. Yes, they are.
    Mr. Davis of Illinois. Mr. Burt.
    Mr. Burt. They are. They're used in a variety. Probably 
some of them are present in the room today in the various 
equipment that you see around the room.
    Mr. Davis of Illinois. Like?
    Mr. Burt. We see cameras. We see a variety of electronics. 
We see switches. There's almost nothing that we interact with 
from an electronics point of view. Of course, your phone. Thank 
you. That have parts that are made overseas and distributed to 
a variety of manufacturers.
    Mr. Davis of Illinois. So it's the critical components of 
your election machines that we're all concerned about. And 
you've testified earlier because we have a global supply chain, 
you're not able to--you're not able to comprehend a machine 
that can be built right now with completely U.S. parts. So tell 
me, tell us, make us feel comfortable here in this country that 
your machines with the critical components are U.S. 
manufactured or they're going to be able to not be compromised.
    Ms. Mathis.
    Ms. Mathis. I believe that that is an ongoing challenge 
that we all have, and we're open to getting feedback from--as 
we mentioned earlier, from DHS to help us understand what our 
capabilities and opportunities might be to source alternatives.
    Mr. Davis of Illinois. Mr. Poulos.
    Mr. Poulos. That's been an ongoing discussion at the EAC in 
terms of the next generation of standards on how they address 
in the guidelines that we would follow to those practices.
    Mr. Davis of Illinois. Mr. Burt.
    Mr. Burt. Again, I think this is an opportunity for the 
voting system vendors to partner better with the Federal 
Government. Surely, there is deep talent and expertise in the 
Federal Government that could be brought to bear on the supply 
chain management and the voting system industry. We would 
welcome that dialogue and assistance.
    Mr. Davis of Illinois. We look forward to working with you 
in that field.
    Earlier, it was mentioned about the campaign contributions 
and lobbying activities. Mr. Burt, you mentioned that ES&S does 
not make campaign contributions at the Federal level, right?
    Mr. Burt. We actually have a policy that every one of our 
employees, vice president and above, as well as anyone engaged 
in sales and marketing activities are strictly prohibited from 
making district campaign contributions.
    Mr. Davis of Illinois. Okay.
    Mr. Poulos, do you--are you able to make campaign 
contributions in your company?
    Mr. Poulos. We had a policy that all employees were not 
able to make any campaign contributions.
    Mr. Davis of Illinois. All right.
    Ms. Mathis.
    Ms. Mathis. Similar.
    Mr. Davis of Illinois. Similar. Are you guys all 
corporations?
    Mr. Burt. Yes.
    Mr. Poulos. Yes.
    Mr. Davis of Illinois. Registered corporations in the 
United States?
    Okay. Well, it's nice to see that we have a lot of 
agreement here amongst Republicans and Democrats in regard to 
election security. I find it interesting during the first round 
of questions Chairperson Lofgren talked about some of the areas 
where you all agree that the Federal Government needs to work 
with you. She mentioned a robust bill sitting in the Senate. 
Well, here is the problem with the top-down approach from 
Washington when it comes to our own election infrastructure 
process. That robust bill sitting in the Senate may force you 
as corporations to actually give campaign contributions to 
Members of Congress because, in that robust bill, there's a 
provision that would take corporate funds from corporate 
malfeasance which, I would argue, you would be eligible for 
with election infrastructure if something went wrong, and it 
would go into a Freedom from Influence Fund that was concocted 
by the Majority, and that would force the first ever corporate 
dollars into congressional campaigns. So my point of bringing 
this up is you don't allow campaign contributions now by any of 
your employees because you don't want that to affect anyone 
who's in charge of running free and fair elections in this 
country, right?
    Mr. Burt. Correct.
    Ms. Mathis. Correct.
    Mr. Poulos. Correct.
    Mr. Davis of Illinois. Why in the world would this 
institution at the Federal level in turn possibly require you 
and require any corporation to give the first ever corporate 
dollars to individual Members of Congress' campaigns? That's 
why, when we talk about robust bills, we all have the same 
goals, but let's not kid ourselves in thinking that there are 
provisions in bills that are going to always benefit free and 
fair elections rather than benefiting individual members of 
Congress.
    I yield back.
    The Chairperson. The gentleman yields back.
    I just--before yielding to Mr. Raskin, obviously, 
everyone's entitled to their own opinion, but the matter 
referenced is a fine collected by the Federal Government, which 
would then be put into a fund, not a contribution from 
corporations.
    I yield to the gentleman from Maryland for five minutes.
    Mr. Raskin. Madam Chairperson, thank you very much. Let me 
pursue the line of questioning by my friend from Illinois, and 
I asked those questions originally about lobbying and campaign 
contributions and so on. I just saw this report from ProPublica 
which says, in August 2018, Louisiana announced it would 
replace its old voting machines and awarded a $95 million 
contract to a rival of ES&S which was the lowest bidder. ES&S 
filed a complaint that accused the State of writing its request 
for proposals so that only the other companies' machines would 
satisfy the terms. Shortly after, Governor John Bell Edwards 
cancelled the deal, effectively siding with ES&S and forcing 
the State to start the process over again. Quote: ``The 
Governor's administration just sided with the company that was 
$40 million more expensive,'' Louisiana Secretary of State Kyle 
Ardoin said in a statement after the cancellation. In a 
statement, the Governor's office said the cancellation was 
justified. The office laid the blame at the feet of the 
Secretary of State's office, which it said had added additional 
requirements to the bid just days before responses were due. 
Louisiana campaign finance records showed that an ES&S lobbyist 
in Baton Rouge had donated $13,250 to Edwards' campaigns since 
2014.
    I noted, Mr. Burt, you said that you have a ban on campaign 
contributions by the top-level officials in your company. Is 
that right?
    Mr. Burt. Correct.
    Mr. Raskin. But it doesn't go all the way down, and it 
doesn't apply to lobbyists that you would employ in the various 
States. Is that right?
    Mr. Burt. It does not apply to lobbyists, yes.
    Mr. Raskin. So what's your specific practice, Mr. Poulos? 
None of your employees can make----
    Mr. Poulos. Correct.
    Mr. Raskin [continuing]. Contributions at any level? And 
Ms. Mathis, how about you?
    Ms. Mathis. Correct.
    Mr. Raskin. I wonder if one of you would be interested in 
opining about why you have that practice and whether you think 
that should be in Federal law for all of the reasons that were, 
you know, suggested by my colleague about the importance of 
keeping election administration completely separate. I mean, 
you know, we've got two dangers here. One is paranoia where, 
you know, we have politicians running around saying it's all 
fraud, right. The other is complacency where we don't pay 
sufficient attention. But can you explain what the basis of 
that policy is that you have, Mr. Poulos, for example?
    Mr. Poulos. Sure. The basis is very clear. We want as a 
company and our stakeholders to be completely independent of 
the election officials that are making selections in terms of 
what's best for their State and localities. Congressman, in 
your example of Louisiana, Louisiana happens to be a State that 
currently has legacy voting systems of the type that is being 
discussed at this Committee level, and they were seeking to 
update with more modern certified systems, and, unfortunately, 
that's been delayed.
    Mr. Raskin. I assume you mean by virtue of the change in 
the vendor.
    Mr. Poulos. There was no change. There was just--because of 
that process, it was all delayed, and as a result, they're 
using the legacy voting systems in the 2020 election.
    Mr. Raskin. Gotcha.
    Ms. Mathis.
    Ms. Mathis. I'm sorry. What is the question?
    Mr. Raskin. Well, I guess the question is what's the basis 
of your policy of not--of preventing all employees, and I don't 
know if it extends to consultants.
    Ms. Mathis. It's just important for to us ensure that we 
are objective and independent in all elections. We don't run 
elections. Local election officials run elections, so we're not 
engaged in the running of the election, but it's just important 
for us to ensure that we're staying objective and independent.
    Mr. Raskin. I remember that there was a big controversy 
about the company Diebold, and I think one of your companies 
took over Diebold. Was that ES&S?
    Mr. Burt. A little complicated, Congressman.
    Mr. Raskin. Oh, okay.
    Mr. Burt. We made a purchase, and then my colleague, Mr. 
Poulos here, ended up buying the intellectual property of that.
    Mr. Raskin. Okay. So both of you got a piece of it. But I 
remember that they were actually politically involved, and I 
think it was the President who had sent out a campaign 
solicitation saying that they would do anything to see that one 
candidate got elected President at a time when their machinery 
was being used in different States. And that obviously creates 
a serious problem from the standpoint of public confidence in 
the integrity of the election.
    So all of this makes me think that it might be a good idea 
for us to formalize and to make comprehensive the practice that 
you seem to be moving towards which is that your job is to sell 
the technology, to make it as secure as possible, and not to be 
involved in the political process.
    I'm just wondering, finally, about why it seems that 
technology goes so wrong sometimes. In Georgia, ES&S owned 
technology was used where more than 150,000 voters inexplicably 
did not cast a vote for Lieutenant Governor, and then there 
were not paper backups. Why does that happen? Because that is 
one of the problems we have, that there are huge problems like 
this that take place on the one day or two days a year that the 
machinery has got work, and then it really undermines public 
confidence in the whole system.
    Mr. Burt. Congressman, the equipment that you speak about 
is actually not ES&S equipment. The company Diebold that went 
out of business that you spoke of a second ago----
    Mr. Raskin. Oh, I see. Okay.
    Mr. Poulos [continuing]. Is actually the manufacturer of 
that equipment.
    Mr. Raskin. All right. But in general, I think there were 
some other cases where that's happened as well. I mean, can you 
explain? Why does that happen? It only has to work once a year, 
once every two years, and then it breaks down. So I wonder if 
maybe one person could answer?
    I yield back.
    Mr. Poulos. Thank you for the question, Congressman. So the 
equipment that you are referencing was a legacy voting system 
originally sold to the State of Georgia by Diebold who is no 
longer in the elections business. But it is the type of voting 
machine that does not feature any kind of voter verified paper 
audit trail. So, in the event of something happening in an 
election, and that's not the only instance, by the way, where 
something plausible--or sorry--something possible but not 
plausible happens, it's difficult to have an audit for that if 
there's not any kind of paper record.
    The Chairperson. The gentleman's time has expired.
    I turn now to the gentleman from North Carolina, Mr. Walker 
for five minutes.
    Mr. Walker. Thank you, Madam Chairperson. Just a quick 
purpose of my colleague, Mr. Davis, talking about H.R. 1. A 
quick question along those lines. I'm assuming if you were 
fined by the Federal Government, those would be corporate 
dollars, and you would pay those fines. It makes me think of 
the great philosopher Yogi Berra who said, ``They give you 
cash, which is just as good as money.'' We will leave that for 
a different day.
    My question is: We're Federal elected officials. You guys 
are the experts in this industry, and I applaud you for the in-
depth testimonies that you've given today. Obviously, this is 
not just talking points; you know the stuff here. As I look 
into the future, and I want all three of you to kind of touch 
base on this. Where do you see the technology of election 
systems headed 5, 10, 15, 20 years down the road because, 
obviously, as the ranking member on another committee when it 
comes to intelligence and specifically even terroristic 
cybersecurity acts. So, as technology advances, where do you 
guys see the adaptations that need to be made over that 
distance of time? I'm going to start with Ms. Mathis and work 
right to left today.
    Ms. Mathis. Sure. I mean, unlike other industries in the--
other technology industries, the direction seems to be more 
back to paper. That wasn't the case a few years ago, and now 
the election industry actually has moved that way to more paper 
which is interesting from a technology perspective. I feel like 
that that will continue to evolve as preferences of local 
election officials evolve and as security continues to evolve. 
So I think that the answer is it will evolve.
    Mr. Walker. Right.
    Mr. Poulos.
    Mr. Poulos. I look at it them three ways: in technology, 
people, and process. On the first, on technology, I see evolved 
standards on security and how the technology comes to be in 
terms of manufacturing and supply chain. In terms of people and 
process, I think that I would like to see, I should say, 
further programs and continued work at the Federal and State 
level in terms of better eliminating barriers that 
jurisdictions have in modernizing their election infrastructure 
and things like poll worker training.
    Mr. Walker. Okay.
    Mr. Burt.
    Mr. Burt. I agree with Mr. Poulos' comments on security, 
and it highlights the fact that the burden on election 
administrators across the country from a technical capability 
perspective grows even greater. So I think the challenge for 
election administrators to be able to staff their respective 
offices with people who are competent in these fields will be 
an ever greater challenge going forward.
    Mr. Walker. Thank you very much. I yield the balance of my 
time to the Ranking Member.
    Mr. Davis of Illinois. Thank you. And I want to get back to 
the supply chain issue real quick because it concerns me. Have 
any of you had conversations with your U.S. suppliers of 
electronic products that go into your machines just like our 
TVs, our phones, and what have you? Have you talked to those 
suppliers you work with that may outsource some of their 
manufacturing to foreign countries? Have you talked to them 
about trying to develop a U.S.-made chip or electronic LCD 
product even though they may be a U.S. company?
    Mr. Burt. We have, Ranking Member, but the challenge is--
and I believe this is true for all of us. We are not a large 
customer to any of these major manufacturers, so take Texas 
Instruments, for example, which makes one of our programmable 
logic devices. We are a very, very small part of their 
business. So for them to retool their international operations 
for our benefit is just not realistic.
    Mr. Davis of Illinois. Mr. Poulos.
    Mr. Poulos. That's a hundred percent correct, and the 
infrastructure needed is--the change of infrastructure to be 
able to create all of the fabs and necessary manufacturing for 
100 percent components being manufactured in the United States 
is not a small effort.
    Mr. Davis of Illinois. Ms. Mathis.
    Ms. Mathis. It will take a whole sea change in the way that 
the global supply change works in the technology industry, I 
think, for that--for us to be able to take advantage of that.
    Mr. Davis of Illinois. Okay. Now, I asked if you were all 
corporations. Will you tell me, yes or no. Are you--any of you 
run by private holding companies, private equity companies?
    Mr. Burt. We are run by our executive management team, but 
we have 80 percent ownership by a local private investment 
group.
    Mr. Davis of Illinois. How about you?
    Mr. Poulos. Similar. We are run by a management team, and 
we are owned, I believe, 76 percent by a U.S. private equity 
firm.
    Mr. Davis of Illinois. All right.
    Ms. Mathis.
    Ms. Mathis. Similar structure.
    Mr. Davis of Illinois. Okay. Do you see why that's 
concerning to us on both sides of the aisle on election 
security? That's something that I think--obviously are going to 
be questions raised by both Republicans and Democrats in the 
future. Look, I appreciate you all being here. I appreciate you 
taking the time. We have the exact same interests on all sides 
here in Washington. We want to protect our elections. We want 
to make sure your machines are unhackable, and let's continue 
to work together to make that happen.
    I yield back.
    The Chairperson. The gentleman yields back. The gentlelady 
from California, Mrs. Davis, is recognized for five  minutes.
    Mrs. Davis of California. Thank you, Madam Chairperson, and 
thank you to all of you for being here. I'm sorry I had to walk 
out during the panel for another hearing, but I think many of 
the questions have been asked.
    I wanted to focus for a moment just on voter education and 
the responsibility, if anyyou all have, you know, through the 
companies. And also if you want to comment, Ms. Mathis. You 
know, what is that responsibility? Do you work with election 
officials? We were talking about some ballots that were 
misread, you know. How do we deal with that? You mentioned 
Diebold. That was related--that was related--that was what they 
did at that particular time, but we also know that sometimes 
ballots are just not constructed in a way that people actually 
see where they should go, you know, as they share their 
stories. So how--you know, what are we doing really to make 
sure that people are registered correctly, that they can check 
their votes, make sure that they, you know, voted the way that 
they want to? Often people are pressured by long lines. How can 
you help? What are you doing to really address these issues? 
And I know the second panel is also speaking to voter 
education.
    Ms. Mathis. We believe very strongly with a partnership 
with our local election officials, and so that extends to voter 
outreach, voter training, poll worker training. We work with 
our local election officials to ensure that they have best 
practices, that we provide them materials, you know, handouts. 
We also--we have webinars where we'll train the local election 
officials to provide additional media.
    Mrs. Davis of California. Can you think of an instance when 
you've actually picked up a problem, and they've corrected it?
    Ms. Mathis. If they what?
    Mrs. Davis of California. That you picked up a problem, 
pointed out something to them that could be an issue and that 
they changed it.
    Ms. Mathis. Yes. We have the benefit of best practices. We 
have, you know, customers all over the Nation. We'll provide to 
them: You know, hey, here is what we've seen in other 
jurisdictions that's worked really well. So this is an ongoing 
partnership, and you know, our customers, our local election 
officials rate us very highly. It's just an ongoing, you know, 
lifelong partnership with them. We absolutely are part of that 
solution.
    Mr. Poulos. Congressman, what we hear from our customers 
and what they value is the shared perspective of best practices 
from our experience around the country with experience that 
they at that local jurisdiction may not have seen, particularly 
as it pertains to the deployment of new equipment. Voter 
outreach and poll worker training is exceedingly important.
    We've been asked questions about can we build an un-
hackable voting system? And, really, you can have a very 
secure, reliable, accurate system that's transparent, but 
again, you have to understand the people and processes layered 
on top of that and pose additional risks. This is something 
that voting officials have known for decades. That's why we 
have poll watchers. It's why warehouses are bipartisan, and 
boards of election are bipartisan. The poll worker training and 
the train the trainer is something that is exceedingly 
important in the ongoing vigilance of the migrating threats 
that we see.
    Mr. Burt. Congresswoman, you mentioned the importance of 
voter education. We agree. For some, unfortunately, interacting 
with a piece of technology such as a touch screen or even a 
voting machine can be somewhat intimidating, and we don't ever 
want that to be a reason that someone would choose to not go 
and vote. So starting with making sure that our customers 
understand at a very deep level how these machines operate and 
then assisting them, going out in the public. For example, with 
the city of Philadelphia, we made our machines available in 
many public squares and invited citizens prior, months in 
advance of the first election where this equipment would be 
used so that people could kind of remove the intimidation 
factor from interacting with a new piece of equipment and make 
sure that they are comfortable so that they would be encouraged 
to be able to come out and exercise their right to vote.
    Mrs. Davis of California. Thank you. I certainly hope we 
don't hear about some of those horror stories that have 
occurred from time to time, and it's not all your 
responsibility, of course, but where you can help I think is 
helpful.
    In the interest of transparency, could you share just this 
quickly how much of your annual profits, and if you could tell 
us, you know, what are your annual profits? How much of that 
money comes from sales of new voting machines, and how much of 
it comes from service contracts for existing machines?
    Mr. Burt. Congresswoman, that varies very substantially 
from year to year. There are years or there have been years, 
even recent years where we've sold very minimal amounts of 
hardware. And, of course, last year in the recent run up in 
preparation for 2020, I believe all three of our companies sold 
a disproportionate amount of hardware because of the actions 
that jurisdictions were taking. But there is no--unfortunately, 
I wish there were. There is no even or normal in terms of the 
mix between hardware and services in this industry.
    Mrs. Davis of California. Annual profits? I think my time 
is up.
    Mr. Burt. Congresswoman, we're a private company, so we'll 
keep that information private.
    Mrs. Davis of California. Madam Chairperson, if you want 
to--does that really represent kind of where you're at as well 
in terms of----
    Mr. Poulos. Correct.
    Mrs. Davis of California. All right. Thank you. Thank you, 
Madam Chairperson.
    The Chairperson. The gentleman from North Carolina is 
recognized for five minutes.
    Mr. Butterfield. Thank you, Madam Chairperson.
    Madam Chairperson, the first round went very quickly, and I 
was unable to ask my final question, and so let me pose it at 
this time. To all three of you, do your tabulators have 
wireless modems capacity?
    Mr. Burt.
    Mr. Burt. We do field some tabulators with wireless modem 
capability, yes.
    Mr. Butterfield. Do you have any concerns about whether or 
not that poses any security threats?
    Mr. Burt. I think that there's always a concern. That's 
something that we've discussed with our--with our technology 
partners and our government partners. We recently assisted with 
the State of Rhode Island to test a new service where Verizon 
has a private network that does not travel on the normal 
internet highway. It's blocked by firewalls on either side. 
They involved their--their National Guard in these tests and 
determine that these systems were, in fact, very low risk and 
that they wanted to continue using them.
    Mr. Butterfield. Does Dominion use wireless modems?
    Mr. Poulos. Yes, Congressman. So, in relation to the 
precinct level machines, we use them insofar as a State has a 
regulation and requirements to report unofficial results 
remotely. And the way we do it, so to answer your question on--
in terms of a concern, there are additional risks that are 
posed when you have remote transmission of results. We work to 
mitigate them with State and local officials. All of our modems 
have--work on a private network.
    Mr. Butterfield. Ms. Mathis, do you have modems as well?
    Ms. Mathis. Yes. We do similar.
    Mr. Butterfield. I'm going to run out of time this time 
around. Finally, the Ranking Member raised a few minutes ago 
our concerns, our bipartisan concerns about private equity. 
Would you be willing to submit to--each one of you to submit in 
writing after this hearing a list of all individuals and 
entities with at least a 50 percent or more--5 percent or more 
ownership? They said 80 and 76. So I thought I would raise it 
to 50. Let's say 5 percent or more ownership or controlled 
interest in your company including private equity.
    Mr. Poulos. Congressman, we regularly make that exact 
disclosure to our customers.
    Mr. Butterfield. But it is 80 percent.
    Mr. Poulos. Oh. It's 5 percent, anything over 5 percent. We 
actually answer all questions to our customers.
    Mr. Butterfield. Didn't you say earlier that 80 percent of 
your ownership is with----
    Mr. Poulos. Ours is--I think it's 76, yeah.
    Mr. Butterfield. Someone said 80 percent? All right. You 
are not in a position to provide a list of those investors?
    Mr. Poulos. Oh, no. We are.
    Mr. Butterfield. All right. All right. it's part of the 
public record currently.
    Mr. Poulos. I don't know if jurisdictions publish it, but 
we're certainly not adverse to it.
    Mr. Butterfield. If you give it to the customers, then you 
can certainly give it to this Committee.
    Mr. Poulos. Of course.
    Mr. Butterfield. Would you do that?
    Mr. Poulos. Of course.
    Mr. Burt. Congressman, just to clarify, I believe your 
question was to disclose anyone who owned 5 percent or more of 
the business. And my answer is, yes, we will supply that, and 
we have actually supplied that information to your State of 
North Carolina.
    Mr. Butterfield. All right.
    And Ms. Mathis.
    Ms. Mathis. Yes. Same feedback. So, as far as greater than 
5 percent, we have provided that.
    Mr. Butterfield. All right. Thank you. I yield back.
    The Chairperson. The gentleman from North Carolina yields 
back.
    The gentlelady from Ohio is recognized for five minutes.
    Ms. Fudge. Thank you. Again, thank you for being here. I 
really don't have a question for them. I just have a comment, 
Madam Chairperson. I'm glad that we agree on the fact that 
persons who work in your particular companies and in your field 
should not be making contributions to Members of Congress, but 
I'm always amused by how we change positions from day to day. 
One day my colleagues say: Corporations are people, my friend, 
you know, and they should be able to make contributions.
    So I don't know why you shouldn't be able to.
    Then they'll say: It's a First Amendment right for people 
to make contributions.
    They oppose campaign finance reform, and then they contort 
the language of H.R. 1. I'm just always confused about where 
they stand, so I appreciate your position. I think that it is 
the correct position, but I don't want you to get crosswise 
because corporations are people, my friend.
    I yield back.
    The Chairperson. The gentlelady yields back.
    The gentleman from California is recognized for five 
minutes.
    Mr. Aguilar. Thank you, Madam Chairperson.
    Just one last question to follow up on Mrs. Davis, who 
asked a little bit about your company's annual profits. And I 
think it's fair to say that the revenue derived by the 
companies comes from--would it be fair--let me start there. 
Would it be fair to say that the revenue that your companies 
derive comes from those two main sources which is selling 
machines and then providing services, contracts for services 
related to those machines and their use. Is that fair?
    Mr. Poulos. That's fair.
    Mr. Burt. Yes.
    Mr. Aguilar. So, if the three of you control 80 percent of 
the market, my concern is what portion of your revenue do you 
invest in research and development to produce better, more 
secure, more cost-effective machines? Because what I don't want 
to get to is a position where you three control--we have the 
same hearing in 2 years, 4 years, and you control 95 percent, 
and you collectively decide, well we're just going to you know, 
sell a few machines, provide those contracts to those, and 
we're going to kind of work with each other to make sure that 
we don't innovate, you know, continue to grow.
    I'm not saying that you folks do. I'm saying that, you 
know, it wouldn't shock you to say--it wouldn't shock you to 
hear that folks have come to Congress in the past when their 
proportionate share of a business gets a little too large, and 
members have concerns about where that could go.
    Mr. Burt, can you talk a little bit about research and 
development?
    Mr. Burt. Sure. I think you raise a very important concern. 
There are new entrants into our marketplace, however, and some 
have been quite successful as of late. We've been presented 
this question before in terms of a percentage of revenue that 
we reinvest for research and development. Historically, we're 
somewhere around 19 percent of revenue that gets reinvested as 
research and development.
    Mr. Aguilar. Mr. Poulos.
    Mr. Poulos. Congressman, innovation is critical for us. We 
are only as good as our--the products that we come out with and 
certify. Depending on the year because of our revenue 
fluctuation, it's anywhere from 20 percent as high as 35 
percent.
    Mr. Aguilar. Ms. Mathis.
    Ms. Mathis. Yeah. Very similar on our side. Innovation is 
critical to us, and as far as, you know, the--we are trusted 
election partners to our local election official customers. So 
it's imperative to us that we're continuing to innovate and 
make sure that we're keeping up with or staying ahead of the 
technology.
    Mr. Aguilar. I didn't hear the percentage or the range.
    Ms. Mathis. We--ours also varies just depending on kind of 
the year, but----
    Mr. Aguilar. I heard 19 percent. I heard 20 to 35 percent.
    Ms. Mathis. Yes. We're closer to the 25 percent.
    Mr. Aguilar. Okay. Thank you. I appreciate it.
    Thank you, Madam Chairperson.
    The Chairperson. The gentleman yields back, and that is all 
of our questions for moment. However, as I mentioned in my 
opening statement, we may follow up with written questions 
after this hearing. If we do that, we do ask that you respond 
promptly. We thank you very much for your testimony today, and 
you are excused.
    I'd like to call up the next panel, and maybe we can--it's 
a big panel. We need to put a few more chairs up.
    I would like to invite the next panel to take their seats, 
and I will begin introducing this panel. First, if we can ask 
the panelists to sit. It's a little crowded, but we've got some 
great witnesses. First, I would like to introduce Liz Howard. 
She serves as Counsel for the Brennan Center's Democracy 
Program. Her work focuses on cyber security in elections. Prior 
to joining the Brennan Center, Ms. Howard served as Deputy 
Commissioner for the Virginia Department of Elections. During 
her tenure, she coordinated many election administration 
modernization products, including the decertification of all 
paperless voting systems.
    Dr. Matt Blaze is a researcher in the area of secure 
systems, cryptography, and trust management. He is currently 
the McDevitt Chair of Computer Science and Law at Georgetown 
University Law Center. He is a co-founder of the DEFCON Voting 
Village.
    Dr. Juan E Gilbert. Dr. Gilbert is the Banks Preeminence 
Chair in Human-Centered Computing and Chair of the computer and 
information science and engineering department at the 
University of Florida, where he leads the Human Experience 
Research Lab. He was part of the committee of experts and 
academics who wrote ``Securing the Vote: Protecting American 
Democracy'' for the National Academy of Sciences, Engineering, 
and Medicine. Dr. Gilbert also created an open-source voting 
system that is used in Federal, State, and local elections.
    The Reverend Dr. T. Anthony Spearman is a member of the 
Guilford County Board of Elections in North Carolina. He was 
elected President of the North Carolina NAACP in October 2017. 
In 2016, Dr. Spearman played an important role in the voter 
suppression litigation that challenged suppressive voter ID 
requirements and other legislation that would suppress votes in 
communities of color and other represented communities.
    Commissioner Donald Palmer was confirmed to the EAC in 
2019. He is a former Bipartisan Policy Center fellow where he 
provided testimony to State legislatures on election 
administration and voting reforms concerning election 
modernization. Commissioner Palmer was appointed secretary of 
the Virginia Board of Elections by former Virginia Governor Bob 
McDonald in 2011, and he served as the Commonwealth's chief 
election officer until 2014. He formerly served as the Florida 
Department of State's director of elections, and prior to his 
work in election administration, he served as a trial attorney 
with the Voting Rights Section of the Department of Justice's 
Civil Rights Division. He was a U.S. Navy intelligence officer 
and Judge Advocate General and was awarded the Navy Meritorious 
Service Medal and the Navy Commendation Medal and the Joint 
Service Commendation Medal.
    Finally, I'm going to turn to our Ranking Member, Mr. 
Davis, to introduce Mr. Gianasi.
    Mr. Davis of Illinois. Thank you, Madam Chairperson.
    And, Mr. Palmer, thank you for your service in the JAG 
Corps. I'd be remiss if I didn't mention Cole Felder, who is 
sitting behind me, our General Counsel on this Committee, will 
be leaving to join the JAG Corps just next week, so this will 
be his last hearing.
    So, Cole, thank you for what you've done here. Thank you 
for your service-to-be for our country.
    I'm really proud to announce our last witness, my home 
election official, county clerk and recorder in Christian 
County, Illinois, Michael Gianasi. Prior to his appointment and 
election--appointed in 2017 and elected in 2018--he was also in 
the private sector but was our Supervisor of Assessment, so not 
necessarily the most fun job in the county courthouse to deal 
with property tax assessments, but he did a great job. And I 
want to tell you: Mike's here because I believe his testimony 
is going to provide an interesting perspective given his 
experience as a local county official who has actually 
administered elections.
    I've known Mike almost my entire life, probably from 
playing youth sports together in the same hometown to 
graduating high school together and working together as he was 
a fixture at the courthouse when I was working back in 
Illinois. Mike and I are good friends. Mike's a Democrat and 
I'm a Republican. I know that a guy like Mike Gianasi, the only 
thing he cares about when it comes to administering elections 
in my home county where I vote is to get it fair, make sure 
everybody has access to vote, and to ensure that there's no 
problems, especially on election night. Now, I know that's the 
concern of everyone. I think Mike's going to give a unique 
perspective even coming from a small rural county about how 
something that may be a good idea here in Washington, how it 
may impact their ability to actually run that election as 
efficiently and as effectively as possible. This is Mike's 
first trip to D.C. too. I got to take him on a nice tour of the 
Capitol last night.
    So, Mike, that you enjoy the rest of your trip. I just want 
to thank you for your opening testimony, and I really want to 
thank you for your insight that you're going to be able to give 
to this Committee, to this city, and to this country about what 
it takes to run an election in places like central Illinois.
    And, with that, thanks again for coming, Buddy.
    I yield back.
    The Chairperson. Thank you very much.
    As you heard with the prior panel, each of you will be 
asked to testify for five minutes, but your full written 
statement will be made part of the record.
    At this point, I'd like to ask each of you to stand and 
raise your right hand.
    [Witnesses sworn.]
    The Chairperson. The record will note that each witness 
responded in the affirmative.
    So we will turn first to you, Ms. Howard, and we will hear 
from each of the witnesses.

 TESTIMONY OF LIZ HOWARD, COUNSEL, BRENNAN CENTER FOR JUSTICE, 
  WASHINGTON, D.C.; MATT BLAZE, PROFESSOR OF LAW, GEORGETOWN 
 UNIVERSITY LAW CENTER, WASHINGTON, D.C.; JUAN GILBERT, ANDREW 
BANKS FAMILY PREEMINENCE ENDOWED PROFESSOR & CHAIR, UNIVERSITY 
  OF FLORIDA, GAINESVILLE, FLORIDA; REV. T. ANTHONY SPEARMAN, 
 PRESIDENT, NORTH CAROLINA NAACP, GREENSBORO, NORTH CAROLINA; 
THE HONORABLE DONALD PALMER, COMMISSIONER, ELECTION ASSISTANCE 
 COMMISSION, SILVER SPRING, MARYLAND; AND MIKE GIANASI, COUNTY 
CLERK AND RECORDER, CHRISTIAN COUNTY OF ILLINOIS, TAYLORVILLE, 
                           ILLINOIS.

                    TESTIMONY OF LIZ HOWARD

    Ms. Howard. Thank you. Thank you, Chairperson Lofgren, 
Ranking Member Davis, and Members of the Committee for holding 
this hearing and providing me with the opportunity to testify 
about the ongoing efforts to secure voting systems across the 
country and the challenges to this progress stemming from a 
lack of vendor oversight. Today's unprecedented hearing is a 
much appreciated continuation of this Committee's work to 
improve the security of our Nation's election infrastructure 
and an important step towards comprehensive vendor oversight to 
address the significant security gaps that remain.
    Today, I hope to convey three main points: First, election 
vendors play a critical role in our democracy but have received 
little or no congressional oversight. Second, despite this lack 
of oversight, significant progress has been made in improving 
election security since 2016. Third, there's still more to do 
to further strengthen our election systems ahead of the 2020 
election and beyond. Congress has a critical role to play in 
that process, including oversight of the vendors that are so 
important to the security and accuracy of our elections.
    The absence of Federal oversight negatively impacts 
election officials' ability to further strengthen our election 
infrastructure and is felt most acutely in times of crisis, as 
I know from my own experience. In 2017, roughly months before a 
high-profile election, paperless voting machines used across 
Virginia were publicly hacked at DEFCON, and a password for one 
of these machines was publicly reported. Even though I was the 
deputy commissioner of elections, I didn't know if the vendors 
knew about the vulnerabilities exploited by the hackers, if the 
vendors had taken any steps to address these vulnerabilities, 
who owned or controlled the vendors, or if they would promptly 
and fully respond to any of my questions as they are not--as 
they were not then and are not now--subject to comprehensive 
Federal oversight.
    In no other subsector designated as critical infrastructure 
are private vendors allowed to serve critical functions without 
commonsense oversight. Election officials, voters, and the 
public deserve answers to questions about our election system 
vendors.
    While the ongoing work of election officials in this 
Committee has resulted in significant election security 
progress across the country, these efforts are no substitute 
for comprehensive oversight of the wide variety of election 
vendors that play a critical role in the administration of our 
elections yet are currently subject to little or no Federal 
oversight or regulation. The comprehensive vendor oversight 
framework we recommend applies not only to voting system 
vendors but also to vendors that program and maintain those 
systems that count and tally votes and build, manage, and 
maintain voter registration databases and electronic poll books 
that allow election officials to judge who is eligible to vote.
    I was gratified to hear the CEOs of the three leading 
voting machine vendors embrace these recommendations for 
comprehensive reform earlier today. We hope that Congress can 
move quickly to adopt these reforms but understand that it may 
take a while to fully implement them. In my written testimony, 
I outline the steps that we recommend Congress take in the 
short term, which include oversight of the $425 million 
recently allocated for election security, paying particular 
attention to if the money is being spent on building robust 
resiliency plans to detect and recover from successful breaches 
to ensure that, regardless of whether there is a successful 
attack, voters will still be able to vote and have their vote 
counted accurately. In addition, I included steps that Congress 
should take to protect our election infrastructure after 2020, 
which include expansion of the EAC's oversight role to include 
more robust monitoring and disclosure of the security practices 
and ownership of election system vendors.
    While the lack of vendor oversight is a significant 
concern, and this Committee and election officials across the 
country have much work to do before and after the 2020 
election, it's important to acknowledge the progress made in 
strengthening our election infrastructure, including our voting 
systems, since 2016. For example, almost half of the States 
using paperless voting machines in 2016 have transitioned to 
now using paper-based voting systems. Congress has allocated 
almost--a little bit over, actually--$800 million to bolster 
election security in the States. Awareness of the risk to our 
election infrastructure has increased dramatically, and 
election officials across the country are implementing a 
variety of measures to make our voting systems more resilient 
and secure.
    Thank you for your time. I look forward to your questions.
    [The statement of Ms. Howard follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you very much.
    Dr. Blaze, we'd love to hear from you.

                    TESTIMONY OF MATT BLAZE

    Mr. Blaze. Thank you, Chairperson Lofgren and Ranking 
Member Davis, for convening this hearing on the urgently 
important topic of securing America's elections.
    I come here today as a computer scientist who's spent the 
better part of the last quarter-century studying election 
system security.
    As you are well aware, the integrity of elections across 
the U.S. depends heavily on the integrity of computers and 
software systems that are embedded across our election 
infrastructure. Complex software lies at the heart not just of 
vote-casting equipment used at polling places but also the 
information systems used by local authorities to manage 
everything from voter registration records to the tallying and 
reporting of election results, to the creation of ballots and 
so forth.
    Unfortunately, much of this infrastructure has proven 
dangerously vulnerable to tampering and attack and, in some 
cases, in ways that cannot be easily detected or corrected 
after the fact. These vulnerabilities can create practical 
avenues for corrupt candidates or foreign adversaries to do 
everything from cause large-scale disruption on election day to 
potentially undetectably alter election outcomes in some cases.
    Now, for the purpose of my testimony, it's helpful to 
consider voting machines and election management infrastructure 
separately. Let me begin with the voting equipment itself.
    To be blunt, it's a widely recognized indisputable fact 
that every piece of computerized voting equipment in use at 
polling places today can be easily compromised in ways that 
have the potential to disrupt election operations, compromise 
firmware and software, and potentially alter vote tallies in 
the absence of other safeguards.
    This is partly a consequence of historically poor design 
and implementation by equipment vendors, but it's ultimately a 
reflection of the nature of complex software. It's simply 
beyond the state of the art to build software systems that can 
reliably withstand targeted attack by a determined adversary in 
this kind of an environment.
    The vulnerabilities are real, they're serious, and, absent 
a surprising and very fundamental breakthrough in my field, 
which I would welcome but I don't see coming soon, probably 
inevitable.
    Fortunately,--this is not all bad news--there is now 
overwhelming consensus among experts on how we can conduct 
reliable elections despite the inherent unreliability of the 
underlying software. This requires two things.
    The first is that the voting technology retain a reliable 
paper record that reflects the voters' intended choices. 
Fortunately, equipment that has this property exists today, and 
it's, in fact, the simplest of the voting equipment available. 
And I refer here to paper ballots that have been preferably 
marked by hand, when possible, that are fed into an optical 
scan ballot reader when the vote is cast and the original voter 
ballot is retained.
    But this isn't sufficient by itself, because the software 
in the ballot scanners is, itself, vulnerable to tampering or 
error.
    The second requirement is that the election be reliably 
audited to ensure that the software is reporting the correct 
outcomes of each race as defined by the ballots that the voter 
has marked. And there's a statistically rigorous technique 
called risk-limiting audits that you've heard about that can 
accomplish this effectively and quickly. But this has to be 
routinely performed after every election in order to provide 
meaningful assurance.
    Unfortunately, only a handful of States currently conduct 
these audits. And it's urgent that both of these safeguards--
paper ballots and risk-limiting audits--recognized by experts 
universally as essential for election integrity, be adopted 
quickly and widely throughout the Nation.
    The second technology is the election management 
infrastructure in use by jurisdictions. We give most of the 
attention to vulnerabilities in voting machines, but that's not 
the whole story. Each of the more than 5,000 jurisdictions 
responsible for running elections across the Nation must 
maintain a number of critical information systems that are 
attractive targets for disruption by adversaries. Most 
important of these are voter registration databases, the 
systems that report final results and so forth.
    Unfortunately, there are even fewer standards for how to 
secure these systems. The administration of these systems 
varies widely. And the threats against these systems are often 
even more acute than the threats against individual voting 
systems.
    You know, just as we don't expect the local sheriff to 
single-handedly defend against military ground invasions, we 
shouldn't expect county election IT managers to defend against 
cyber-attacks by foreign intelligence services, but that's 
precisely what we've been asking them to do.
    Thank you again for your attention to these important 
issues. This is a vitally important topic, and I'm grateful 
that you've invited me to testify.
    [The statement of Mr. Blaze follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you very much, Dr. Blaze.
    Dr. Gilbert.

                   TESTIMONY OF JUAN GILBERT

    Mr. Gilbert. Chairperson Lofgren, Ranking Member Davis, 
Members of the Committee, I am honored to share with you my 
expertise in voting system security, accessibility, and 
usability.
    I have worked in elections for more than 15 years, 
conducting research, developing innovative technologies, and 
conducting studies with various election stakeholders.
    In 2003, I created Prime III, an open-source universally 
designed system. To my knowledge, Prime III is the only open-
source voting system to be used in State, Federal, and local 
elections in the United States. New Hampshire adopted Prime 
III, renamed it as ``One4All,'' and Butler County, Ohio, uses 
it as their accessible absentee system. Furthermore, voting 
machine vendors have created ballot-marking systems modeled 
after Prime III.
    While I am appearing today in my capacity as an expert in 
voting systems, I would like to take this opportunity to share 
some key recommendations from the 2018 National Academies of 
Science, Engineering, and Medicine consensus report titled 
``Securing the Vote: Protecting American Democracy.''
    I was a member of the committee that authored the report, 
but I would emphasize that any opinions expressed about the 
report and its recommendations are my own and do not 
necessarily represent positions of the National Academies.
    ``Securing the Vote'' was the result of a two-year National 
Academies study conducted by experts from election 
administration and policy, cybersecurity, accessibility, and 
law. Over the course of the study, the committee reviewed 
extensive background materials. It held five meetings where 
invited experts spoke to the committee about a range of topics, 
including voter registration, accessibility, voting 
technologies, market impediments to technological innovation, 
cybersecurity, post-election audits, and the education and 
training of election workers.
    The committee did not have access to classified information 
but instead relied on information in the public domain, 
including State and Federal Government reports, published 
academic literature, testimony from congressional hearings, and 
presentations to the committee.
    Issues related to voting such as voter identification laws, 
foreign and domestic disinformation, and other similar topics 
were outside the charge of the committee and, therefore, are 
not included in the report.
    The Academies' report recommended that elections be 
conducted using human-readable paper ballots. It said that 
these ballots may be marked by hand or by machine using a 
ballot-marking device and that they may be counted by hand or 
by machine using an optical scanner.
    The report further recommended that recounts and audits 
should be conducted by human inspection of the human-readable 
portion of the paper ballots and that voting machines that do 
not provide the capacity for independent auditing--for example, 
machines that do not produce voter-verifiable paper audit 
trails--should be removed from service as soon as possible.
    Currently, there's no known way to secure a digital ballot. 
At this time, any election that does not employ paper ballots 
cannot be secure. Therefore, the report recommended that 
internet voting and specifically the electronic return of 
marked ballots should not be used at this time.
    The Academies' report also recommended that vendors and 
election officials should be required to report any detected 
efforts to probe, tamper with, or interfere with election 
systems, including voter registration systems. Each State 
should require a comprehensive system of post-election audits 
of processes and outcomes. A detailed set of cybersecurity best 
practices for State and local election officials should be 
continuously developed and maintained. Congress should provide 
funding to help State and local governments modernize their 
election systems and improve cybersecurity capabilities.
    Congress should authorize and provide funding for a major 
research initiative on voting. Recommendation 7.3 of the 
Academies' report says that ``Congress should authorize and 
fund immediately a major initiative on voting that supports 
basic, applied, and translational research relevant to the 
administration, conduct, and performance of elections. This 
initiative should include academic centers to foster 
collaboration both across disciplines and with State and local 
election officials and industry.''
    This recommendation is bold, calls for research and 
development that provides solutions to issues identified in the 
report. I believe that a minimum of $25 million in funding over 
a five -year period would be needed to establish a national 
center.
    As a Nation, we have the capacity to build an election 
system for the future, but doing so requires focused attention 
from citizens, Federal, State, and local governments, election 
administrators, and innovators in academia and industry. It 
also requires a commitment of appropriate resources.
    Representative democracy only works if all eligible 
citizens can participate in elections and be confident that 
their ballots have been accurately cast, counted, and then 
tabulated.
    Thank you for the opportunity to be here.
    [The statement of Mr. Gilbert follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you very much.
    Reverend Spearman, we'd love to hear from you.

             TESTIMONY OF REV. T. ANTHONY SPEARMAN

    Rev. Spearman. Good afternoon, Chairperson Lofgren, Ranking 
Member Davis, and Committee Members.
    I am indeed honored to be here, for, unlike the previous 
participants on these panels, I am neither a voting systems 
vendor nor an expert. I'm an activist, one who was raised in a 
household where the vote was held sacred.
    I'm the president of the North Carolina State Conference of 
Branches of the National Association for the Advancement of 
Colored People and the only county board of elections member of 
color from Guilford County, North Carolina. And while not an 
expert in election security, I rely on the findings of those 
scientists who are and urge my colleagues on county boards 
across the Nation to do so as well. We must listen to 
scientists, not vendor marketing claims.
    Dr. Alex Halderman just published research and finds that 
electronic ballot-marking devices do not create ballots that 
can be reasonably audited, which is consistent with the 
recently expanded study by Dr. Philip Stark, Dr. Richard 
DeMillo, and Dr. Andrew Appel concluding that electronic 
ballot-marking devices cannot be relied on to produce elections 
that assure the will of the people.
    Dr. Duncan Buell, along with others, has studied how voting 
machines and their allocation can create lines that frustrate 
and disenfranchise voters.
    Let me hasten to say that I am not anti-technology, but I 
agree with the scientists who argue that election security can 
be compromised by placing an electronic device between a voter 
and the ballot.
    While the election security defenses needed to detect and 
stop cyber-attacks may seem impossibly complex and 
overwhelming, there's a practical, low-tech, traditional answer 
to mitigating the greatest threats, assuring that any attacks 
can be detected and cannot be ultimately achieved or effective.
    That's where I come in. I was first elected to the Guilford 
County Board of Elections in 2017 for a two-year term and 
reelected in January 2019 for another two-year term. During my 
first term, I was the only member of the board without a legal 
degree. All I had sitting at the table with me was my activism, 
passion for voters, and my experience working in elections.
    Prior to my election to a seat on the Guilford County 
board, my volunteerism as a precinct worker began as an 
election day specialist around 2017 in Catawba County after a 
growing number of members began venting their frustrations with 
the voting process.
    Coincidentally, this was the same year that tremendous 
advances for voters occurred in the State of North Carolina. 
Same-day registration began allowing voters to cast ballots 
during the early-voting period, which led to an increase in 
voter participation during the November 8, 2008 Presidential 
election. In Catawba County, voters used hand-marked paper 
ballots.
    In 2014, when I was appointed to a church in Greensboro, an 
opportunity to work at a precinct in Guilford County presented 
itself. And there I worked as a judge and on to becoming the 
chief judge, or overseer, of FEN1, one of the largest precincts 
in the county.
    In Guilford County, iVotronics, or direct recording 
electronics, DREs, were in use. And among my growing concerns 
while serving the precinct were problems that arose with the 
touch-screen or iVotronic devices.
    I was the overseer, chief overseer, of the sixth-highest 
voter precinct in Guilford County, with 3,800 voters. As one of 
my friends has convinced me, the first line of defense is the 
local county bipartisan election board, like the one I sit on 
in Guilford County, North Carolina. Across the Nation, they are 
authorities for selecting voting systems and reviewing the 
ballot tabulations before they certify the election results.
    If voters, campaigns, political parties, and candidates 
insist that these boards, one, select only hand-marked paper 
ballots as standard equipment; two, maintain ballot chain of 
custody; three, distribute an accurate paper backup pollbook to 
the polls; and, four, conduct vigorous reviews of the election 
returns and tabulations before certifying, cyber- attacks 
cannot be successful. They can't be prevented, but the 
jurisdiction can recover from them and verify the will of the 
people. I'm talking first line of defense.
    As a first-time witness of the process for voting machine 
certification, I must admit I was highly disturbed that the 
demonstration was conducted in what I viewed as an inconvenient 
place, off the beaten path for most voters. As I drove to the 
site, I became overwhelmed with how un-user-friendly this 
location was for minorities, and, as I recall, I was the only 
person of color in attendance.
    But not only that, when I reviewed the agenda and saw how 
the demonstration was to be conducted, with the majority of 
time allotted to county board members and only a few minutes 
left for the public to view systems, I immediately called the 
director of elections and expressed my displeasure with the 
setup. By the time I arrived, the necessary adjustments had 
been made, and everyone moved through the demonstrations 
together.
    Elections belong to the people, and the more the people are 
included in the process, the more we may gain their trust and 
confidence.
    Thank you for allowing me to share.
    [The statement of Rev. Spearman follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you very much.
    Commissioner Palmer.

            TESTIMONY OF THE HONORABLE DONALD PALMER

    Mr. Palmer. Good afternoon, Chairperson Lofgren, Ranking 
Member Davis, and Members of the Committee. I'm thankful for 
the opportunity to testify before you today on the important 
work being done by the United States Election Assistance 
Commission in preparation for the 2020 Federal elections.
    As prescribed by the Commission's enabling legislation, the 
Help America Vote Act of 2002, HAVA, the EAC is focused on 
State and local election officials across the United States and 
providing secure, accessible, and accurate elections. Under 
that act, the EAC works to implement election reforms, assist 
States in certifying voting systems, advance voting 
accessibility, disburse HAVA funds, and serve as a 
clearinghouse of election information and best practices in the 
laboratory of States.
    In pursuit of this mission, we collaborate closely with 
State and local election officials, Federal partners, and 
others in the election community.
    I am grateful that the expert and vendor witnesses 
testifying before you today have shared their insight on the 
important topic of election security.
    I would like to begin by thanking Congress for your recent 
efforts to increase funding in this area. The addition of $425 
million in HAVA grant funds, with a 20-percent State match, 
will go a long way toward enhancing election technology and 
improving security in State and local elections.
    Simultaneously, the 40-percent increase in the EAC budget 
will allow us to bolster existing programs and enhance 
resources. I should note that EAC's distribution of $380 
million in 2018 HAVA funds to the States in the lead-up to the 
midterm elections was and continues to be, critically important 
to helping officials secure the elections infrastructure.
    I would like to highlight an important update to our 
testing and certification program. The testing and 
certification program manual allowed for minor, de minimis 
changes, software changes, without the overhead of a full-blown 
voting system certification campaign. In November of 2019, the 
EAC's testing and certification program issued a notice of 
clarification, providing clear guidelines on submitting these 
minor changes for certification. The EAC expects that this 
process will be used by vendors to rapidly update the security 
of their systems with the latest software patches and operating 
system updates.
    Tremendous progress was also made in 2019 toward the 
adoption of voluntary voting system guidelines, what we call 
VVSG 2.0. VVSG 2.0 will represent a significant leap forward in 
defining new standards that will serve as the template for the 
new generation of secure and accessible voting systems.
    The hard work of NIST staff and EAC personnel culminated in 
the presentations of these draft requirements to the Technical 
Guidelines Development Committee. This committee is now 
considering the recommendations to the EAC on adoption.
    My fellow commissioners and I are committed to a 
transparent and thorough deliberation on the path to 
implementing VVSG 2.0. The EAC Standards Board and the Board of 
Advisors will meet in April of 2020 to consider these new 
requirements, and after their key input, it is my hope that the 
VVSG 2.0 will be finalized and voted on in the upcoming months.
    As the Nation focuses on the 2020 election this year, so 
does the EAC. On January 14, we are bringing together election 
officials and experts in election security and accessibility to 
kick off our #2020Focus campaign at the National Press Club. 
The topics for discussion will include the security 
environment, the need for enhanced poll-worker training, and 
ensuring accessible elections for all Americans.
    The increased fiscal year 2020 appropriations for the EAC 
will allow us to fill critical staffing vacancies within the 
agency as well as bolstering our staff to meet rising demands. 
I am pleased to report that the EAC is in the process of 
identifying candidates for a new general counsel and additional 
communication personnel. The statutory process for identifying 
candidates for executive director is well underway.
    We also plan to add staff in our testing and certification 
program. Expansions to this program will enhance the capability 
of handling frequent voting system security updates through the 
de minimis process while fulfilling its other duties of 
conducting training for election administrators, performing on-
site audits of voting system manufacturing and test lab 
facilities, and overseeing a risk-limiting audit assistance 
program.
    HAVA has set forth an ambitious agenda for the EAC, one 
rooted in protecting the very foundation of our Nation's 
democracy. Despite very real and persistent resource challenges 
in recent years, the EAC has fulfilled its obligation and even 
expanded the support it provides to election administrators and 
voters.
    With strong support from the Congress in the recent 
appropriations cycle and the reestablishment of a quorum of 
commissioners, the EAC is ready for its next chapter. We look 
forward to working with the Congress as we continue our efforts 
to help America vote.
    I am happy to answer any questions you may have following 
today's testimony.
    [The statement of Mr. Palmer follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you very much.
    And last but certainly not least, Mr. Gianasi.

                   TESTIMONY OF MIKE GIANASI

    Mr. Gianasi. Thank you.
    Chairperson Lofgren, Ranking Member Davis, and all the 
other honored Committee Members here today, thank you for the 
invitation to come and speak before you.
    As stated previously, Ranking Member Davis and I are 
friends. We've grown up in the same town. It's in central 
Illinois. It's the town of Taylorville, which is the county 
seat of the county of Christian in Illinois. Also as stated 
previously, I was appointed as the county clerk and recorder in 
2017 upon the retirement of that previous clerk and recorder. 
Subsequently, I was elected as the county clerk and recorder in 
2018, of which I currently serve as today.
    The introduction of my tenure as the election authority was 
rather swift and, at that time, being in the 2017-2018 
timeframe, focused on an increase in cybersecurity-related 
responsibilities. I had not been a participant in this arena 
prior to that time period, so although there were a lot of 
discussions and a lot of other situations that had occurred 
previously, I was not a party to that. However, as the new 
election authority, it has become my responsibility to take 
into account all of these situations and, now, all of the 
increasing responsibilities as the days go by.
    As the election authority, my primary concern on the topic 
of elections involves several categories, one being physical 
security of course. The election equipment that I have custody 
of is stored away in my courthouse in a locked room.
    That election equipment, by the way--I might as well make 
this comment--is being delivered today because, as of recently, 
I have been approved the ability to obtain new election 
equipment. My previous election equipment was the AccuVote and 
TSx-type model equipment from Diebold, which is no longer being 
used by Christian County. We have now upgraded our equipment to 
the new equipment provided by Unisyn Voting Solutions, 
Incorporated, who is not here today.
    In regards to meeting with my election vendor, who I have 
trusted for many, many years and previous clerks have trusted 
for many years, the choice of this election equipment was the 
correct choice and a sound choice.
    The election equipment that I have chosen is their 
equipment that provides a paper trail, as required by the State 
of Illinois, for all votes cast, whether it be cast manually 
through the paper ballot or using the touch-screen device, 
which produces a paper ballot in human-readable form at the end 
of the process, for which the person then has the opportunity 
to review that, and then they will, themselves, place that 
ballot into the ballot box for tabulation.
    Some of the other logistics that I have to also worry about 
include staffing of election judges. It is very difficult to 
always staff my election judges adequately, but we do the best 
we can. Christian County, not being a large jurisdiction, has 
30 precincts, and of those 30 precincts, we have 23 physical 
polling locations so five judges per precinct. And it sometimes 
is rather difficult, but we do our best to try to make sure 
that we have as much staffing as we can at those locations.
    The election equipment, as far as custody, it stays in that 
locked room. It's only accessed by myself or my staff whenever 
we need to do any upgrades as far as programming, which is 
involving, of course, our election vendor, because I do have 
that service as well. And then we release that equipment to the 
election judges prior to the election so that they can take it 
out, get it to the precincts, and then they will bring it back 
at the end of the election cycle.
    The cybersecurity-related responsibilities, as I described 
before, have become increasingly noticeable. I am a member of 
the MS-ISAC, the EI-ISAC, and the HSIN. I receive notices on a 
daily basis, multiple times a day, through emails from all of 
these organizations notifying me of vulnerabilities primarily 
to software packages but occasionally to other situations that 
would just allow for us to be on a heightened awareness of 
other attacks possibly directed to our firewall.
    The situation as far as funding, of course, as a local 
election authority, we do receive funding through the HAVA 
grants, which is funneled from the Federal money through the 
State down to us. And I can talk about that in more detail 
later if you would like.
    And that is all I have on my statement today. Thank you for 
your invitation.
    [The statement of Mr. Gianasi follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. Thank you.
    And thanks to all of you for your testimony as well as your 
written statement.
    We now have time for Members to ask a few questions. I'll 
first turn to the Ranking Member, Mr. Davis, for his five 
minutes of questions.
    Mr. Davis of Illinois. Thank you, Madam Chairperson.
    And thanks to all the witnesses. Very compelling testimony.
    Mr. Gianasi, I'll start with you, since you came out here 
at my request. Can you tell us--I understand you recently 
purchased some new machines for Christian County.
    Mr. Gianasi. Correct.
    Mr. Davis of Illinois. What decisions led you to purchase 
those specific machines?
    Mr. Gianasi. The original machines that Christian County 
had been using were purchased in 2004. And those machines, like 
I said before, the AccuVotes and such, TSX, were purchased 
using HAVA funds that were available at that time. Those 
machines, although doing well up through and including the most 
recent elections, have seen better days. They have outdated 
hardware that is no longer able to physically provide a dark 
print on the ballot----
    Mr. Davis of Illinois. So they were outdated. You----
    Mr. Gianasi. Yes.
    Mr. Davis of Illinois [continuing]. Needed to get some new 
ones. Did you use HAVA funds to get these new machines?
    Mr. Gianasi. I did not have any HAVA funds available to get 
these new machines. I was able to work through the county 
board, who had general obligation bond money available for this 
project----
    Mr. Davis of Illinois. How much did that cost you?
    Mr. Gianasi. I have signed what is a six-year lease on 
these machines. I chose not to purchase. And that six-year 
lease, approximately $322,000.
    Mr. Davis of Illinois. And knowing the size of our county, 
that's a pretty big impact to the county budget.
    Mr. Gianasi. As of Tuesday, I have 21,212 registered voters 
in my entire county.
    Mr. Davis of Illinois. Okay. Great.
    When you made the decision to purchase those machines, you 
didn't call anybody at the Federal Government and ask 
permission, right?
    Mr. Gianasi. I did not.
    Mr. Davis of Illinois. Okay.
    You mentioned in your testimony, too, about the Illinois 
Cyber Navigator Program. It's a program I've talked about in 
this hearing room many times. I think it's a great partnership 
between the U.S. Department of Homeland Security and the State 
of Illinois and, in turn, all local election officials, like 
yourself.
    How's this program been beneficial to your role as an 
election administrator in Christian County?
    Mr. Gianasi. The Cyber Navigator Program is beneficial, I 
believe, to all election authorities and, in particular, those 
that do not have the resources to maintain any form of IT 
staff, in particular, or those that just have an inability to 
continue to monitor all of the problems that are coming down 
the line and then be able to provide solutions to those 
problems.
    Mr. Davis of Illinois. So you don't have a dedicated IT 
staffer. You're that person, right?
    Mr. Gianasi. Correct. We don't have any IT staff. The 
county does hire an outside IT contractor to perform all IT-
related functions, including patch updates, firewall 
maintenance, email maintenance, et cetera.
    Mr. Davis of Illinois. Just for your office or for the 
whole county, all the offices?
    Mr. Gianasi. For the whole county, all offices.
    Mr. Davis of Illinois.So the treasurer, the county clerk, 
the sheriff, everybody, right?
    Mr. Gianasi. Correct.
    Mr. Davis of Illinois. Now, do you find that this Cyber 
Navigator Program, this partnership between DHS, funded by your 
Federal tax dollars, is good assistance to small, rural 
counties like your own?
    Mr. Gianasi. I do, because, again, with the changes that 
are happening, the Cyber Navigator who now is partnering with 
the county has given us the ability to promote different 
aspects of cybersecurity-related awareness. He's also currently 
directly assisting with the installation of new hardware which 
will provide secure access between our voter registration 
database server and the Illinois State Board of Elections' 
database server through what's called the Illinois Century 
Network.
    Mr. Davis of Illinois. Excellent. Thank you for your 
testimony today. Thanks for being here, Mike. Great to see you.
    Mr. Palmer, while I have some time left, one major element 
of the election infrastructure that I believe remains 
unaddressed are electronic pollbooks. It's my understanding 
that they're not currently regulated by HAVA, the Help America 
Vote Act, in any way. Are there security risks associated with 
electronic pollbooks?
    Mr. Palmer. Yes, there is. And you're right, it's not 
regulated currently under HAVA, although there are some 
instances where there may be some interaction with the voting 
system. I think the EAC is looking at electronic pollbooks as 
perhaps there's a way the EAC could do a review and, sort of, 
approval process for electronic pollbooks.
    There's a growing use of electronic pollbooks across the 
country. It's not universal, but more and more counties are 
using them because of the ease and the ability, the accuracy of 
electronic pollbooks. But there are some downsides to that, and 
so the EAC feels that we have an opportunity here.
    Mr. Davis of Illinois. While I have a few seconds left, can 
you give us one suggestion or two suggestions of what you think 
we could do to update HAVA?
    And, also, if I could ask the EAC to give us an opportunity 
to address some of the concerns you may have with HAVA in case 
this Committee and this institution wants to readdress what was 
passed years ago.
    Mr. Palmer. Well, I think that there's an opportunity for 
the EAC at the Federal Government level to sort of do a review 
and certification program for other election systems beyond 
voting systems.
    But the EAC and the commissioners, we would love to talk 
with the Committee as a whole and talk about ways that we 
believe, at the EAC, things that could be improved from a 
fundamental level.
    Mr. Davis of Illinois. Right. Thank you.
    The Chairperson. The gentleman's time has expired.
    I turn to Mrs. Davis, the gentlelady from California for 
five minutes.
    Mrs. Davis of California. Thank you.
    Thank you very much to all of you for being here and for 
your experience in dealing with all of these issues.
    Dr. Spearman, I wanted to just ask you, we've talked about 
the access issue, and you brought to the election personnel the 
concerns that you were having, and it sounds like they 
responded to you. But I'm wondering, with all of these issues, 
what you feel sometimes gets lost, sort of, on the radar screen 
in terms of what the needs of people, of voters really are in 
their communities that doesn't get addressed very well.
    Rev. Spearman. Well, as I stated--and thank you for your 
question, Congresswoman Davis. As I stated, I have--I guess I 
would respond to that by saying on the county board of Guilford 
County I am a rarity. I'm the only African American and I'm the 
only activist. I come with the concerns of the people, the 
concerns of the voter.
    And oftentimes it seems as if the voter has been last on 
the totem pole. And that's something that I have been 
advocating for since I've been on the board, to put the people 
on the radar. Because the elections, as far as I'm concerned, 
are the people's. And the more the people, the more humans are 
involved in the process, I think the better off we are going to 
be.
    As far as I am concerned right now, our democracy is an 
aberrant democracy. And in order to make that democracy and 
save our democracy, I think the people need to rise up and be 
counted.
    Mrs. Davis of California. Is there a specific change that 
you think could or should be made in terms of easier access or, 
again, more voting days? I don't know, vote by mail, if that's 
an issue in your area?
    Rev. Spearman. Well, I mean, we've been fighting for that 
in North Carolina since 2013, since after Shelby versus Holder, 
and we're going to continue to fight. We just recently won 
another lawsuit with regard to winning a preliminary injunction 
for voter photo ID, which has already been a lawsuit that we 
won previously but it seems that the General Assembly continues 
to come back, disguise it in different ways, and tries to get 
it through again.
    So, as it relates to access, one of the things that I 
believe would be helpful, especially to persons like myself, 
county board members, is more education, more training for the 
county board members, and just let the county board members 
know what it is that they are being elected to do.
    Mrs. Davis of California. Thank you.
    Dr. Blaze, I think it was also mentioned what should be 
done at this time to try and help with these processes. And yet 
we know that, in many cases, that's not going to happen before 
this next election in 2020. So what is it that you think we 
really need to be focused on very particularly in terms of 
hacking of any elections, intervention? What is it that you're 
most worried about?
    Mr. Blaze. Sure. Well, I think, you know, the things that 
I'm most worried about are a repeat of some of the types of 
attacks that we saw in 2016 against larger election 
infrastructure, not just voting machines themselves but the 
back-end systems that manage voter registration records and so 
on.
    We've been very fortunate that even in 2016 the attacks 
against our systems had a relatively light touch. A determined 
adversary who wanted to disrupt our elections would have a 
frighteningly easy task if they wanted to do so. And I worry 
that the over 5,000 election jurisdictions who maintain these 
systems throughout the country are not uniformly ready to 
respond to a sophisticated adversary like that. So, to the 
extent we can support them, that is an urgent priority.
    Mrs. Davis of California. And you mentioned that many 
counties don't audit. And is that because they feel that they 
don't have the resources to do that, they don't have additional 
funding? Or is it just an attitude as well?
    Mr. Blaze. Well, no, I think, you know, everybody is trying 
to do their best, but risk-limiting audits have not yet 
penetrated throughout most of the country. There are only a 
handful of States right now that do them. More States are 
starting to explore them. To the extent that we can encourage 
wider adoption of these, that will improve things 
significantly.
    Mrs. Davis of California. Yes.
    Thank you. My time is up.
    The Chairperson. Thank you.
    I just have a few follow up questions.
    First, I want to thank all of the witnesses, but also, Dr. 
Gilbert, the National Academies' report was enormously helpful 
to us, and I want to thank you for that. It really is the guts 
of what we ended up putting in our SAFE Act that's now pending 
in the Senate. Tremendous appreciation for you and the other 
scientists who worked on it.
    I want to talk about the ballot-marking devices. I don't 
love these systems. On the other hand, we need to have a 
capacity to allow the disability community to exercise their 
franchise freely, and that's an important element of providing 
for that.
    I am concerned about the QR codes and barcodes that cannot 
be read by the voter. And so, really, if you're checking the 
paper, it really doesn't prove anything in terms of whether or 
not the barcode reflects what is on the piece of paper.
    It's not possible that all of that will be changed between 
now and election day in November. What are your suggestions, as 
computer scientists, Dr. Blaze and Dr. Gilbert, for what could 
be done in the interim about that problem?
    Mr. Blaze. So--should I?
    Mr. Gilbert. Yes.
    Mr. Blaze. Okay.
    Ballot-marking devices were originally conceived purely as 
an assistive technology for voters who couldn't mark their own 
ballots for various reasons and were never originally----
    The Chairperson. Correct.
    Mr. Blaze [continuing]. Conceived as the primary method for 
people for voting. It took us a bit by surprise that systems 
that use ballot-marking devices as the primary method of voting 
were being deployed and purchased by people across the----
    The Chairperson. Correct. If I----
    Mr. Blaze [continuing]. Country, but there's been an----
    The Chairperson. Right.
    Mr. Blaze [continuing]. Explosion of research over the last 
year in whether voters can reliably verify them.
    What we found, most recently studied by Alex Halderman's 
group in Michigan, is that voters don't appear to be able to 
reliably confirm that their marks match what their intent was. 
And that's a significant--raises significant concerns----
    The Chairperson. I understand that. And it's, like, 7 
percent of the people, actually, according to that report.
    Mr. Blaze. That's right.
    The Chairperson. But what do we do about that?
    Ultimately, I think we ought to have paper ballots and 
these marking devices ought to be available to those who need 
them because of disability purposes.
    Mr. Blaze. Right.
    The Chairperson. Between now and when that is achieved, 
what do we do?
    Mr. Blaze. The best thing we can do is voter education. The 
Michigan paper has some concrete suggestions on interventions 
that aren't perfect but they can at least increase the ability 
for voters to check. And, you know, it's simply a matter of the 
instructions given to voters, whether they're given a personal 
reminder to check their ballot selections. And those appear to 
make, you know, a significant--not sufficient, but significant 
difference in how well they're verified.
    The Chairperson. Dr. Gilbert, do you have anything to add?
    Mr. Gilbert. Yes, I have a lot to add.
    So, to start, these studies--I want to make the record 
clear. The studies are saying that people did not verify their 
ballot; they didn't say they could not verify their ballot.
    So I would recommend, going to the Michigan study--notice 
that the Michigan study said, ``Remind the voter to review 
their ballot.''
    The Chairperson. It goes up to, like, 70 percent if you 
remind them.
    Mr. Gilbert. Yes. Well, try this: ``Would you please verify 
that your ballot selections were not changed?'' Rather than, 
``Review your ballot.'' Let's try that.
    The ballot-marking device--there were 16 million voters who 
voted with a disability in 2016. What was the margin of 
victory? Less than 3 million votes?
    The Chairperson. Yes.
    Mr. Gilbert. So if we were to design these machines so they 
are only used by people with disabilities, an adversary finds 
that as a happy day, because all you have to do is target a 
specific group.
    Universal design, meaning more people using those machines, 
gives you greater security. The likelihood of catching errors 
increases as a result of that.
    I will be honest. The universal design when HAVA was 
created, it was designed that each precinct would have at least 
one accessible voting machine.
    The Chairperson. Correct.
    Mr. Gilbert. I said that wasn't possible because you're 
going to have a separate-but-equal connotation. And they said, 
you can't have one machine that everyone uses. So we built it. 
Later this year, we'll have an announcement about a transparent 
voting machine, a new innovation, that will address these 
issues.
    So, in the Academies' report, we recommended that we have a 
national center to do research around these things. That is a 
necessity. This is an arms race. It's not just going to happen 
and end.
    To suggest that we should go back to hand-marked paper 
ballots is the same as saying, we had an accident on the 
highway and people unfortunately died, so we should return to 
horses and carriages.
    The Chairperson. My time has expired.
    But I do want to just mention, Ms. Howard, you have 
decertified machines that didn't meet standards. We know that 
we're not going to get to where we need to be between now and 
November. Do you have any suggestions on what interim steps we 
could take to make the systems safer?
    Ms. Howard. Well, yes. Thank you for the question.
    So two basic things, right? Voter education about how to 
use the machines is very important. And, additionally, there 
must be post-election audits which rely on the human-readable 
portion of the ballots even if the ballots do include barcodes.
    The Chairperson. Thank you.
    My time has expired. All time has expired.
    I would like to thank each of you for your testimony. Note 
that, because we didn't get a chance ask all our questions, we 
may follow up with written questions for you, and, in that 
case, we'd ask that you answer promptly.
    [The information follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairperson. And we do thank you once again for your 
service here as witnesses in helping us do a better job in 
securing our election systems for this all-important 2020 
election.
    And this hearing is, without objection, now adjourned.
    [Whereupon, at 12:43 p.m., the Committee was adjourned.]
    
                             [all]