[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY OF VOTING MACHINES
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
AND THE
SUBCOMMITTEE ON
INTERGOVERNMENTAL AFFAIRS
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 29, 2017
__________
Serial No. 115-64
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://oversight.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
30-295 PDF WASHINGTON : 2018
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
Committee on Oversight and Government Reform
Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee          Elijah E. Cummings, Maryland, Ranking Minority Member
Darrell E. Issa, California             Carolyn B. Maloney, New York
Jim Jordan, Ohio                        Eleanor Holmes Norton, District of Columbia
Mark Sanford, South Carolina            Wm. Lacy Clay, Missouri
Justin Amash, Michigan                  Stephen F. Lynch, Massachusetts
Paul A. Gosar, Arizona                  Jim Cooper, Tennessee
Scott DesJarlais, Tennessee             Gerald E. Connolly, Virginia
Blake Farenthold, Texas                 Robin L. Kelly, Illinois
Virginia Foxx, North Carolina           Brenda L. Lawrence, Michigan
Thomas Massie, Kentucky                 Bonnie Watson Coleman, New Jersey
Mark Meadows, North Carolina            Stacey E. Plaskett, Virgin Islands
Ron DeSantis, Florida                   Val Butler Demings, Florida
Dennis A. Ross, Florida                 Raja Krishnamoorthi, Illinois
Mark Walker, North Carolina             Jamie Raskin, Maryland
Rod Blum, Iowa                          Peter Welch, Vermont
Jody B. Hice, Georgia                   Matt Cartwright, Pennsylvania
Steve Russell, Oklahoma                 Mark DeSaulnier, California
Glenn Grothman, Wisconsin               Jimmy Gomez, California
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana
Sheria Clarke, Staff Director
William McKenna, General Counsel
Troy Stock, Information Technology Subcommittee Staff Director
Sean Brebbia, Senior Counsel
Kelsey Wall, Professional Staff Member
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Information Technology
Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair     Robin L. Kelly, Illinois, Ranking Minority Member
Darrell E. Issa, California             Jamie Raskin, Maryland
Justin Amash, Michigan                  Stephen F. Lynch, Massachusetts
Blake Farenthold, Texas                 Gerald E. Connolly, Virginia
Steve Russell, Oklahoma                 Raja Krishnamoorthi, Illinois
Greg Gianforte, Montana
------
Subcommittee on Intergovernmental Affairs
Gary Palmer, Alabama, Chairman
Glenn Grothman, Wisconsin, Vice Chair   Val Butler Demings, Florida, Ranking Minority Member
John J. Duncan, Jr., Tennessee          Mark DeSaulnier, California
Virginia Foxx, North Carolina           Matt Cartwright, Pennsylvania
Thomas Massie, Kentucky                 Wm. Lacy Clay, Missouri
Mark Walker, North Carolina             (Vacancy)
Mark Sanford, South Carolina
C O N T E N T S
----------
Hearing held on November 29, 2017
WITNESSES
The Honorable Christopher C. Krebs, Senior Official Performing
the Duties of the Under Secretary, National Protection and
Programs Directorate, U.S. Department of Homeland Security
    Oral Statement
    Written Statement
The Honorable Tom Schedler, Secretary of State of Louisiana
    Oral Statement
    Written Statement
The Honorable Edgardo Cortes, Commissioner, Virginia Department
of Elections
    Oral Statement
    Written Statement
Matthew Blaze, Ph.D., Associate Professor of Computer and
Information Science, University of Pennsylvania
    Oral Statement
    Written Statement
Ms. Susan Klein Hennessey, Fellow in National Security,
Governance Studies, Brookings Institution
    Oral Statement
    Written Statement
APPENDIX
Representative Gerald E. Connolly Statement
Letter of October 20, 2017, to the Department of Homeland
Security submitted by Ms. Kelly
December 18, 2016, Detroit Free Press, Wisely and Reindl,
``Detroit's election woes: 782 more votes than voters''
submitted by Mr. Mitchell
Response from Mr. Krebs, DHS, to Questions for the Record
CYBERSECURITY OF VOTING MACHINES
----------
Wednesday, November 29, 2017
House of Representatives,
Subcommittee on Information Technology, Joint with
Subcommittee on Intergovernmental Affairs,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 2:29 p.m., in
Room 2154, Rayburn House Office Building, Hon. Will Hurd
[chairman of the Subcommittee on Information Technology]
presiding.
Present: Representatives Hurd, Palmer, Mitchell, Grothman,
Duncan, Amash, Walker, Kelly, Demings, DeSaulnier, Lynch, Clay,
and Krishnamoorthi.
Also Present: Representative Gabbard.
Mr. Hurd. The Subcommittee on Information Technology and
the Subcommittee on Intergovernmental Affairs will come to
order. And, without objection, the chair is authorized to
declare a recess at any time.
And now I am going to recognize myself for 5 minutes for my
opening statement.
Good afternoon. Thanks for being here. And it's been over
240 years since our forefathers declared independence and our
democratic experiment began. Throughout the entirety of our
existence, our adversaries, both internal and external, have
sought to suppress and destroy our democratic process.
Voting is one of our fundamental democratic rights and is
the cornerstone of American democracy. Our existence as a
democracy depends on free, fair, and accurate elections. Today,
we're here to talk about the best way to protect the integrity
of our voting systems through the cybersecurity of our voting
machines and election systems.
There are over 10,000 election jurisdictions nationwide
that administer elections, and even within States, counties use
different systems and different technologies to conduct
elections. A little over a year ago, last September, Ranking
Member Kelly and I held a hearing in the IT Subcommittee
entitled ``Cybersecurity: Ensuring the Integrity of the Ballot
Box.'' We discussed potential cybersecurity issues with the
upcoming election. It was an issue then and it remains an issue
now.
Former DHS Secretary Jeh Johnson has made clear that, to
the best of his knowledge, the Russian Government did not,
through any cyber intrusions, alter ballots, ballot counts, or
reporting of election results. However, our adversaries have
always sought to use our Nation's unique qualities to undermine
our robust and resilient democracy.
Just because Russia did not tamper with ballots or
reporting of election results during the last election, it
doesn't mean they or other adversaries won't try to do so in
the next election or the election after that. Like anything
else in this the digital age, electronic voting is vulnerable
to hacking. Our voting systems are no exception.
This past January, DHS designated the Nation's election
systems as critical infrastructure, something that was being
discussed at our hearing back in September of 2016. We are here
today to follow up on what impact the designation has had on
States. It is essential that States take appropriate steps to
secure their voting infrastructure. It's also essential that
States have the ability to audit their ballots for accuracy
whenever any kind of manipulation is suspected.
The State of Virginia, which held an election recently, has
joined the growing list of States that went to a paper system.
I'm curious to hear how that transition went and what our
witnesses think about moving to paper-based voting systems.
Additionally, what are the chances that a foreign entity could
tamper with the ballot box? These are all questions and issues
that I want to explore today.
I'm very interested to hear what our witnesses have to say
on this topic, and I thank the witnesses for being here today
and for their efforts as fellow citizens to ensure that our
country's elections are free and fair.
It's now a pleasure, I recognize the ranking member of the
Information Technology Subcommittee, my friend, Ms. Robin
Kelly, for 5 minutes in her opening remarks.
Ms. Kelly. Thank you, Mr. Chair. Welcome back. I hope you
had a good Thanksgiving.
Thank you, Chairman Hurd and Palmer, for holding this
important hearing today. There is no doubt that Russia, at the
direction of President Vladimir Putin, attempted to manipulate
our election and has worked to manipulate those of our western
allies. It was a broad and coordinated campaign to undermine
faith in democratic elections.
Earlier this year, the IT subcommittee explored the
Kremlin's efforts to use social media to influence voters.
Today, we are taking a look at another part of their effort to
undermine our democracy by hacking our voting machines and
election infrastructure.
More than 1 year ago, we held a hearing entitled
``Cybersecurity: Ensuring the Integrity of the Ballot Box.''
During that hearing, we took a look at State and Federal
preparations for any cyber attacks on our voting machines.
Today, we have a clearer picture of what transpired, but we're
still discovering new facts.
In September of this year, DHS notified 21 States that
hackers affiliated with the Russian Government breached or
attempted to breach their election infrastructure. In my home
State of Illinois, the hackers illegally downloaded the
personal information of 90,000 voters and attempted to change
and delete data. Fortunately, they were unsuccessful.
While we continue learning about the full scope of Russia's
election interference, one thing is clear: There will be
another attempt to manipulate our elections, whether it be
Russia, another nation state or a nonstate actor, even a
terrorist organization. The threats to our election
infrastructure are growing. So what are we going to do about
it?
Earlier this year, researchers at the DEFCON conference
successfully hacked five different direct recording electronic
voting machines, or DREs, in a day. The first vulnerabilities
were discovered in just 90 minutes. Even voting machines not
connected to the internet still contained physical
vulnerabilities like USB ports that can be used to upload
malware.
Alarmingly, many DREs lack the ability to allow experts to
determine that they have been hacked. Despite these flaws, DREs
are still commonly used. In 2016, 42 States used them. They
were more than a decade old, with some running outdated
software that is no longer supported by the manufacturer.
Updating our voting machines to audible, paper-based machines,
such as optical scanners, is a step we need to take right now.
Our election infrastructure is broad and contains numerous
vulnerabilities. If we are going to withstand a coordinated
attack, we need a coordinated defense. In January of this year,
DHS designated election infrastructure as critical
infrastructure. In this announcement, then DHS Secretary Jeh
Johnson was clear that this designation was not to be a Federal
takeover of State and local election infrastructure. Rather, it
was a designation intended to ensure that current State and
local officials have the resources necessary to secure their
elections.
Since then, former DHS Secretary and now White House Chief
of Staff, General John Kelly, has supported this designation.
This designation can help ensure that the cornerstone of our
democracy, our elections, remain fair and secure. But if this
designation is to be successful, we will all have to work
together. DHS and our State election officials must do a better
job of working together to detect and solve problems.
Again, I want to thank you, Mr. Chairman, for holding this
crucial hearing. Thank you to our witnesses for being here. I
look forward to hearing from all of you about how we can
continue protecting our democracy.
I yield back.
Mr. Hurd. It's always a pleasure to be with you,
Representative Kelly.
I'd like to thank my friend, Chairman Palmer, for the
Intergovernmental Affairs Subcommittee's cooperation and work
on this important issue. And now it's a pleasure to recognize
the ranking member of the Intergovernmental Affairs
Subcommittee, Mrs. Demings, for 5 minutes in her opening
remarks.
Mrs. Demings. Thank you so much, Chairman Hurd and Chairman
Palmer, for convening this hearing today. I'd also like to
thank Ranking Member Kelly for her leadership, and all of our
witnesses for joining us for this very important hearing.
I'm pleased that we're holding this hearing on a matter so
essential to democracy. While there are many issues that divide
us, the integrity of the voting process should not be in
question. Regardless of race, gender, sexual identity, ZIP
Code, income, every vote should count, every vote should count
the same. I believe that voting is the last true equalizer.
However, Russia's interference in the 2016 election and
intrusions in at least 21 State voter registration databases,
indisputable and confirmed by U.S. intelligence agencies that
forced us to acknowledge voting system security, has not kept
pace with the current and emerging threats from nations,
organizations, or even a single individual determined to
undermine our democracy.
Recently, I joined the Congressional Task Force on Election
Security. Just as we keep our homeland safe from physical harm,
so too must we harden our soft targets against cyber attacks.
The Task Force has heard from security professionals, academia,
and State and local elections officials. Their message is
clear: We must act now to protect our voting systems.
In over 40 States elections are carried out using voting
machines and voter registration databases created more than a
decade ago. These technologies are more likely to suffer from
known vulnerabilities that cannot be patched easily, if at all.
As we saw in the voting village setup at this year's DEFCON
hacking conference, even hackers with limited prior knowledge,
tools, and resources are able to breach voting machines in a
matter of minutes. We should not assume that State voting
machines are secure enough to withstand a state-sponsored cyber
attack. And there is no reason to believe that these attacks
will subside.
Congress must do its part--yes, we must--and help States
fund and maintain security election systems. This means funding
to purchase newer, more secure election systems and voting
machines with voter-marked paper ballots, helping establish and
certify baseline cybersecurity standards for those systems and
the vendors that service them, and encourage States to conduct
post-election risk limiting audits.
Our democratic process relies on voters' faith that their
vote does count. Election security is national security, and
our election infrastructure is critical infrastructure. With
just under a year until the 2018 midterm elections, it is
critical that we understand the vulnerabilities of the past and
secure our networks for the future.
I thank our witnesses again for sharing their testimony
today, and I look forward to this very important discussion.
Thank you so much.
With that, I yield back.
Mr. Hurd. Thank you, Ranking Member Demings.
And now I'm pleased to introduce our witnesses. First and
foremost, the Honorable Christopher Krebs, the senior official
performing the duties of the under secretary for National
Protection and Programs Directorate at the U.S. Department of
Homeland Security.
We have the Honorable Tom Schedler, Secretary of State for
Louisiana. Thank you for coming up here today.
Commissioner Cortes, the commissioner on the Virginia
Department of Elections. Sir, thank you for being here.
Dr. Matthew Blaze--excuse me--Blaze, associate professor of
computer and information science at the University of
Pennsylvania.
And Ms. Susan Klein Hennessey, a fellow in national
security and governance studies at the Brookings Institute.
Welcome to you all. And pursuant to committee rules, all
witnesses will be sworn in before you testify, so please rise
and raise your right hand.
Do you solemnly swear or affirm the testimony you're about
to give is the truth, the whole truth, and nothing but the
truth?
Thank you.
Let the record reflect that all witnesses answered in the
affirmative.
In order to allow time for discussion, please limit your
testimony to 4 minutes. Your entire written statement will be
made part of the record, and I appreciate you all's written
statements, especially all of you all had, you know, outlined a
number of interesting solutions to these problems, as well as
articulating the concerns that we have. So folks that are
interested in this topic, many of--all of these written
statements is valuable in understanding the state of where we
are.
As a reminder, also, the clock in front of you shows your
remaining time. The light will turn yellow when you have 30
seconds left. And when it starts flashing red, that means your
time is up. So please also remember to push the button to turn
your microphone on before speaking.
And we'd like to start with Mr. Krebs. You are now
recognized for 5 minutes--4 minutes, excuse me.
WITNESS STATEMENTS
STATEMENT OF HON. CHRISTOPHER C. KREBS
Mr. Krebs. Chairman Hurd, Chairman Palmer, Ranking Member
Kelly, and Ranking Member Demings, and the members of the
subcommittee, thank you for this opportunity to discuss the
Department of Homeland Security's ongoing efforts to enhance
the security of our elections.
In 2016, the United States saw malicious cyber operations
directed against U.S. election infrastructure and political
entities. Since January, we have reaffirmed the designation of
election systems as critical infrastructure and the clear-eyed
threats to our Nation's election systems remain an ongoing
concern.
The organization I lead, the National Protection and
Programs Directorate at the Department of Homeland Security, is
leading an interagency effort to provide voluntary assistance
to State and local officials. This interagency assistance
brings together the Election Assistance Commission, the FBI,
the intelligence community, NIST, and other DHS partners, and
is modeled on our work with other critical infrastructure
sectors.
Our Nation's election systems are managed by State and
local governments in thousands of jurisdictions across the
country. State and local officials have already been working
individually and collectively to reduce risks and ensure the
integrity of their elections. As threat actors become
increasingly sophisticated, DHS stands up in--stands in
partnership to support the efforts of election officials.
DHS offers three primary types of assistance: assessments,
information, and incident response. DHS typically offers two
kinds of assessments to State and local officials. First, the
cyber hygiene service for internet-facing systems provides a
recurring report identifying vulnerabilities in internet-
connected systems and mitigation recommendations. Second, our
cybersecurity experts can go onsite to conduct risk and
vulnerability assessments. These assessments are more thorough
and result in a full report of vulnerabilities and
recommendations allowing the testing. As we continue to
understand the requirements from our stakeholders, we'll refine
and diversify these voluntary offerings.
In terms of information sharing, DHS continues to share
actionable information on cyber threats and incidents through
multiple means. For example, DHS published best practices for
securing voter registration databases and addressing potential
threats to election systems.
We share cyber threat indicators and other analysis that
network defenders can use to secure their systems. The National
Cybersecurity and Communications Integration Center, the NCCIC,
works with the Multi-State Information Sharing and Analysis
Center to provide threat and vulnerability information to State
and local officials.
Election officials may also receive information and
assistance directly from the NCCIC or through field-based
cybersecurity advisors and protective security advisors.
Notably, we're offering security clearances initially to senior
election officials, and we're also exploring additional
clearances to other State officials.
In our third category, the DHS's NCCIC provides incident
response assistance to help State and local officials identify
and remediate any possible incidents. In the case of an
attempted compromise affecting election infrastructure, the
NCCIC shares anonymized information with other States to assist
their ability to defend their own systems in a collective
defense approach.
It is important to note that these relationships are built
and sustained on trust. Breaking that trust will have far-
ranging consequences in our ability to collaboratively counter
this growing threat.
To formalize and coordinate efforts with our Federal
partners and election officials, we have established the
Government Coordinating Council. We are similarly working to
formalize partnerships with private sector industry through a
sector coordinating council. Within this environment of sharing
critical threat information, risk management, best practices,
and other vital information, DHS is leading Federal efforts to
support and enhance security across the Nation.
Securing the Nation's election systems is a complex
challenge and a shared responsibility. There is no one size
fits all solution. In conversations with election officials
over the last year, in working with the EAC, NIST, DOJ, the
Department has learned a great deal.
First, as you'll hear from Louisiana and Virginia, election
officials already do great work. But like many other
institutions in government and the private sector, resources
remain a challenge. Not only budget for modernizing legacy IT,
but also workforce training and recruitment around these
critical skills. As we work collectively to address these and
other challenges, the Department will continue to work with
Congress and industry experts to support our State and local
partners.
Thank you for this opportunity to testify, and I look
forward to any questions.
[Prepared statement of Mr. Krebs follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Mr. Krebs.
And, Secretary Schedler, again, I want to thank you for
being flexible. I know this has been rescheduled a few times,
but your perspective and experience on this topic is important,
and thank you for being here. And, sir, you're now recognized
for 4 minutes.
STATEMENT OF HON. TOM SCHEDLER
Mr. Schedler. Thank you, Mr. Chairman, and thank you to
this committee for the invitation to participate today.
It's important for you to hear the perspective of those who
oversee elections across the country. My perspective comes from
serving as Louisiana's Secretary of State since 2010, and past
president of the National Association of Secretaries of State,
or NASS, which represents a majority of the Nation's chief
election officials.
Securing elections in the November 2018 and beyond is
critical and important to all of us and our Nation's
secretaries of state. We are not naive to the likelihood of
future cyber attacks, but we also know the use of paper ballots
can just as easily open up fraud vulnerabilities unless strong
protocols are followed by election officials. That's why all 50
States continue to prepare accordingly.
First, I'd like to share with you the important
developments taking place through NASS Election Cybersecurity
Task Force, which was established in February of this year.
This is a bipartisan body of the Nation's chief election
officials. In addition to helping States share information and
combat cyber threats, the task force assists in creating
partnerships with public-private stakeholders, including the
U.S. Department of Homeland Security and the U.S. Election
Commission as well.
NASS has been a key player in the development of new
Election Infrastructure Coordinating Council. This council is
required as a result of the new designation for elections as
critical infrastructure. The Council is designated or designed
to facilitate improved communications that, as you know, did
not go extremely well in 2016. NASS opposed the critical
infrastructure designation because our members were concerned
about the possibility of Federal overreach and because the
designation came without meaningful consultation with any
election officials.
My colleagues and I understood that we could continue to
get the same support and services from DHS without critical
infrastructure designation. So it seemed unnecessary. However,
the designation is still with us today, and we have made good-
faith efforts to work together with DHS. Part of that work
includes chief election officials obtaining security
clearances. We have often been told by DHS that they can't
share information because it is clarified--classified, excuse
me. Hopefully, these new clearances will address this problem.
Ensuring the integrity of the voting process is central to
the role of every chief elections officer, including myself.
And as some examples, in Rhode Island, Secretary Nellie Gorbea,
convened over 100 election and IT officials for a cybersecurity
summit. In West Virginia, Secretary Mac Warner has added an Air
National Guard cybersecurity specialist to his staff. Vermont
Secretary of State Jim Condos solicited a third party risk
assessment of data systems in 2015 that led to his office to
build a new firewall and began regular penetration testing.
Colorado Secretary Wayne Williams' office provides end point
protection software for counties to install on their computers
to detect viruses and malware functions.
And many States have or are developing disaster
preparedness and recovery plans that include strategies on
election systems and data are disrupted. In Louisiana, our
hurricane season, we are one of those States for sure that is
very expert in that field.
In terms of voting machines security, you remember that
with the passage of the Help America Vote Act in 2002, States
were required to purchase at least one piece of accessible
voting equipment for each polling place. The Election
Assistance Commission and the National Institute on Standards
and Technology began updating the existing voting system or
guidelines to address new systems such as DREs.
Last month, the EAC released their latest update to
volunteer voting systems guidelines. The guidelines are set for
manufacturing specifics that are certain standards of
functionality, accessibility, accuracy, audibility, and
security capabilities. And final approval by EAC is expected in
the spring of 2018.
In Louisiana, we take pride and go way beyond any current
standards with our voting machines. We are a top down State.
The State purchases, warehouses every voting machine in the
State. Additionally, we have the most current software
available in all of our voting machines, and we test each and
every one before and after elections. Once the machines are
tested, a tamper-proof seal is placed on them to protect
against any intrusion.
In Louisiana, because no one touches our voting machines
except our staff, because they are never sent out to a
manufacturer for repair, they are not handled by individuals or
companies who program voting machines because they are readily
tightly controlled by our office. We have the utmost of
confidence in the system.
We do need to prepare. Yes. We do need to continue to
update our processes and procedures. Yes. We do need to be
vigilant. Yes. As secretaries of state, at NASS, we are
currently looking for better practices that we can solicit from
various entities and groups. And most of all, we're looking for
the remaining $396 million in Federal HAVA that we have never
been appropriated to help us replace aging equipment purchased
over 10 years ago.
I'll certainly be available for any questions.
[Prepared statement of Mr. Schedler follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, sir.
And, Commissioner Cortes, I'd like the record to reflect
that you were prepared to come testify the day after your most
recent elections, and I appreciate your willingness to address
this body. And, sir, you're now recognized for 4 minutes.
STATEMENT OF HON. EDGARDO CORTES
Mr. Cortes. I'm Edgardo Cortes. I'm the Commissioner of
Elections in Virginia. In this role, I serve as the chief
election official for the Commonwealth, and I lead the Virginia
Department of Elections.
Virginia has 133 local election jurisdictions and over 5
million active registered voters.
So you have my written remarks, and today I'm going to
focus on the recommendations that I provided in there.
During my tenure, the Department has focused on using
technology to create a better voting experience for eligible
Virginians, and reduce the administrative workload for local
election officials, while increasing security and
accountability in our processes.
As part of the McAuliffe administration's focus on
cybersecurity, one aspect of these wide-ranging efforts has
been to strengthen the security and reliability of Virginia's
voting equipment, including the voting machines and the
electronic pollbooks used to administer elections in the
Commonwealth.
When I became commissioner in 2014, approximately 113 of
Virginia's 133 localities used paperless DREs that were over a
decade old and already past their expected end of life. I'm
happy to say that all Virginians voted using a paper-based
system in the November 2017 general election.
Virginia has twice been put in the unfortunate position of
having to decertify voting equipment and transition to new
equipment in a condensed timeframe based on security concerns,
previously used DREs. These steps, outlined in detail in my
written testimony, were not taken lightly. They placed a
financial and administrative stress on the electoral system.
They were, however, essential to maintain the public's trust
and the integrity of Virginia elections.
The November 2017 general election was effectively
administered without any reported voting equipment issues.
Thanks to the ongoing partnership between the State, our
hardworking local election officials, and our dedicated voting
equipment vendors, the transition to paper-based voting systems
on a truncated timeline was incredibly successful and
significantly increased the security of the election.
Although it's clearly possible to transition quickly, doing
so is less than ideal. I request that you consider the
following recommendations, which I believe will make these
issues much easier to manage in the future.
Number one, Congress needs to ensure sufficient Federal
funding is available for States to procure and maintain secure
voting equipment and increase security of all election systems.
This is a critical need and must be addressed immediately if
the funding is going to provide any assistance in time for the
2018 midterm elections.
Number two, the U.S. Election Assistance Commission has
been critical to ensuring that a baseline set of standards for
voting systems, adequate testing protocols, and certified test
labs are available to States. Congress must ensure the EAC is
fully funded so they can continue to be an exceptional resource
to State and local officials.
Number three, Congress should ensure the use of or--to
ensure the use of secure voting equipment in the future,
Congress should require Federal certification of all voting
systems used in Federal elections. This is currently a
voluntary process. Federal certification should also be
required for electronic pollbooks, which currently are not
subject to any Federal guidelines. Requiring Federal
certification for both of these will ensure there is a security
baseline for use across the country to ensure the integrity and
security of our elections.
And finally, Congress should establish some sort of
accreditation system for election administrator training to
ensure that the individuals responsible for this fundamental
American right are equipped with the appropriate skill and
knowledge set. Elections are an integral function of
government, and we still have much more to do in Virginia and
across the country to secure our election infrastructure from
potential threats, especially with the midterm elections
quickly approaching.
While we're extremely appreciative of the work and
assistance provided by the EAC and DHS to date, the Federal
Government can and should do more to assist States in
safeguarding this most fundamental American right.
Thank you again for inviting me to join you today and your
interest in hearing from election administrators about the work
being done to secure the Nation's voting systems. We look
forward to continuing to work with Congress to ensure
sufficient Federal resources are available to State and local
election officials to continue this important work. Thank you.
[Prepared statement of Mr. Cortes follows:]
Mr. Hurd. Thank you, sir.
Dr. Blaze, great to have you here. And having participated
and walked through the voting village at DEFCON, I saw up close
and personal what the white hat hacker community and security
research community does and the impact they have on public
policy. And so thank you for your efforts there, and you're now
recognized for 4 minutes.
STATEMENT OF MATTHEW BLAZE, PH.D.
Mr. Blaze. Thank you very much, Mr. Chairman, the ranking
members, and all of the members who are here today.
As a computer scientist who specializes in the security of
large scale critical systems, I've had an interest in
electronic voting technology since it was first introduced at
large scale in the United States after the passage of the Help
America Vote Act in 2002.
In particular, I led several of the teams commissioned in
2007 by the secretaries of state of California and Ohio to
evaluate the voting system products used in those States, as
well as elsewhere in the Nation. I also helped organize the
DEFCON voting machine hacking village that was held this
summer, at which these systems were made available really to a
larger community for the first time--for the first time ever.
Virtually every aspect of our election process, from voter
registration to ballot creation to casting ballots, and then to
counting and reporting election results is, today, controlled
in some way by software. And, unfortunately, software is
notoriously difficult to secure, especially in large scale
systems such as those used in voting.
And the software used in elections is really no exception
to this. It's difficult to overstate how vulnerable our voting
infrastructure that's in use in many States today is,
particularly the compromise by a determined and well-funded
adversary. For example, in 2007, our teams discovered
exploitable vulnerabilities in virtually every voting system
component that we examined, including back-end election
management software as well as, particularly, DRE voting
terminals themselves.
At this year's DEFCON event, we saw that many of the
weaknesses discovered in 2007, and known since then, not only
are still present in these systems, but can be exploited
quickly and easily by nonspecialists who lack access to
proprietary information such as source code. These
vulnerabilities are serious, but ultimately unsurprising.
The design of DRE systems makes them particularly dependent
on the really Herculean task of securing all of the software
components that they depend on. And this would be, under the
best of circumstances, an extraordinarily difficult thing to
do. So what we're seeing is both alarming as well as
unsurprising.
Worst, as we saw in 2016, we largely underestimated the
nature of the threat to the extent these systems are intended
even to be secure. That is, they're designed against a
traditional adversary who wants to cheat in an election and
alter the results. But there's actually an even more serious
adversary, a nation state or a state actor who might seek to
disrupt an election, cast doubt on the legitimacy of the
outcome, and cause a threat to our confidence in legitimacy of
our elected officials.
I discuss all of these issues in detail in my written
testimony, and I offer really three particular recommendations.
The first is that paperless DRE voting machines should be
immediately phased out from U.S. elections, in favor of systems
such as precinct counted optical scan ballots that leave a
direct artifact of the voters' choices.
Secondly, statistical risk limiting audits should be used
after every election to enable us to detect software failures
in the back-end systems and recover the true election results
if a problem is found.
And then, finally, additional resources, infrastructure,
and training should be made available to State and local voting
officials to help them more effectively defend their systems
against increasingly sophisticated adversaries.
So thank you very much.
[Prepared statement of Mr. Blaze follows:]
Mr. Hurd. Thank you, sir.
Ms. Hennessey, you're now recognized for 4 minutes.
STATEMENT OF SUSAN HENNESSEY
Ms. Hennessey. Thank you to Chairman Hurd, Ranking Member
Kelly, to Chairman Palmer, and Ranking Member Butler Demings,
and to the distinguished members for the opportunity to speak
to you today.
My name is Susan Hennessey. I am the executive editor of
Lawfare and a fellow at the Brookings Institution where my
research focuses on the law and policy governing cybersecurity
and surveillance. Prior to Brookings, I served as an attorney
for the National Security Agency, though my comments today
reflect only my personal views, and not those of my current or
prior employer.
I'd like to begin by noting how extraordinary it is that a
full year after the last presidential election, there is still
enduring attention to the issue of election security. This
moment really represents a remarkable opportunity to take long
overdue steps towards securing Federal and State elections. In
order to do so, however, it is necessary to carefully define
the issues and to disentangle pure election security from
broader information operations, or covert influence campaigns.
Information operations certainly impacts the broader
context in which elections occur, but they are distinct
problems with distinct solutions.
The matter currently before these committees is narrower,
but no less pernicious: the threat to election infrastructure
and voting systems related to the management and administration
of elections. The election security threat is not limited
exclusively to changing the vote counts. As other experts have
testified here today, altering vote tallies is technically
possible. However, it remains difficult to do so on the scale
necessary to predictably change the outcome of the statewide or
national election.
The probable actors with both the incentives and technical
capacity to carry out sophisticated attacks are foreign
governments, which would need to avoid both forensic detection
and that of the U.S. and allied intelligence communities.
Unfortunately, U.S. adversaries have a far more achievable aim,
to undermine the confidence of the American people in their
government and their processes and institutions, and in the
selection of their leaders. To do so, a malicious actor needs
only to penetrate systems in a manner that introduces
uncertainty. This landscape increases the importance of being
cautious in how we discuss election security issues to avoid
inadvertently undermining confidence ourselves.
Congressionally driven solutions should account for
international and domestic realities. Internationally, while
most recent attention has been on Russia, any number of U.S.
adversaries, including China, North Korea, and Iran, possess
the capabilities and interest to be of genuine concern.
Enduring solutions cannot be country-specific.
Domestically, a strong tradition of Federalism and election
administration ensures that despite clear constitutional
authority, any perceived Federal overreach will meet strong
resistance from States on political and policy grounds. Keeping
those features and the nature of the threat in mind, I believe
Congress should adopt the following broad solutions which are
detailed more extensively in my statement for the record.
First, to direct the development of a national strategy for
securing elections aimed at protecting systems, deterring bad
actors and bolstering public confidence. Second, provide
Federal resources to States in the form of funding, support,
and best practices. Third, regulate election technology
vendors, which currently operate in limited and proprietary
markets that leave States with insufficient power to dictate
security standards. Fourth, lead the development of
international norms against election interference.
Finally, Congress, as our primary elective body, must renew
and sustain political commitment to the issue of election
security, and reestablish norms that have been broken in the
way we discuss election integrity and outcomes.
Thank you, again, for the opportunity to address you today.
I look forward to taking questions on this important national
security issue.
[Prepared statement of Ms. Hennessey follows:]
Mr. Hurd. Thank you.
And to start off our first round of questions will be the
distinguished gentleman from Alabama, Chairman Palmer. You're
recognized for 5 minutes.
Mr. Palmer. Thank you, Mr. Chairman.
Dr. Blaze, what do you think is the biggest takeaway from
the DEFCON report?
Mr. Blaze. So I think the biggest takeaway is both alarming
and yet unsurprising, and that is that vulnerabilities that we
knew in principle were present are, in fact, exploitable in
practice by nonspecialists.
Mr. Palmer. Here's a question that I'm going to direct to
you but some others may want to respond to it. I'm very
concerned about foreign influence on our elections. But we--to
the last year, particularly the last few years, we've had
hundreds, if not thousands, of reports of domestic voter fraud,
whether it's voter register, it's manipulation of ballots at
the polling place. Is that not also a threat to our elections?
Mr. Blaze. Well, certainly, you know, the potential threats
to our election are very broad, and they include everything
from the voter registration process through the reporting of
election results. My concern as a computer scientist, and my
expertise, is particularly on the technical vulnerabilities
present in these systems as they're designed and built. And
what, really, every expert who has looked at these systems has
found is that the attack surface of these machines leaves us
particularly vulnerable----
Mr. Palmer. But not just to foreign----
Mr. Blaze. --adversary----
Mr. Palmer. But not just to foreign interference but
domestic interference as well. Wouldn't you agree?
Mr. Blaze. Absolutely. A determined domestic adversary----
Mr. Palmer. So someone with a political agenda could--if
they had the technical expertise, would be as much a threat as
a foreign entity. Would that be a reasonable conclusion?
Mr. Blaze. That's right. Particularly someone interested in
disrupting an election, or casting doubt on the legitimacy. The
way these systems are--particularly DRE-based systems are
designed, it's very difficult to disprove that tampering has
occurred. And, ultimately, that's a critical aspect of being
able to have confidence in the result.
Mr. Palmer. One of the things that particularly concerns me
is, is that you can be disconnected from the internet, from
WiFi, and still hack a machine because of the potential of
parts within the machine, foreign-manufactured parts. Can you
talk briefly about that?
Mr. Blaze. That's right. The design of DRE systems makes
their security dependent not just on the software in the
systems, but the hardware's ability to run that software
correctly and to protect against malicious software being
loaded. So an unfortunate property of the design of DRE systems
is that we have basically given them the hardest possible
security task. Any flaw in a DRE machine's software or hardware
can become an avenue of attack that potentially can be
exploited. And this is a very difficult thing to protect.
Mr. Palmer. Do we need to go to, even if we have some
electronic components, to back it up with paper ballots?
Because your fallback position is always to open the machine
and count the ballots.
Mr. Blaze. That's right. So print and counted optical scan
systems also depend on software, but they have the particular
safeguard that there is a paper artifact of the voter's true
vote that can be used to determine the true election results.
Paperless DRE systems don't have that property, so we're
completely at the mercy of the software and hardware.
Mr. Palmer. As inconvenient as it might seem, I mean, for
years and years and years, we relied on paper ballots. It
doesn't seem unreasonable that that would be a great safeguard.
I want to ask Secretary Schedler and Cortes about this. In
Alabama, it's a mixture of voting machines. Do you have that as
well? I mean, do you have kind of an all over the roadmap?
Mr. Schedler. Congressman Palmer, Louisiana is what we call
a top-down system. We control, as I indicated in my opening
comments, all of our own machines. We warehouse our own
machines. You know, we do have a tape system of paper behind
that that we can audit specifically with three different types
of processes. It has never been unproven in a court of law. And
the only thing I want to add to the DEFCON is that, look, I
welcome anyone from the academic side to look at any system.
But let's put it in contents. The contents is an unfettered
access to a machine that's given to them in a laboratory. Let's
talk about when you discover--and I'm certain the professor
from University of Pennsylvania, or MIT, or anyone, if I gave
them unfettered access to a machine can figure out how to
tinker with that machine or disrupt it. That machine.
In Louisiana, as most States, the machines are not linked
together. Each one has a separate cartridge to itself. And I
guess the implication is that at the point of programming, you
could do something to that. I guess that's possible, and I
wouldn't argue that point with someone much more learned on
that subject than I.
But, again, in a top-down system, that would mean someone
in my office, on a computer that is cleaned and scrubbed before
an election and after, would have to have access to that
program and equipment in my office.
The other thing that's never mentioned in any of the
hacking of a machine is after you figure out what you're going
to do, has anyone yet ever sat down and discussed--and I'll
only give you Louisiana--in roughly a 36-hour period, after we
go into the machine, put a metal clamp like you have on your
electrical box at your home, with a serial number, figure out
they're going to get into 64 warehouses across my State, go
into 10,200 machines, undetected under camera, no one saw you,
unscrew the back of the panel, do what you're going to do, put
the panel back on, and figure out how you're going to put that
metal clamp back on.
So the point I'm making is that a lot of these things that
we talk about are certainly possible. But I would suggest to
you the amount of people you'd have to put in play to commit
this fraud, it would be easier to do a stump speech and
basically convince them to vote your way, the legal way.
Now, there is no such thing as a perfect election. None.
There are issues that occur from electricity going out, to
fires at a precinct--I could go on and on--flooding in
Louisiana and the like. But, you know, one of the things that
everybody has to understand is all of these conversations
around this all deter voter participation, whether you believe
it or not.
Mr. Palmer. Let me just say this, Mr. Chairman. I
appreciate your answer, Mr. Secretary. Is that a couple of
things that I hope that we're sensitive to. One is that we
don't want the Federal Government's involvement in this to
infringe upon the State's authority to conduct elections. And
then the other is, is that we don't want to just be so focused
on foreign interference that we don't give due diligence to
addressing the domestic threat as well.
I yield back.
Mr. Hurd. Ranking Member Kelly, you're now recognized.
Ms. Kelly. Thank you, Mr. Chair.
Mr. Krebs, I wanted to ask about your agency's efforts,
DHS, to notify 21 States about Russian attacks on their State
election systems. On October 20, Ranking Member Cummings and I
sent a letter to DHS requesting copies of the notifications you
sent to 21 States that were attacked before the last elections.
And, Mr. Chairman, I ask for unanimous consent that this
letter be made part of the official record for today's hearing.
Mr. Hurd. So ordered.
Ms. Kelly. In our letter, we also asked for other
materials, including all documents, and I quote, ``relating to
Russian Government-backed attempts to hack State election
systems.'' Our letter asked for these documents by October 31,
but we got nothing. So earlier this week, the Republican
committee staff kindly agreed to help us make crystal clear to
DHS that we wanted these documents before today's hearings so
we could ask informed questions. DHS assured us that they would
respond. Instead, late in the day yesterday DHS sent us only an
email with a short script that DHS employees apparently read
over the phone to State election officials.
Mr. Krebs, I'm just asking, where are the rest of the
documents that we requested?
Mr. Krebs. Ma'am, I'm aware of the script that was
provided. A lot of those notifications were over the phone.
They were not via email. There may have been some follow-up
conversations. As to the rest of the documents, if you'll
permit me to go back, and I commit to you that we will have a
more fulsome answer for you. But as to the specifics of each
document, I would have to go back and check on that.
Ms. Kelly. Okay. I'm counting on you----
Mr. Krebs. Yes, ma'am.
Ms. Kelly. --to deliver. Because the telephone script is
literally only 13 sentences long. It does not refer to any
specific State or any specific attack. It is just a generic
script that provides no additional information at all.
And, you know, just curious about where are all the
supporting documents that we requested that set forth the
details of the attack? And, with all due respect, the telephone
script does not help us do our job, which will help you in
turn.
You have not provided us with any information about the
tools the attackers used, or the tactics that they utilized, or
any information on the results of your conversations with these
States or the steps you took to follow up. So it's been more
than a month since we asked for those documents, and the
majority wants those documents also. Can you tell us what the
holdup is?
Mr. Krebs. Ma'am, I'm not aware of any particular holdup.
What I will say is the nature of the conversations we've had
over the last, frankly, year with the States--and I've had a
number of conversations with Secretary Schedler, my team has
regular conversations with Commissioner Cortes, and a range of
other State election officials. When you characterize these
things as attacks, I think that that is perhaps overstating
what may have happened in the 21 States as was mentioned over
the course of the summer.
The majority of the activity was simple scanning. Scanning
happens all the time. It's happening right now to a number of
probably your websites. Scanning is a regular activity across
the web. I would not characterize that as an attack. It's a
preparatory step.
In terms of those scripts, there are two scripts. One
script was provided to States that wanted additional
information if they were included in that batch of 21. And in
the other script is for those States that were not in that
batch of 21. So if that context was not provided, I apologize,
and I'm happy to follow up and make sure that you get the
information that you're looking for.
Ms. Kelly. Okay. And I just want to make sure the chairman
is willing to work with me today by directing DHS to provide
all the documents actually within 1 week, and that I hope we
can work together to get these documents as soon as possible,
hopefully in 1 week. Because this hearing is supposed to be
about cybersecurity of voting machines and our investigation
should be bipartisan. Yet, DHS is withholding the very
documents that would help us, on both sides of the aisle, help
our committee understand how our State election systems were
attacked by the Russians. So I look forward to your cooperation
and working with my chairman.
I yield back.
Mr. Hurd. Would you yield to me?
Ms. Kelly. Of course.
Mr. Hurd. Mr. Krebs, was there anything other than scanning
done at those 21 locations?
Mr. Krebs. The vast majority of those 21 States were, in
fact, scanning. There was a very small subset of those groups
that there was a compromise on the voter registration side, but
not within the tallying. And then there was some additional--a
small group, also, that had some targeting. So we actually
winnowed it down.
Now, when we talk about that scanning, it was not, also,
necessarily an election system that was scanned. That's
additional context that we provided to our partners in the
State election offices. What we saw in a lot of those cases
was, frankly, drive-bys. It was--you know, you think about
walking down the street, and you're looking for a house. You
knock on the door. You don't know what's there. You may be
looking to get into the neighbor's house, looking for a key. I
apologize for the kind of mundane analogy. But that's simply
what we saw was doing a drive-by, seeing what was there, seeing
if the door was locked. In a lot of the cases, as Secretary
Schedler pointed out, there was adequate protections involved.
Mr. Russell. So, Mr. Krebs, you'll be able to provide us
with the details of who was in addition to scanning and what
the nature of that contact was?
Mr. Krebs. In terms of the States that were targeted or
scanned, that's a difficult conversation because the
information is provided to us based on trust, just like all our
other relationships with the critical infrastructure community.
The fact that we don't have statutory authorities to compel, we
are engaging on a trust-based relationship here. If I then turn
around and share information that Tom provided to me outside of
the scope of that confidential relationship, Tom will never
share with me again.
In fact, Edgardo will never share with me again. And this
is going to jump out of this relationship. And the entire
cybersecurity mission of the Department of Homeland Security,
it is a voluntary mission. That entire mission will be
jeopardized if we divulge confidential information.
So I am happy to provide contextualized information on the
nature of those 21 States. But in terms of the 21 States, I
suggest you reach back to your--and I will help with you to
reach back to your States--ma'am, you mentioned that your State
may have been one. I will help you have that and facilitate
that conversation. But today, while we're sitting here, I also
encourage you to ask my counterparts here from the States.
Mr. Hurd. Mr. Duncan, you're now recognized for 5 minutes.
Mr. Duncan. Thank you very much, Mr. Chairman.
I want to go back into this DEFCON conference from this
past July. The article that I have said participants tested
over 25 pieces of election equipment, and every piece was
effectively breached in some manner. And it says in the DEFCON
report on the voting machine hacking, the results were, quote,
``By the end of the conference, every piece of equipment in the
voting village was effectively breached in some manner.
Participants with little prior knowledge and only limited tools
and resources were quite capable of undermining the
confidentiality, integrity, and availability of these systems.''
And back just a few months ago when they had the worldwide
cyber attacks, I don't often quote a liberal--don't often quote
liberal magazines in here, but Robert Kuttner, the editor of
The American Prospect Magazine, he wrote this. This was written
in The Huffington Post. He said, ``Last week's cyber attack to
produce the wrong reasons''--``the wrong lessons.'' The
immediate takeaway seems to be that large institutions need
much better cybersecurity systems. But there's a much simpler
and better solution. Vital systems that can't withstand the
catastrophic risk of malicious hacking should just go offline.
Hackers will always be able to find ways of getting into
network systems. The fantasy of ever-better cybersecurity is
delusional. We could spend half the GDP on network security and
someone will still find a way to breach it.
I know that we have addicted almost everyone in this
country to the computers and the iPads and so forth. But I tell
ya, I believe that cybersecurity is a multi-billion-dollar
hoax. And I'm sure what we're going to do, we're going to spend
untold billions trying to come up with these systems that, as
Mr. Kuttner says, it's a fantasy.
And I think the solution should be that we should go to the
Canadian system. I read several years ago that they had much
smaller precincts. They're usually on average of 500 people per
precinct, and they use paper ballots. And I know that's old
fashioned. But I think we're headed down the wrong path here.
It's a path that I'm sure we're going to go on. But I think
that--I agree with Mr. Kuttner and also the findings of this
DEFCON report.
Anybody want to say anything?
Mr. Schedler. I'll just say Louisiana is not one of the 28
States--21 States. Excuse me. So you can scratch one off.
Mr. Hurd. Thank you.
Mr. Duncan. All right. Well, I yield back, Mr. Chairman.
Mr. Hurd. Ranking Member Demings, you are now recognized
for 5 minutes.
Mrs. Demings. Thank you so much, Mr. Chairman.
You know, as we continue this discussion today, I cannot
help but think about my own parents. My mother was a maid, and
my father was a janitor. They didn't have a lot that other
people had, but they did have their votes. And I cannot
remember an election growing up where they did not cast that
vote. They believed that it mattered. And I would hope that
every witness here today and every member of our subcommittee,
regardless of if you were a billionaire or a maid and a
janitor, that we would all work to protect the integrity of our
voting system in the greatest country in the world.
So, Dr. Blaze, I want to go back to the DEFCON report that
we've talked quite a bit about today. And I certainly listened
to some of the comments my colleague, Mr. Duncan, made about
how these systems were breached. But could you please talk a
little bit more about the equipment that was used to breach the
systems? Was it sophisticated equipment or not? And what kind
of prior knowledge did the breachers have, if any at all?
Mr. Blaze. So, first of all, I'd like to point out the
DEFCON Voting Village was not intended to be a formal security
assessment. It was an informal opportunity for people from a
broader community, really for the first time, to get access to
actual voting equipment.
We got about five different models of voting machine and
electronic poll book, made them available. We made available
the reports that had been published about these equipments in
some cases. And that was it. We opened the doors on Friday
afternoon, and people came in and any tools and equipment that
they brought to that, they were--they had to bring in
themselves. There was no access to any proprietary information,
no computer source code was available. Just the equipment and
electricity.
Mrs. Demings. And I know some or many have criticized or
questioned the vulnerability of the ability to hack the systems
because of the decentralized nature of the machines. Do you
agree that the decentralized nature of our elections protects
us from disruption or not so much?
Mr. Blaze. You know, it's a double-edged sword. The fact
that we have highly heterogeneous systems that are
decentralized in their administration makes it difficult for
somebody to do a single thing that will affect us on a national
scale. And that is, in fact, an important safeguard. But it
cuts both ways. There's, in fact, only a relatively limited
number of different models of voting equipment used in the
United States. And an adversary, particularly a foreign state
actor interested in disrupting our election process, has the
luxury of being able to pick the weakest systems and need only
find the most poorly administered and the most vulnerable
systems to do sufficient damage to suit their needs. So while
it may make us more secure against somebody with one-stop
shopping disrupting a national election, it actually increases
our vulnerability to some disruption happening, perhaps
sufficient disruption that we don't have confidence in the
outcome.
Mrs. Demings. We've heard a lot about the need for an
audit. What type of audit do you believe would have to be
performed on a paperless voting machine to verify the vote
counts or verify that the vote counts had not been altered?
Mr. Blaze. So paperless voting machines essentially are
voting computers that are completely dependent on the software
that was running on them at the time of the election. There is
no fully reliable way to audit these kinds of systems. We may
get lucky and detect some forensic evidence. But, ultimately,
the design of these systems precludes our ability to do a
conclusive audit of the voter's true intent. That's why
paperless systems really need to be phased out in favor of
things like optical scan paper ballots that are counted at the
precinct but backed by an artifact of the voter's true intent.
Mrs. Demings. Thank you, Dr. Blaze.
And, with that, I yield back.
Mr. Hurd. Mr. Mitchell, you're recognized for 5 minutes.
Mr. Mitchell. Thank you, Mr. Chair.
Mr. Krebs, could you help me with one thing? On June 21st,
Secretary Johnson--and this is a quote--appeared before the
House Permanent Select Committee on Intelligence. He said: ``To
my current knowledge, the Russian Government did not, through
any cyber intrusion, alter any ballots, ballot counts, or
reporting of election results.'' Has anything changed since
that point in time that you're aware of?
Mr. Krebs. Not to my knowledge. No, sir.
Mr. Mitchell. So you have received no information that the
election results, either at the Federal level or the States you
looked at, were altered in terms of counts or outcomes?
Mr. Krebs. No, sir, I don't have any additional or contrary
information to----
Mr. Mitchell. Do you have any indication that any actor, be
they foreign agency or domestic, actually attempted to
influence the vote counts or ballot activity?
Mr. Krebs. Sir, I believe that's a different question.
Mr. Mitchell. Yes. You're correct.
Mr. Krebs. My understanding, the intelligence assessment is
that a foreign adversary--now, if I can back up. You said June.
June of 2016?
Mr. Mitchell. 2017. June 21, 2017.
Mr. Krebs. So former Secretary Johnson.
Mr. Mitchell. Former Secretary. I'm sorry, yes.
Mr. Krebs. So since then, any opportunity to influence, is
that your question?
Mr. Mitchell. The question is, did you find any indication
that there was any effort to, by domestic or foreign influence,
to affect the ballot results since that point in time?
Mr. Krebs. No, sir.
Mr. Mitchell. Thank you.
Let me ask the group as a whole. I think the consensus is
that the integrity of our election is a national infrastructure
issue. Anybody disagree about that? It's every bit as important
as our roads, our ports, our waterways. You know, we don't
invest any Federal money, never mind Federal standards or some
guidelines on that. Is anybody opposed to the idea that we go
forward with some form of a--we invest to support that program
with some kind of guidelines the States can choose to whether
they want to participate or not?
Mr. Schedler. I think best practices would be a better word
to use. I think that the States as a whole--and I speak in a
nonpartisan fashion----
Mr. Mitchell. Sure.
Mr. Schedler. --would be adamantly against an intrusion of
the Federal Government----
Mr. Mitchell. Oh, I agree.
Mr. Schedler. --of course we would do it, because it's in
the Constitution. But certainly best practices. I think there
is a lot of evidence of that with some of the entities that
are out there today. We welcome additional ones. Certainly,
we're not----
Mr. Mitchell. Let me clarify for you, Secretary. I wasn't
suggesting that we impose a system on the States, simply we
have a grant program with a range of options, and States,
particularly areas----
Mr. Schedler. Usually, the grant programs have strings
attached.
Mr. Mitchell. Well, if the grant program said, do you want
to update your equipment, and it meets certain sets of
expectations and security, you can choose to do it or not.
Mr. Schedler. Right.
Mr. Mitchell. If you don't----
Mr. Schedler. If it's voluntary and we can accept it, and
we can accept whatever strings come with it, and you can turn
it down, I have no problem.
Mr. Mitchell. Commissioner Cortes, you have any feedback on
that?
Mr. Cortes. Yes, sir. I think resources for States to
either purchase equipment, or for those that have already moved
to equipment to do other things to strengthen the security of
the election, whether it be electronic poll books or a
registration system, would be greatly appreciated and something
that we would certainly support.
Mr. Mitchell. It just occurs to me, why don't we do that
for our highways. We do that for our ports. But yet we expect
magically the elections are going to happen with local
resources, without, frankly, minimal support.
Let me give you an example. Mr. Duncan talked about would
we not be better off with paper ballots. You have any feedback
on simply going to a full paper system or some system that's
paper dependent?
Mr. Schedler. And you're referring to a paper system at a
poll location, not a mail paper ballot?
Mr. Mitchell. Correct.
Mr. Schedler. Okay. I'm not opposed to that. Matter of
fact, the system that we're looking at--we're not out for bid
yet--would be one that would produce--even though you would
vote on an electronic machine, it would produce an actual paper
ballot----
Mr. Mitchell. My whole concern with that----
Mr. Schedler. --and then a cast ballot only with that point
when you put it into a secure box.
Mr. Mitchell. My concern with that, and Dr. Blaze makes the
point, is that if you produce a paper result after you put
something into the machine, if, in fact, the machine is
tampered with, you could, in fact, end up just confirming the
tampered information.
Mr. Schedler. Yes, sir. But we do have, currently, at least
in the machines I use, a paper--I don't want to call it a cash
register receipt, but for just the purposes of this meeting--
that we can produce and audit back. So there's several audits
even though I don't have a paper ballot of Mr. Mitchell, I can
certainly use that in a court of law, and we have been very
effective with that.
Mr. Mitchell. Well, as Dr. Blaze states----
Mr. Schedler. There's one thing I do want to mention. In
this whole conversation is the segregation of the vulnerability
side of the registration, or a poll book versus voting day. No
State--no State--votes online in cyberspace.
Mr. Mitchell. I know that.
Mr. Schedler. So how do you attack something in cyberspace
that's not in cyberspace?
Mr. Mitchell. Right.
Mr. Schedler. And there's one or two exceptions to that,
Alabama with military voting, Alaska, in some remote areas. And
I think there's one other State. But a minuscule amount of
votes.
Mr. Mitchell. Let me--time--deference, Mr. Hurd?
Mr. Hurd. [Nonverbal response.]
Mr. Mitchell. I understand, and I think Dr. Blaze's
suggestion that an optical scan system allows you to have the
original source document that says, you know, voter number 028
voted this way. So that, in fact, you don't depend on the
system to generate it. But that's something we can deal with.
Question, you all are aware of what happened in Michigan in
terms of the Federal election, that 60 percent of the precincts
in the city of Detroit, they couldn't do a recount because the
numbers didn't match?
Mr. Schedler. No, sir, I'm not aware of that.
Mr. Mitchell. There were more voters that voted--
admittedly, only 728, nevertheless. There were more votes
counted than there were voters, and there were 328 that were
listed as voting but the ballots never showed in the count.
That meant that 60 percent of the precincts in the city of
Detroit weren't auditable.
I guess my point is, is you couldn't do a recount. I think
something we need to encourage the States to do is have an
audit system where we raise these issues of why those
disparities, and how we prevent them. Because that's--if, in
fact, we need to do a recount, it was not possible to do within
the city and several other jurisdictions.
I'll submit for the record, Mr. Chair, the article--I'll
have this submitted for the record--of what transpired in
Detroit, which was a paper-then-scan system. They still managed
to lose enough votes that they couldn't recount.
Mr. Krebs. Yes, sir. And I brought that out in my comments.
Even with a paper system, you still got to have some good
protocols. It's not foolproof by any means.
Mr. Mitchell. Agreed. Agreed.
Thank you, Mr. Chair, for the deference, and I yield back.
Mr. Hurd. The distinguished gentleman from the State of
Missouri, Mr. Clay, you are now recognized for 5 minutes.
Mr. Clay. Thank you, Mr. Chairman. And I want to thank the
witnesses for your testimony today.
Last June, the vice chair of the Presidential Advisory
Commission on Election Integrity, Kris Kobach, made an
extraordinary request of all State election directors to
transmit to the White House the confidential information and
voting history of all Americans living in their State. Mr.
Kobach directed the State elections officials to provide the
sensitive data to a government email address with no apparent
means of securing that data.
Dr. Blaze, please explain the data security issues with
transmitting sensitive voter data over email.
Mr. Blaze. Well, I'm not familiar with the precise nature
of the request. But as you've described it, certainly sending
that kind of information over an ordinary unencrypted email
system would be fraught with many security and privacy issues.
Mr. Clay. If confidential voter data were revealed due to
insecure transmission, could that provide means to infiltrate
State election systems?
Mr. Blaze. Yes. That sort of information would--could
potentially be quite valuable to an adversary interested in
targeting particular polling places or individuals or areas. So
information about historical voting patterns and about
individual registered voters can be quite sensitive.
Mr. Clay. I see.
Secretary Schedler and Mr. Cortes, I understand your States
did not comply with Mr. Kobach's request. Could you explain
why?
Mr. Cortes. Congressman, that's correct. Virginia did not
provide any data that was requested from the Commission. We had
significant concerns related to the sweeping nature of the
request. And, you know, we spent a lot of effort and a lot of
resources protecting our voter data of Virginians. So to take
that and turn it over to a Commission with no sense of what it
was going to be utilized for, how it was going to be stored and
maintained, raised significant concerns for us. And so we
declined to provide anything whatsoever.
Mr. Clay. Thank you for that.
Mr. Schedler?
Mr. Schedler. Mr. Congressman, we likewise refused that.
But I do want to clarify one thing that has been lost in this
whole debate. And why Mr. Kobach, my colleague, did not early
on clarify his position. I watched him for 4 days on national
news networks. But if you go back and look at the original
request, he truly didn't ask for that. What he asked for was
what was available publicly under State law. And then, after
that, instead of putting a period, he went on with Social
Security number and other--why he did that, I don't know. He
caused me a lot of heartburn in my State with thousands of
emails and Facebook posts and the like.
So to answer your question, no, I did not supply that to
him. I told him for $5,000 and a credit card, we'd be glad to
supply him the public informational data that you could get on
anyone from Google, quite frankly more information. But you're
correct, putting that out in the fashion it was.
But I do want to say this: It wasn't just the Trump
administration that asked for that. I was posed with that under
three defiances to a Federal judge to produce that under
President Obama's administration through a Department of
Justice----
Mr. Clay. I see.
Mr. Schedler. --in a lawsuit from several entities. And I
refused President Obama, and I refused President Trump. So I am
consistent.
Mr. Clay. Well, let me ask you. That brings me to another
question for you and Mr. Cortes.
Are you aware of any cases of voter impersonation in your
State? Mr. Cortes, you can take it first.
Mr. Cortes. Congressman, I'm not aware of any instances of
voter impersonation taking place in Virginia. No.
Mr. Clay. So no pending cases or anything like that?
Mr. Cortes. Not that we're aware of, sir, no.
Mr. Schedler. No, sir. We wouldn't in Louisiana. I mean, we
have some issues. But let's put it this way: If we have had
one, it's never been prosecuted or been able to be proven.
Mr. Clay. Don't you think it's a little difficult to get
enough voters to show up, let alone someone showing up and
impersonating someone else?
Mr. Schedler. Well, I think the real issue is--and, alluded
again, we separate the distinctions in the election system. The
registration side, list maintenance, some States do a better
job than others. I know our current President has alluded to 3
to 5 million voters. What he's referring to is 3 to 5 million
potential voters on registration lists. The voter fraud would
be one of those individuals who shouldn't be on there showing
up at the poll and voting. It may be that. It may be more. It
may be less. But----
Mr. Clay. But you and I know people have the same names.
Mr. Schedler. Yes, sir. Yes, sir.
Mr. Clay. So that shouldn't disqualify them from being----
Mr. Schedler. No, but that's why we have identifying
information----
Mr. Clay. --a qualified registered voter.
Mr. Schedler. --like mother's maiden name, Social Security
number, date of birth, that we can distinguish those
differences.
Mr. Clay. Sure. All right.
Mr. Schedler. Like in the State of Louisiana, we have a
bunch of Heberts and Thibodeauxs, but we can distinguish it by
a birthday or mother's maiden name.
Mr. Clay. Well, look, I thank you all for your engagement,
and my time is up. Mr. Chairman, I yield back.
Mr. Palmer. [Presiding.] I thank the gentleman.
Just a point of clarification. You did have reports of
illegal voting in both your States. In Virginia, you had over
1800 illegals that apparently were reported voting. Is that
correct, Commissioner Cortes?
Mr. Clay. Mr. Chairman, I asked about voter impersonations,
someone else showing up and saying that they are someone other
than who they are.
Mr. Palmer. Thank you.
Mr. Clay. And you know that's what the photo ID laws are
all about.
Mr. Palmer. Right.
Mr. Cortes. Congressman, I believe you asked about our
reports regarding illegal voter. We don't agree with either
the findings of the report, or, frankly, how the analysis was
done. There are a lot of problems in there that we have
indicated publicly. You know, in terms of proving, or, you
know, identifying individuals that are citizens or not on the
voter rolls is exceptionally difficult. And the processes that
we have in place in Virginia, I think, capture and prevent
anybody from voting illegally or improperly. And so the report
you're referring to, I think, was very faulty in its analysis
and really took information and made sweeping general
statements without taking into account the reality, despite our
best efforts to communicate with the report authors about it.
Mr. Palmer. Thank you.
In Louisiana, it's either Hebert or Hebert. So I can
understand the problem you have there.
Mr. Schedler. Depending on what part of Louisiana.
Mr. Palmer. The chair recognizes the gentleman, Mr.
DeSaulnier, from California, for 5 minutes.
Mr. DeSaulnier. Being from California, I wouldn't recognize
either version.
I just want to thank the chair, and I want to thank all of
the people who are testifying in front of us today. And for the
Secretary, I both agree with you, but maybe we have a small
difference of opinion. The importance of the integrity of the
voting process is obviously supreme for all of us sitting in
this room. But raising legitimate concerns about the integrity
of that, making sure that we are pursuing best practices in a
world that's changing dramatically, I think, is what we're all
concerned with. So in that regard, I'm hearing two sort of
versions of things here from the panel.
And, Ms. Hennessey, in your research--I got a quote from
Michael Vickers, who used to be the Pentagon's top intelligence
official, who said, quote, ``This attack is really the
political equivalent of 9/11. It is deadly, deadly serious.''
The attacks that we have seen both against the United States,
in my view, but also against western democracy. And this goes
to undermining democracy. So we want to make sure, I would
think, in Congress, that we're doing everything to make sure
that we're ahead of it and questioning our existing system.
So you made a number of suggestions. First off, is there
any doubt in your research that these hacks are attributable to
Russia, these significant hacks?
Ms. Hennessey. Certainly, the intelligence community--the
intelligence community assessment of the 2016 election assesses
that with high confidence that is supported by a large body of
public data. And there is no public information that would
counter or refute that conclusion.
Mr. DeSaulnier. So keeping in mind that we're talking
about, in this hearing, the title is Cybersecurity of Voting
Machines, and we've got lots of other activity going out there
that hopefully we'll discuss further in Congress, vis-à-vis the
things we're learning about social media and data collection.
But for this purpose, are we ahead of the game in your
research? I read where the French and other western democracies
are being much more aggressive, not knowing what their
infrastructure is. But from your research, is the United States
doing everything we can compared to other international
democracies who are aware of the problem?
Ms. Hennessey. I think the short answer is no. There are
two categories in which we can think about the U.S. response.
What we've been talking today can broadly be categorized as
deterrence by denial. So imposing security standards that make
it difficult or impossible for the adversary to achieve their
goals. Dr. Blaze and the others, I think, have pretty well
articulated the insufficiency of the U.S. response on that
front, the need for more to be done in terms of Federal
resourcing, and at the State level.
There's also a broader concept of deterrence, right? So
deterrence through setting international norms, response
options. We are also not seeing sufficient buy-in, frankly,
from the top at this point to push those efforts forward in
order to get the international community both to agree on the
seriousness of what occurred, and also to impose measures,
including those passed by Congress, to ensure that it doesn't
happen again.
Mr. DeSaulnier. I appreciate that.
Mr. Krebs, in that sort of vein, your response to Ms. Kelly
is seen somewhere in-between. We know the uniqueness of the
relationship as you have described it between States' rights
and the ability for them not to feel like we're imposing on
them. However, you've also talked about best practices. And it
would strike me that you're in a position to be able to acquire
those best practices, particularly in conversation with the
intelligence community.
Ms. Kelly asked you if you would give us those documents.
It seems like you're equivocating. Something--basically, you
said in order to have a relationship with the States, it's
based on trust. But forgive me for inferring from that there's
a lack of trust in giving those documents to Congress. In a
Federal election, it strikes me that Congress and the Federal
Government has a requirement to make sure that we are pursuing
best practices in partnership with the States, not overruling
them. But if Congress asks for documents, including the
minority party, it strikes me that you should give that to us,
to the whole committee, without edits, without comments.
Mr. Krebs. Sir, if I may, I'd like to clarify to the
ranking member, the information--ma'am, I'm glad you're here.
The information that I would provide, no question best
practices. I've got them right here. Best practices are just
fine to share. What we're talking about is the trusted
information that's shared on the nature of what may have been a
scan or a compromise. That's the information.
We have no question of the oversight interest of the
committee, absolutely no question. The balance we have is the
operational admission of the Department in partnership with our
State and local partners in that--again, that overarching
cybersecurity mission of the Department in working with our
partners in a voluntary basis.
Mr. DeSaulnier. I'll take that as we'll receive the
documents soon. So thank you.
Mr. Krebs. Yes, sir.
Mr. DeSaulnier. Thank you, Mr. Chairman.
Mr. Hurd. [Presiding.] Mr. Krishnamoorthi, you are now
recognized for 5 minutes.
Mr. Krishnamoorthi. Thank you, Chairman Hurd and Palmer,
along with Ranking Members Kelly and Demings, for convening
today's important hearing. The sanctity and security of our
election systems are the bedrock of our republic. The American
people need to know, not just believe, but they need to know
for certain that their votes are counted fairly.
My home State of Illinois was one of 21 States that the
Department of Homeland Security informed us was targeted by
hackers in June of 2016. The NSA reported that personal files
for over 90,000 Illinois voters were illegally downloaded by
Russian hackers. Mr. Krebs, do you have any reason to dispute
the NSA's findings that Russian-affiliated entities were behind
the recent election data breaches?
Mr. Krebs. I'm, unfortunately, not able to comment on that
specific disclosure. That, I would, unfortunately, have to
defer to the NSA.
Mr. Krishnamoorthi. But do you have any reason to believe
they're incorrect about that?
Mr. Krebs. I'm not certain to the nature of the report
you're discussing. I, unfortunately, would have to, again,
defer to the NSA to comment specifically----
Mr. Krishnamoorthi. Right. You'd defer to the NSA because
they are expert in this particular matter, and they have the
intelligence and the ability to ascertain whether these data
breaches occurred and who were the source of these data
breaches, correct?
Mr. Krebs. Again, I would defer to the NSA on any
discussion here.
Mr. Krishnamoorthi. Sure. While the implications--and
you're correct to defer to them.
While the implication of Russia's attack on one of our
elections systems are concerning, what I find even more
disturbing is that it was part of a broader international
campaign to undermine western democracies such as the 2017
elections in France and Germany, as well as recent elections in
the U.K. and other NATO countries.
Now, Mr. Krebs, again, I'd like to ask you a follow-up
question. Can you assure me that DHS is working with our allies
and the broader international community, the intelligence
community, to develop a coordinated response to these
incursions?
Mr. Krebs. So what I can speak to is the nature of the
Department of Homeland Security's engagements with our
international partners. Immediately before the French election,
we reached out to the CERT, the French CERT, which is the
Computer Emergency Response Team, keeping in mind that my
responsibilities in this space are, frankly, two things:
information sharing and technical support on a voluntary basis.
So information sharing with the State and locals and also
information sharing with the French CERT.
In terms of a broader strategy for pushing back, I'd have
to defer to the interagency or the White House on that.
Mr. Krishnamoorthi. Earlier this month, the President said
that he took Vladimir Putin at his word that he did not
interfere in Russia, and did not interfere in the 2016
election. Quote, unquote, he said: ``Every time he sees me, he
says, 'I didn't do that.' And I believe--I really believe that
when he tells me that, he means it,'' quote, unquote.
Mr. Krebs, just a few minutes ago you couldn't point to any
reason or dispute, you have no reason to believe that the NSA's
conclusions with regard to Russian hacking were inaccurate or
incorrect. You defer to the NSA's conclusions. Are you saying
that the President is somehow wrong to take Putin at his word,
as opposed to deferring to the NSA's conclusions on this topic?
Mr. Krebs. I'd like to clarify one thing real quick.
I have said all along that I agree with the intelligence
community's assessment that the Russians attempted to interfere
with our election.
Mr. Krishnamoorthi. Good.
Mr. Krebs. What you spoke about earlier was some report
attributed to the NSA about a specific State. That is what I
defer to the NSA on. I am unable to comment on that. That is
not within my agreement. I am focused on information sharing,
technical assistance and support to the State and locals. We
are in a support role.
Now, to your other comment----
Mr. Krishnamoorthi. Well, let me reclaim some of my time
here. You answered the question correctly, in my view, which is
that you agree that the Russians did interfere in our 2016
election, or you at least agree with the intelligence
community, which knows what it's talking about, that the
Russians did interfere in our 2016 election. So are you saying
that the President is wrong to disagree with that conclusion,
and instead, take the word of Vladimir Putin that Russia did
not interfere in our elections?
Mr. Krebs. No, sir. I said I agree with the assessment of
the intelligence community on what happened in 2016.
Mr. Krishnamoorthi. Okay. Do you agree with the President
that in his assessment, that Vladimir Putin did not actually
interfere in our election?
Mr. Krebs. Sir, I was not privy to that conversation. I--
look, I'm focused on helping State and local governments for
next year. Every one of us recognize that there is a threat,
whether it's from Russia, China, North Korea, or Iran.
Mr. Krishnamoorthi. You're not answering the question, sir.
Mr. Krebs. Yes, sir.
Mr. Krishnamoorthi. You don't have to be privy to that
question. You don't have to be privy to that conversation to be
able to answer the question. Do you agree with his assessment
that Russia did not interfere in our elections?
Mr. Krebs. Sir, I--again, I'll point back to last year's
intelligence assessment.
Mr. Krishnamoorthi. Okay. I'll take that as a nonanswer.
Mr. Hurd. The chair notes the presence of our colleague,
the gentlewoman from Hawaii, Ms. Gabbard, and I ask unanimous
consent Ms. Gabbard be allowed to fully participate in today's
hearing.
Without objection, so ordered.
Now it's a pleasure to recognize my friend, the gentlewoman
from the great State of Hawaii, for 5 minutes for questions.
Ms. Gabbard. I thank the chairman and Ranking Member Kelly
for holding this important hearing, and for all of the
witnesses for taking the time and coming and sharing your
experiences and expertise here. I apologize for missing the
first part of the hearing, but I'm sure a number of these
topics have been discussed. But I think they all boil down to
the immediate task at hand, which is seeing what actions can
and should be taken to make sure that our elections are
protected.
For our democracy to work, the American people need to have
faith and trust in our elections infrastructure that the vote
that they cast will actually be counted. And this is why making
sure that our elections infrastructure is impenetrable is
essential. And that's the task before us here in Congress and
before our elections officials.
Mr. Cortes, I'd love to hear your insights regarding
Virginia's decision to switch from direct recording electronic
voting machines to paper ballots. What were any obstacles that
you found in implementing that change? And did you see voter
confidence rise once that change was made?
Mr. Cortes. Congresswoman, in terms of our switch over to
paper, I think the biggest obstacle that we faced was timing
and the proximity to the election. We have statewide elections
in Virginia every year. And so we always have very little time
to implement changes. I think in this particular round of
decertification, subsequent to the DEFCON reporting that came
out, you know, the biggest challenges we faced were getting
equipment to our State IT agency for them to test and provide
us with their assessment.
When it came down to the final decision about what to do
with the equipment, our biggest consideration was if we had an
issue--if there was some issue reported on election day, would
we have the confidence to go out and tell our voters that the
results from the machines were accurate, that we can confirm
that? And I think ultimately, we determined, in consultation
with our wonderful staff at the State IT agency, in their
assessment, that we wouldn't be in a position to do that with
the equipment we were using.
Without that independent verification, the paper ballot,
there would be no way for us to do that. And so I think that
ultimately was the moment where, you know, decertification
moved forward, and we decided to have paper ballots statewide
for this past November.
Our local election officials had less than 60 days before
the election, frankly less than 2 weeks before the start of
absentee voting, to deploy new equipment. They did a phenomenal
job using the exceptionally limited resources that they have
and working with--not only in partnership with us, but also in
terms of the voting system vendors to get equipment deployed,
get ballots printed, do training, do voter education, all
within that window. They pulled it off successfully. And so
it--you know, I give a lot of credit to our local election
officials across the State for being able to do that.
Ms. Gabbard. Thank you.
Ms. Hennessey, I just came in here the last part of your
previous statement about making sure that--I think you used the
word ``impossible,'' making it so that our elections
infrastructure is impossible to hack. Noting the DEFCON report
that came out and the fact that it states by the end of DEFCON
conference, every paperless electronic voting machine was
effectively breached in some manner. Would the implementation
of voting machines across the country with some form of an
auditable paper record create that impossibility?
Ms. Hennessey. So to clarify, I was referring to impossible
to hack as a goal of sort of the deterrence by denial model. I
don't know that that's achievable, although we shouldn't make
perfect the enemy of the good. There's vast improvements that
can be made.
Certainly, we should want to move to a place in which
systems are both auditable and also audited. And so not just to
think about how do we ensure that, a built-in resiliency model.
So in the event that there is some form of compromise, some
reason to doubt the outcome, that we actually have the system
in place to verify it and restore----
Ms. Gabbard. A backup.
Ms. Hennessey. Right. And then also, that we actually
periodically undertake those checks, right? An auditable system
is effectively meaningless if we actually don't undertake the
audit.
Ms. Gabbard. This is such an important point. And I think,
Mr. Cortes, your testimony is critical to this in answering
that question of how do we ensure, with confidence, that you
can answer your voters, saying that the election results are
accurate. I'm working on legislation that will essentially
ensure that whatever the systems the States choose to use in
their elections--obviously, that is the freedom of the States
to do that--that there be some form of backup in place, a
paper, voter-verified backup to ensure exactly that question,
and that we can all answer with confidence to voters that the
election results are as a result of the votes that they cast.
So I thank you all for being here today.
Thank you, Mr. Chairman.
[4:00 p.m.]
Mr. Hurd. I'm going to now recognize myself for some time.
First off, Dr. Blaze, correct me if I'm wrong. I think we
may have set a record here today for the number of times DEFCON
has been said in a positive way. So all my hacker buddies are
going to be happy about that.
In Dr. Blaze and Ms. Hennessey's statements, they've talked
about what I would characterize as old school ballot stuffing
is one threat. But what a nation-state actor or an intelligence
service would try to do, discredit an election, is another
threat.
And, Mr. Schedler, Secretary Schedler, the first question
to you as the Secretary of State for Louisiana, it's hard to
manipulate the votes in an election in your State. Is that
correct?
Mr. Schedler. I would say so.
Mr. Hurd. Commissioner Cortes, would you agree--not for
Louisiana, but for Virginia.
Mr. Cortes. Yes, Mr. Chairman.
Mr. Hurd. And, Dr. Blaze and Ms. Hennessey, is it still
hard to stuff the ballot electronically in many of these
States?
Mr. Blaze. I think it's very difficult. I think the
difficulty that we have is that it's very difficult to prove
that it hasn't happened.
Mr. Hurd. Well, sure. Sure. It's a trust issue. But when it
comes to physically, because of the decentralization, because
many of the vote tabulation machines are not connected to the
internet, are not connected to one another because of the
physical security precautions that are taken around the
physical machines that Secretary Schedler talked about at the
front, and many of the best practices that Mr. Krebs and his
organization has promoted, it makes it hard, right. But the use
case that I'm worried about is the credibility of our
elections, and not being able to prove something is one of
those things.
And for our two secretaries of state, would you agree that
the undermining of trust in our voting--in our elections is a
bad thing and something we should try to fight against, Mr.
Schedler?
Mr. Schedler. I would absolutely agree. I alluded to that
in one of my----
Mr. Hurd. Microphone, please, sir.
Mr. Schedler. In all due respect, I mean, what has
happened, and I think any secretary of state that would address
you in all honesty is, is since the last Presidential election
and all the rhetoric and all the committee reports and all the
things that are going around this, if you don't think that has
had a tremendously negative feeling to voters, we see it.
I just got out of an election for the mayor of New Orleans,
an open seat, that had a 32 percent voter turnout in Orleans
Parish, and we had a statewide election special for State
treasurer. When I look at the statewide overall voter turnout,
12-1/2 percent. That is absurd in this country.
And I'm not going to sit here--one of my most frequently
asked question is, Why, Secretary Schedler? And I could give
you a litany of 10 or 15 things. One of them I know you all
wouldn't want to hear.
But, for certain, the rhetoric that has gone around from
this past election has tremendously deterred voter confidence.
And it's a balancing act for a guy like me and Mr. Cortes
because we're up here trying to defend the integrity of a
system----
Mr. Hurd. For sure.
Mr. Schedler. --and yet it's being torn down as I speak.
Mr. Hurd. Right. And that's one of the reasons to have this
hearing----
Mr. Schedler. Yes, I'm respectful of that.
Mr. Hurd. --is to get smart folks in a dispassionate way
talking about the realities. And then how can we identify
certain things that we can do together in a way to ensure that
that trust is there so that we get more than 12 percent?
Now, I would also say that I was at a panel in South by
Southwest with a bunch of YouTube stars, and I didn't know any
of the YouTube stars, but when you added all their fans
together, it was almost a billion. And the woman, Ms. Lardy,
who does digital stuff with a rock, said, if a movie performs
poorly at the box office, do you blame movie goers or do you
blame the movie? And I think in this case, a lot of times we
want to blame voters when we're not providing the voters
something for them to come out and purchase by pulling a lever.
So that is an aside.
Mr. Cortes, was there any funny business in your elections
in Virginia a couple of weeks ago?
Mr. Cortes. Mr. Chairman, I think we had a----
Mr. Hurd. That's a technical term too, by the way, ``funny
business.''
Mr. Cortes. I believe we had a very successful election in
Virginia a couple weeks ago. We actually--I'm sorry to hear
that you all had a lower turnout in your statewide. We had
record turnout in our statewide race for Governor, Lieutenant
Governor, Attorney General, as well as our House of Delegates,
and it was a very successful--we did not receive any complaints
related to voting equipment, which was a first in the time that
I've been there. We had a very successful day across the
Commonwealth. Very few issues. You know, you always get the
occasional place where they have delivered equipment to the
wrong place and they may open a couple minutes late, but we had
no major systemic issues that took place.
Mr. Hurd. Well, touche to Virginia.
And, Mr. Krebs, some specific questions here. How many
cyber hygiene services over the internet--for internet-facing
systems can your organization do in a calendar year? And I
realize that's a--you know, you can round number--you can
ballpark it for us.
Mr. Krebs. That's tough because, frankly, engineeringwise,
it's--I don't want to say infinity, but it's--frankly, it's
very, very scalable.
Mr. Hurd. So you're not concerned about the over 10,000
voting jurisdictions requesting that particular service that
you feel like you'll be able to meet the need----
Mr. Krebs. No, sir, I think the challenge there would be
intake, would be signing up on the legal agreement side,
figuring out the IP ranges and deploying.
Mr. Hurd. Good copy. How many risk and vulnerability
assessments can you do in a calendar year?
Mr. Krebs. That is a different question. Risk and
vulnerability assessments are time and manpower limited. In
terms of the number on a given year, it'd be--let me put it
this way: To do one risk vulnerability assessment it takes 2
weeks.
Mr. Hurd. Two weeks.
Mr. Krebs. It's a week onsite and a week report drafting.
What we're doing in the meantime, though----
Mr. Hurd. And you have about 130 people that are able to do
this function?
Mr. Krebs. I'd have to get back to you on the specific
numbers on the Hurd teams, but it's--you know, we are manpower
limited there, but what we--and the reason for that, and you
just made my job a little bit harder with the NGT Act, but this
all comes out of the same pile of assessments as Federal IT,
the high-value asset. And so if we're going to do some
modernization activities, congratulations, but that's going to
make my job a little bit tougher. That also is the critical
infrastructure community. So it's all in one----
What the critical infrastructure designation did for the
election subsector is allowed me to reprioritize. So now I'm
able to put any requests up at the top of the list. We just
completed an RVA last week. I reviewed the product earlier this
week, and it is an impressive document. I'd like to do more. We
are going to continue to prioritize, upon request, these are
voluntary products, but keeping in mind that a number of States
have their own resources or private sector resources. So, you
know, we're not looking to serve for every single State, but we
are looking to reprioritize to address.
Mr. Hurd. And this next question is for Secretary Schedler,
Commissioner Cortes, and Mr. Krebs, and maybe Secretary
Schedler, you take the first swing at this. And this is
probably better--you know, this question I'm asking you of this
as your former hat at NASS. And what role exactly does NIST and
the HAVA Standards Board play? And maybe if--Mr. Krebs, if
you're more appropriate to answer that question, you know, I'll
leave it up to you all.
Mr. Schedler. I mean, it certainly assists us in
certification issues and some of those outlier issues that we
have. But, I mean, I think it's more of a collective whole,
NASS, whether it be with the Election Commission, NIST, or any
of us, I mean, we collaboratively all work together. We share
information through our executive director, Ms. Reynolds, here
in Washington.
So, I mean, I think it's a good thing. I wouldn't want to
necessarily disband that, but I think it's more looking at it
as a collective whole and our new partners in Homeland
Security. I mean, I alluded that we were very much against
critical infrastructure. We're in it. We're in a cooperative
spirit. We're trying to get our security clearances done at
this time and we're going to continue that.
Mr. Hurd. So, Secretary, am I hearing DHS is not trying to
take over?
Mr. Schedler. No, sir, I don't think so. Not yet. I'll give
you a call.
Mr. Hurd. Please do. Please do. And are folks comfortable
with the security clearance process? I know we're trying to get
every secretary of state and I believe two additional----
Mr. Schedler. Yes.
Mr. Hurd. --folks. And your indication is that folks are
happy with that process and how it's done?
Mr. Schedler. Yes, sir, we are. That's the first good step
that we can share some information.
Mr. Hurd. Commissioner Cortes, do you have, you know, any
information to disagree with that or----
Mr. Cortes. Mr. Chairman, I think, you know, from our
perspective in Virginia, having had a statewide election, we
had an opportunity to work very closely with DHS throughout the
year in preparation for that and really figuring out how to
leverage the Federal resource offerings, along with what our
State IT agency provides, as well as the Virginia National
Guard. So we've worked very collaboratively with them. I think
the creation of the coordinating council I think will be
exceptionally helpful going forward.
I think when it comes to the EAC and NIST, EAC's role in
this has been--you know, hasn't been as highlighted as I think
it should be. I think they've been really critical in opening
up that dialogue between DHS and the elections community, as
well as facilitating a lot of the meetings and interactions
that have taken place. So they've been exceptionally helpful
there.
When it comes to NIST, I think for us, and I think going
forward, you know, what we need to look at is the--you know,
the NIST cybersecurity framework is something that our State IT
standards are premised on and that we utilize for our voting
equipment, security, and our electronic pollbook security. So
those standards being there are very helpful to us and provide
the level of expertise and, you know, things to look for and
test against that we would not, you know, with our State
resources be able to recreate on our own. So everybody's been
exceptionally helpful.
Mr. Hurd. That is very helpful feedback.
And, Mr. Krebs, kudos to you for your leadership in that
process.
And maybe to anybody at this panel, why does EAC have $300
million in unspent funds? Does anybody have any unknown--none
of you all sit at EAC? Would anybody like to offer a question?
Mr. Schedler. They must have some of those HAVA dollars
that we need.
Mr. Hurd. And that's what we're trying to get at is, is
there an opportunity there to reprogram some of those funds to
help some of the municipalities that need to upgrade some of
their systems?
Mr. Schedler. Yes. And that was a tongue-in-cheek comment,
because I'm on the advisory--I truly don't know----
Mr. Hurd. Can you hit the button?
Mr. Schedler. I truly do not know what that balance is,
and, I mean, I just--it's certainly something to look at. I
think we got to look at any and all avenues of funding because
we do need assistance in the State, I can assure you. Just like
Federal Government, States are in budgetary issues. I know
certainly Louisiana is. And at this critical point of trying to
replace equipment because of some of the subject matter we're
talking about here, you know, we're scrambling to try to find a
way to do that, and I'm getting ready to go out on an RFP, so----
Mr. Hurd. Mr. Krebs, any comments?
Mr. Krebs. I think what we're talking about now, and I do
wish that Matt Masterson, the chairman of the EAC, was here. I
met with him yesterday. I think he's in Iowa right now doing
some training.
EAC has been a critical partner. When DHS got into this
game--it was before my time--but when we got into this game
last year, it was kind of a brave new world, didn't have a
relationship. EAC was critical in bridging the gap and
developing relationships with Louisiana, Virginia, and the rest
of the States.
NIST is also a partner. I think Dr. Blaze would agree that
NIST is probably reputationally unmatched in terms of
cybersecurity and cryptography excellence. And they are a
critical partner in standards development going forward.
And then on the information sharing piece--one last thing.
I do want to touch on the classified and the clearances piece.
Clearances, as has been pointed out, clearances and the sharing
of classified information is important, but we are, in the
meantime, focusing on that declassification effort. It is
critically important that we speed up that process to get it
out, tear lines, all that good stuff. But in the meantime, when
something truly sensitive comes in and someone doesn't have the
clearance but needs to see a piece of information, I personally
have the capability to authorize one-day read-ins.
So we have a suite of services and tools and capabilities
that we can--to make sure that our partners have the
information they need.
Mr. Hurd. Well, Mr. Krebs, that's why DHS is the
bellybutton for information sharing with municipalities and the
private sector, because I believe you're the only organization
that can truly achieve need to share versus need to know, and
continuing down that line is important.
Dr. Blaze, when it comes to the kinds of systems, the
actual vote tabulation machines, and you've talked a lot about
the scan, you know, version, one of the concerns I have about
some of the legislation that's being discussed is talking
specifically about a type of machine versus an outcome. And is
it fair to say that, based on your research and your activity,
that you're saying there needs to be an artifact that can be
checked in the case that a system is suspected of compromise?
Mr. Blaze. That's correct. The two important properties
are, first, that there be a paper artifact of the voter.
Optical scan paper is an example of a system that does that.
That's probably the best state-of-the-art technology that we
have right now. The second property is that we have a mechanism
for detecting compromise of the software that tabulates votes,
and that's the risk limiting audit feature.
Put together, those achieve or approach what we call strong
software independence, which means that, even if the software
is compromised, we still can learn the true outcome of the
election.
Mr. Hurd. Good copy.
Ms. Hennessey, do you have anything to add to that or
disagree with?
Ms. Hennessey. No, I would agree with everything Dr. Blaze
said.
Mr. Hurd. Thank you.
And my last question--and, Chairman Palmer and Ranking
Member Kelly, thanks for the indulgence--is slightly outside of
the bounds of the hearing topic today. But as we talk about the
importance of protecting our voting systems and trying to fight
this effort to erode trust in our national institutions,
disinformation is the tool that hostile intelligence services
are going to continue to use against us.
And I would just welcome, and really, Secretary Schedler
and Commissioner Cortes, what is the role of States in helping
to combat disinformation, specifically when it comes around
election time?
And, Dr. Blaze and Ms. Hennessey, I'd welcome your
thoughts.
And then, Mr. Krebs, I'm going to give you 30 seconds to
say whatever you want to say.
Secretary Schedler.
Mr. Schedler. Well, I mean, it's the old fashioned way. You
get out there and you communicate with people and you get on
the airwaves on radio and you get on TV and you get in the
newspaper and you combat some of this. Because, I'll be honest
with you, I had an individual just this morning that called
me--or, excuse me, text me from the previous election, and he
was convinced that our machines were connected to the school
internet system, because I guess it was plugged into a plug. I
don't know, but, I mean, it's those types of things in every
real day of a secretary of state or an election official across
the country that we combat. It's just part of the job. I will
tell you, it has become on steroids in the last 24 months.
Mr. Hurd. As a Member of Congress, I would say I understand
those concerns. Thank you, sir.
Commissioner Cortes.
Mr. Cortes. Mr. Chairman, I think it's really about being
open and transparent in the process and having, you know,
processes in place and working as election officials to make
sure voters are comfortable with the process and getting out
there and combating any misinformation about how the process
works. And I think our focus on transparency and doing things
like post-election audits, having equipment that had some sort
of verifiable backup, these are all things that we can do to
provide voters assurance that they can actually see and observe
and not just tell them everything's okay.
We're I think at a stage with our election processes where
people need to be able to understand what steps we're taking
and how we're doing, you know, to make sure that things are
okay, to make sure that their voting experience is a good one,
and that their votes are counted accurately.
Mr. Hurd. Good copy.
Dr. Blaze.
Mr. Blaze. So I think the most important thing, from a
technology perspective, is that the voting technology allow us
to refute those who say that the election was tampered with.
And, unfortunately, many of the systems in use today, even if
they haven't been tampered with, aren't designed in a way that
allows us to do that.
So I look forward to seeing a shift toward technologies
that are more robust and that allow us to do meaningful
recounts.
Mr. Hurd. Ms. Hennessey.
Ms. Hennessey. To bolster credible institutions now, and so
to not--to sort of resist any temptations of partisanship so
that in the event--so that there are those enduring credible
voices. And the closer we get to elections, the actual election
date, the higher the risk of politicization sort of infecting
that process comes, which increases the importance of setting
neutral standards now, both for the types of information that
will be shared and also for response options.
Mr. Hurd. Thank you.
Final words, Mr. Krebs?
Mr. Krebs. Yes, sir. I think my four co-panelists have said
it quite well. A key tenet of countering information operations
is shining a light on the activity. So what we have ahead of
us, and we were just talking about it before the hearing today,
is, we have some coordination work. We need to do some incident
response planning, develop a playbook, so if something pops up
on social media, Twitter, or whatever it is, we get the call,
we can work to refute the information, and we can push it out
through a clear trusted channel to the American people so they
can retain confidence in our election systems.
Mr. Hurd. Well, I want to thank all of you all for helping
to shine a light on the activities that our States and the
Federal Government is doing to ensure that the American people
can have the trust in their elections. That's what makes this
country great, is when we're faced with adversity, we all do
pull together. And I appreciate you all appearing before us
today and the flexibility in your travel schedules.
The hearing record will remain open for 2 weeks for any
member to submit a written opening statement or questions for
the record.
If there's no further business, without objection, the
subcommittees stand adjourned.
[Whereupon, at 4:20 p.m., the subcommittees adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]