[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
ELECTION SECURITY:
VOTING TECHNOLOGY VULNERABILITIES
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON INVESTIGATIONS
AND OVERSIGHT
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
OF THE
COMMITTEE ON SCIENCE, SPACE,
AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
JUNE 25, 2019
__________
Serial No. 116-31
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
36-795 PDF WASHINGTON : 2020
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. EDDIE BERNICE JOHNSON, Texas, Chairwoman

ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
SUZANNE BONAMICI, Oregon
AMI BERA, California, Vice Chair
CONOR LAMB, Pennsylvania
LIZZIE FLETCHER, Texas
HALEY STEVENS, Michigan
KENDRA HORN, Oklahoma
MIKIE SHERRILL, New Jersey
BRAD SHERMAN, California
STEVE COHEN, Tennessee
JERRY McNERNEY, California
ED PERLMUTTER, Colorado
PAUL TONKO, New York
BILL FOSTER, Illinois
DON BEYER, Virginia
CHARLIE CRIST, Florida
SEAN CASTEN, Illinois
KATIE HILL, California
BEN McADAMS, Utah
JENNIFER WEXTON, Virginia

FRANK D. LUCAS, Oklahoma, Ranking Member
MO BROOKS, Alabama
BILL POSEY, Florida
RANDY WEBER, Texas
BRIAN BABIN, Texas
ANDY BIGGS, Arizona
ROGER MARSHALL, Kansas
RALPH NORMAN, South Carolina
MICHAEL CLOUD, Texas
TROY BALDERSON, Ohio
PETE OLSON, Texas
ANTHONY GONZALEZ, Ohio
MICHAEL WALTZ, Florida
JIM BAIRD, Indiana
JAIME HERRERA BEUTLER, Washington
JENNIFFER GONZALEZ-COLON, Puerto Rico
VACANCY
------
Subcommittee on Investigations and Oversight
HON. MIKIE SHERRILL, New Jersey, Chairwoman

SUZANNE BONAMICI, Oregon
STEVE COHEN, Tennessee
DON BEYER, Virginia
JENNIFER WEXTON, Virginia

RALPH NORMAN, South Carolina, Ranking Member
ANDY BIGGS, Arizona
MICHAEL WALTZ, Florida
------
Subcommittee on Research and Technology
HON. HALEY STEVENS, Michigan, Chairwoman

DANIEL LIPINSKI, Illinois
MIKIE SHERRILL, New Jersey
BRAD SHERMAN, California
PAUL TONKO, New York
BEN McADAMS, Utah
STEVE COHEN, Tennessee
BILL FOSTER, Illinois

JIM BAIRD, Indiana, Ranking Member
ROGER MARSHALL, Kansas
TROY BALDERSON, Ohio
ANTHONY GONZALEZ, Ohio
JAIME HERRERA BEUTLER, Washington
C O N T E N T S
June 25, 2019
Hearing Charter
Opening Statements
Statement by Representative Mikie Sherrill, Chairwoman,
Subcommittee on Investigations and Oversight, Committee on
Science, Space, and Technology, U.S. House of Representatives
Written Statement
Statement by Representative Ralph Norman, Ranking Member,
Subcommittee on Investigations and Oversight, Committee on
Science, Space, and Technology, U.S. House of Representatives
Written Statement
Statement by Representative Haley Stevens, Chairwoman,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives
Written Statement
Statement by Representative Jim Baird, Ranking Member,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives
Written Statement
Written statement by Representative Eddie Bernice Johnson,
Chairwoman, Committee on Science, Space, and Technology, U.S.
House of Representatives
Written statement by Representative Frank Lucas, Ranking Member,
Committee on Science, Space, and Technology, U.S. House of
Representatives
Witnesses:
Dr. Charles H. Romine, Director, Information Technology
Laboratory, National Institute of Standards and Technology
Oral Statement
Written Statement
Mr. Neal Kelley, Registrar of Voters, Orange County, California
Oral Statement
Written Statement
Dr. Latanya Sweeney, Professor of Government and Technology in
Residence, Department of Government, Harvard University,
Institute of Quantitative Social Science
Oral Statement
Written Statement
Mr. Paul Ziriax, Secretary, Oklahoma State Election Board
Oral Statement
Written Statement
Dr. Josh Benaloh, Senior Cryptographer, Microsoft Research
Oral Statement
Written Statement
Discussion
Appendix I: Answers to Post-Hearing Questions
Dr. Charles H. Romine, Director, Information Technology
Laboratory, National Institute of Standards and Technology
Mr. Neal Kelley, Registrar of Voters, Orange County, California
Dr. Josh Benaloh, Senior Cryptographer, Microsoft Research
Appendix II: Additional Material for the Record
Documents submitted by Representative Mikie Sherrill, Chairwoman,
Subcommittee on Investigations and Oversight, Committee on
Science, Space, and Technology, U.S. House of Representatives
Document submitted by Rep. Sean Casten, Committee on Science,
Space, and Technology, U.S. House of Representatives
ELECTION SECURITY:
VOTING TECHNOLOGY VULNERABILITIES
----------
TUESDAY, JUNE 25, 2019
House of Representatives,
Subcommittee on Investigations and Oversight,
joint with the Subcommittee on Research
and Technology,
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to notice, at 2:58 p.m., in
room 2318 of the Rayburn House Office Building, Hon. Mikie
Sherrill [Chairwoman of the Subcommittee on Investigations and
Oversight] presiding.
Chairwoman Sherrill. The hearing will come to order.
Without objection, the Chair is authorized to declare recess at
any time. Good afternoon, and welcome to a joint hearing of the
Investigations and Oversight and Research and Technology
Subcommittees. Ranking Member Norman and I had such a good
experience working with Research and Tech last month during our
transportation hearing that we thought we should do it again,
so it's great to be here with Chairwoman Stevens and Ranking
Member Baird, so thank you both, I appreciate it.
We are here today to talk about election security, and the
various technologies and best practices that support it, and I
want to start out by acknowledging something good. The experts
tell us that the United States has, in fact, made enormous
progress since 2016 toward protecting our election
infrastructure. I applaud the Secretaries of State, the
election officials, the poll workers, and the systems
administrators across the Nation who have already been working
to defy election interference. New Jersey, for example, is
investing in a whole range of activities right now to prevent
interference, including a pilot program for voter-verified
paper trails.
But I remain worried about the enormous risks our election
systems still face heading into 2020, and I have been really
concerned about how attacks on our election system affect the
American psyche. We have all seen anecdotes in the press about
counties and States across the United States, where experts
learn after the fact that an election system has been hacked.
It is worth pointing out that we don't always see election
systems actually being breached when they are targeted.
Sometimes our systems work the way they're supposed to, and
keep intruders from doing harm, and we should find comfort when
we learn of a crisis averted, but for the most part we don't.
These stories in the news allow us to see just how high the
stakes are. They allow us to see how many ways there are to
manipulate the system. These stories make the American people
feel uncertain, and our peace of mind, our faith in the
electoral process, is another casualty of interference.
There are few things more central to the American covenant
than the safety and security of our elections, where citizens
from all walks of life can cast their vote and know that it
will be counted. Our foreign adversaries know this. The last
two election cycles saw foreign interference in our election
systems that tried to shake our faith in the U.S. election
system, and in our fellow Americans. When I was in the Navy, I
was a Russian policy officer, and I saw firsthand how the
Russians worked to sow division here. We know the Russian
intelligence service has already attacked our election
infrastructure across a number of States, and we have every
reason to believe these attacks will escalate during the 2020
cycle. The methods that foreign and domestic actors use to
corrupt our elections are growing more sophisticated every day.
When it comes to cybersecurity, the threat is constantly
changing. It is our responsibility in Congress to help States
arm themselves with advanced, adaptive strategies to prevent,
detect, and recover from intrusions.
On a lighter note, I am delighted to welcome a special
guest in the gallery today, Ms. Bianca Lewis. Bianca just
finished the 7th grade in Phillipsburg, New Jersey. She is a
coder and an inventor who runs her own blog dedicated to her
adventures in STEAM. That's science, technology, engineering,
art, and mathematics. Bianca was also one of the young hackers
featured at an exhibit that was hosted at last year's DEFCON
technology conference in Las Vegas called R00tz Asylum. At
DEFCON, Bianca and other young people were able to exploit
models of Secretary of State websites to delete content and
change the voting results displayed. While the websites at
DEFCON were models, and not part of any real life voting
systems, they were designed with some of the known
vulnerabilities that real life hackers have abused in recent
years. I thank Bianca for being a leader for girls in tech and
computer science, and for helping shine a light on
cybersecurity and election infrastructure. It is so rewarding
to see that the next generation is thinking big, and I'm glad
that you and your family could be here today from New Jersey.
I'm also pleased to welcome the distinguished witnesses on
our panel, three of whom contributed to the very important
recent report from the National Academies on Securing the Vote.
Thank you all for being here today.
[The prepared statement of Chairwoman Sherrill follows:]
Good afternoon, and welcome to a joint hearing of the
Investigations and Oversight and Research & Technology
Subcommittees. It's good to be here with Ranking Member Norman,
Chairwoman Stevens and Ranking Member Baird once again.
We're here today to talk about election security and the
various technologies and best practices that support it. And I
want to start out by acknowledging something good:
The experts tell us that the United States has, in fact,
made enormous progress since 2016 toward protecting our
election infrastructure. I applaud the Secretaries of State,
the election officials, the poll workers and the systems
administrators across this nation who have already been working
hard to defy election interference. New Jersey, for example, is
investing in a whole range of activities right now to prevent
interference, including a pilot program for voter verified
paper trails.
But I remain worried about the enormous risks our election
systems still face heading into 2020. And I have been really
concerned about how attacks on our election system affect the
American psyche. We have all seen anecdotes in the press about
counties and states across the United States, where experts
learn after the fact that an election system has been hacked.
It is worth pointing out that we don't always see election
systems actually being breached when they are targeted.
Sometimes our systems work the way they are supposed to and
keep intruders from doing harm.
And we should find comfort when we learn of a crisis
averted. But for the most part, we don't. These stories in the
news allow us to see just how high the stakes are. They allow
us to see how many ways there are to manipulate the system.
These stories make the American people feel uncertain. And our
peace of mind, our faith in the electoral process, is another
casualty of interference. There are few things more central to
the American covenant than the safety and security of our
elections, where citizens from all walks of life can cast their
vote and know it will be counted.
Our foreign adversaries know this. The last two election
cycles saw foreign interference in our election systems that
tried to shake our faith in the U.S. election system - and in
our fellow Americans. When I was in the Navy, I was a Russian
policy officer and I saw firsthand how the Russians work to sow
divisions. We know the Russian intelligence service has already
attacked our election infrastructure across a number of states,
and we have every reason to believe these attacks will escalate
during the 2020 cycle. The methods that foreign and domestic
actors use to corrupt our elections are growing more
sophisticated every day. When it comes to cybersecurity, the
threat is constantly changing. It is our responsibility in
Congress to help states arm themselves with advanced, adaptive
strategies to prevent, detect, and recover from intrusions.
On a lighter note - I am delighted to welcome a special
guest to the gallery today, Ms. Bianca Lewis. Bianca just
finished seventh grade in Phillipsburg, New Jersey. She is a
coder and inventor who runs her own blog dedicated to her
adventures in STEAM - that's science, technology, engineering,
arts and mathematics. Bianca was also one of the young hackers
featured at an exhibit that was hosted at last year's Def Con
technology conference in Las Vegas called the R00tz Asylum. At
Def Con, Bianca and other young people were able to exploit
models of Secretary of State websites to delete content and
change voting results being displayed. While the websites at
Def Con were models and not part of any real-life voting
systems, they were designed with some of the known
vulnerabilities that real-life hackers have abused in recent
years.
I thank Bianca for being a leader for girls in tech and
computer science - and for helping shine a light on
cybersecurity in election infrastructure. It is so rewarding to
see that the next generation is thinking big - about big
challenges. I'm glad that you and your family could be here
from New Jersey for today's hearing.
I am also pleased to welcome the distinguished witnesses on
our panel, three of whom contributed to the very important
recent report from the National Academies on Securing the Vote.
Thank you all for being here.
Chairwoman Sherrill. So the Chair now recognizes Mr. Norman
for an opening statement.
Mr. Norman. Thank you, Chairwoman Sherrill, and Chairwoman
Stevens, for convening this important hearing, and thank you
for each of the witnesses for taking the time to give your
testimony this morning. We're here today to review the security
of the United States' election system technologies, and discuss
research to ensure the security, the integrity, and the
accessibility of America's election systems. Today's hearing
provides an opportunity to learn how the Federal Government can
support State and local governments as they work to secure
elections through research, technology, standards, and
voluntary guidance, without burdensome Federal mandates.
The 2000 Presidential election highlighted problems with
punch card and lever voting systems, and brought to light new
concerns about election integrity. To address these concerns,
Congress enacted the Help America Vote Act of 2002, or better
known as HAVA. HAVA provided money to the States to replace
antiquated voting systems, established the United States
Election Assistance Commission, or EAC, and required the
National Institute of Standards and Technology (NIST) to
provide technical support to the EAC to develop voluntary
guidelines for voting systems.
My home State of South Carolina recently decided to upgrade
voting systems, and serves as an example of how the process
should work. South Carolina officials conducted a lengthy
evaluation of several options, and ultimately determined that
upgrading to a ballot marking device was the option that best
met the needs of our State. And this is how it should be, State
and local officials figuring out what is best for their
community. As Federal policymakers, we must remember that
administration of elections is inherently a function of State
and local governments. We should listen to our local election
officials, and provide the reasonable support necessary to
bolster the security of election systems, and to efficiently
and effectively administer elections throughout the United
States. This requires a flexible and a dynamic approach to
security that can be molded by jurisdictions across the country
to fit their specific needs. A one-size-fits-all approach is
simply impractical and unworkable.
I welcome the chance to hear from State and local election
officials as we consider the issue of election system security,
and look forward to their perspective on what role the Federal
Government can play in ensuring that they have the information
and support necessary to harden their election systems against
present, and any future threats. We'll also hear today from
representatives of academia, the private sector, and the
Federal Government, which provides us with the opportunity to
learn more about technologies and innovations that will improve
America's election systems today, as well as research underway
that may bolster election system security in the future. It's
hard to imagine an issue of greater importance to our democracy
than the security of America's election system.
And while I appreciate that this Committee continues to
approach critical issues of national importance in a bipartisan
fashion, I would be remiss today if I didn't take the
opportunity to highlight how partisan politics on the part of
the House Democrat leadership has once again failed to proceed
through regular order. Specifically, I'm disappointed but, you
know, quite frankly I'm not surprised, as this is just another
in a long list of political stunts by leadership's sudden
decision to move H.R. 2722, the so-called Securing America's
Federal Elections Act, to the floor this week without
consideration by this very Science Committee, which rightfully
received a referral on the bill. House Democratic leadership
instead chose to rush this bill to the floor in order to
satisfy far left progressives with yet another messaging bill
that thankfully has absolutely no chance of being considered in
the Senate. As today's hearings will demonstrate, the Science
Committee has a crucial role to play in the consideration of
any legislation that truly aims to improve the security of
America's election systems. That being said, I look forward to
a thoughtful and bipartisan discussion today of how we can
improve the security of America's election systems now, and in
the future.
I want to thank each of our witnesses for being here, and
thank you, Madam Chair, for convening this all-important
hearing. And I want to thank the Hyatts, who are here from my
hometown, who have played a part in the elections in South
Carolina, for being with us today. Madam Chair, I yield back
the balance of my time.
[The prepared statement of Mr. Norman follows:]
Thank you, Chairwoman Sherrill and Chairwoman Stevens, for
convening this important hearing, and thank you to the
witnesses for your testimony this morning.
We are here today to review the security of U.S. election
system technologies and discuss research to ensure the
security, integrity, and accessibility of America's election
systems.
Today's hearing provides an opportunity to learn how the
Federal government can support state and local governments as
they work to secure elections through research, technology,
standards, and voluntary guidance, without burdensome Federal
mandates.
The 2000 presidential election highlighted problems with
punch card and lever voting systems and brought to light new
concerns about election integrity. To address these concerns,
Congress enacted the Help America Vote Act of 2002 (or
``HAVA'').
HAVA provided money to the states to replace antiquated
voting systems, established the U.S. Election Assistance
Commission (or ``EAC''), and required the National Institute of
Standards and Technology to provide technical support to the
EAC to develop voluntary guidelines for voting systems.
My home state of South Carolina recently decided to upgrade
voting systems and serves as an example of how the process
should work. South Carolina officials conducted a lengthy
evaluation of several options and ultimately determined that
upgrading to a ballot marking device was the option that best
met the needs of the state.
And this is how it should be - state and local officials
figuring out what is best for their community. As Federal
policy makers, we must remember that administration of
elections is inherently a function of state and local
governments. We should listen to our local election officials
and provide the reasonable support necessary to bolster the
security of election systems, and to efficiently and
effectively administer elections throughout the United States.
This requires a flexible and dynamic approach to security
that can be molded by jurisdictions across the country to fit
their specific needs. A one-size-fits-all approach is simply
impractical.
I welcome the chance to hear from state and local election
officials as we consider the issue of election system security
and look forward to their perspective on what role the Federal
government can play in ensuring they have the information and
support necessary to harden their election systems against
present and future threats.
We will also hear today from representatives of academia,
the private sector, and the Federal government, which provides
us with the opportunity to learn more about technologies and
innovations that will improve America's election systems today,
as well as the research underway that may bolster election
system security in the future.
It's hard to imagine an issue of greater importance to our
democracy than the security of America's election systems. And
while I appreciate that this Committee continues to approach
critical issues of national importance in a bipartisan fashion,
I would be remiss if I didn't take the opportunity to highlight
how partisan politics on the part of the House's Democrat
leadership has once again failed to proceed through regular
order.
Specifically, I am disappointed--but quite frankly not
surprised, as this is just another in a long line of political
stunts--by leadership's sudden decision to move H.R. 2722, the
so-called Securing America's Federal Elections Act, to the
floor this week without consideration by the Science Committee,
which rightly received a referral on the bill. House Democratic
leadership instead chose to rush this bill to the floor in
order to satisfy far-left progressives with yet another
messaging bill that thankfully has no chance of being
considered in the Senate.
As today's hearing will demonstrate, the Science Committee
has a crucial role to play in the consideration of any
legislation that truly aims to improve the security of
America's election systems.
That being said, I look forward to a thoughtful and
bipartisan discussion today of how we can improve the security
of America's election systems, now and in the future.
Thank you again to our witnesses for being here today. And
thank you, Madam Chair, for convening this important hearing.
I yield back the balance of my time.
Chairwoman Sherrill. Thank you. The Chair now recognizes
Chairwoman Stevens of the Subcommittee on Research and
Technology for an opening statement.
Chairwoman Stevens. Thank you, Chairwoman Sherrill. It's
great to be here talking about election security and voting
technology vulnerabilities, and we're certainly so grateful
that we have the leadership in the House of Representatives
willing to take on the severity of some of the election
security breaches that we experienced in 2016, some of which
have been long overdue, and the current Administration has
failed to address. So, good afternoon, and welcome to this
hearing.
Certainly the elections of 2016 showed us how vulnerable
our election infrastructure can be to foreign adversaries who
interfere in the very foundation of our democratic process, and
this has begun a national conversation on the security and
integrity of our U.S. elections. Most election authority rests
with the States, but, as Mr. Norman recognized, Congress
created a Federal role in election administration and security
with the Help America Vote Act of 2002, known as HAVA. And,
under HAVA, the National Institute of Standards and
Technology, NIST, which--the Subcommittee that I have the
privilege of chairing on Research and Tech has oversight over--
NIST was tasked with providing technical assistance and
research to inform the development of voluntary voting
systems--guidelines to be recommended to the Election
Assistance Commission, the EAC. HAVA provided hundreds of
millions of dollars to States to buy new voting equipment, but
some of those old machines are still in use today, and States,
not having--being--or not being required to implement the
voluntary voting system guidelines in the purchase of new
voting machines, were left with a gap. Only 38 States and the
District of Columbia use some of the parts of the Federal
testing and certification program for purchasing new voting
equipment.
With more than 10,000 election jurisdictions in the United
States, there is certainly no one fit--no one-size-fits-all
solution to election administration and security. In addition,
most election administrators are well intentioned, but lack
resources, awareness, and technical expertise. Cue the Federal
Government. At the time of HAVA, voting technology was assumed
to mean only the voting machine itself. Today, depending on the
jurisdiction, a voter may be able to register online to vote,
and have their name and address confirmed through an Internet
connected electronic poll book, or e-poll book, at their
polling site, in addition to casting their vote on an
electronic machine. Unfortunately, many Americans still cast
their vote on machines with no paper record.
I know we will hear from our experts today that all--with
all the conveniences that the Internet and the 21st century
technology provide, paper ballots are still the most secure.
But even if we implement paper records everywhere, we are still
left with the new security challenges posed with online
registration and e-poll books. As a champion and a believer of
21st century technology, I am also still a champion for the
analog skills that move us forward. In fact, every point of
internet connectivity in the election system, including
software development and updating, introduces a vulnerability.
Security must be a priority at every step of our cherished
democratic process. Free and fair elections are paramount.
Last year the National Academies issued a consensus study
report titled ``Securing the Vote: Protecting American
Democracy''. This report included several recommendations for
improving election security, including the need for national
standards for e-poll books, voter registration databases,
ballot handling procedures, and audits. Finally, the report
included a strong statement that the Federal Government has a
responsibility to invest in research to protect the integrity
of elections, which is part of what we are here today to
discuss. I certainly could not agree more, and I am glad to
know that, in addition to NIST, the National Science Foundation
carries out computer science and social science research that
could be applicable to election systems. There needs to be more
coordination. We are fans of inter-agency work here on this
Committee, and a more robust dedication of research dollars for
this purpose. The 2020 elections are not far away. I look
forward to our witnesses' insight on the Academies' report, and
other important recommendations for this Committee to take up.
Thank you, and I yield back.
[The prepared statement of Chairwoman Stevens follows:]
Good afternoon and welcome to this hearing to review U.S.
election security and voting technology vulnerabilities. I look
forward to hearing testimony from our distinguished panel of
witnesses on this important topic.
The elections of 2016 showed us how vulnerable our election
infrastructure can be to foreign adversaries who interfere in
the very foundation of our democratic process and began a
national conversation on the security and integrity of
elections. Most election authority rests with the states.
However, Congress created a federal role in election
administration and security with the Help America Vote Act of
2002, known as HAVA. Under HAVA, the National Institute of
Standards and Technology, NIST, was tasked with providing
technical assistance and research to inform the development of
Voluntary Voting Systems Guidelines to be recommended to the
Election Assistance Commission.
HAVA provided hundreds of millions of dollars to states to
buy new voting equipment, and some of those old machines are
still in use today. Further, states are not required to
implement the Voluntary Voting System Guidelines in the
purchase of new voting machines. Only 38 states and the
District of Columbia use some part of the federal testing and
certification program for purchasing new voting equipment.
With more than 10,000 election jurisdictions in the United
States, there is no one size fits all solution to election
administration and security, but these Guidelines are intended
to have broad application. In addition, most election
administrators are well intentioned but unfortunately lack the
resources, awareness, and technical expertise to implement the
vital security needs of today.
At the time of HAVA, voting technology was assumed to mean
only the voting machine itself. Today, depending on the
jurisdiction, a voter may be able to register online to vote
and have their name and address confirmed through an internet-
connected electronic poll book (or e-poll book) at their
polling site, in addition to casting their vote on an
electronic machine.
Unfortunately, many Americans still cast their vote on
machines with no paper record. I know we will hear from our
experts today that, with all of the conveniences that the
internet and 21st century technology provide, paper ballots are
still the most secure. But even if we implement paper records
everywhere, we are still left with the new security challenges
posed with online registration and e-poll books. In fact, every
point of internet connectivity in the election system,
including software development and updating, introduces a
vulnerability. Security must be a priority at every step of our
cherished democratic process.
Last year, the National Academies issued a consensus study
report titled, "Securing the Vote - Protecting American
Democracy." This report included several recommendations for
improving elections security, including the need for national
standards for e-poll books, voter registration databases,
ballot handling procedures, and audits. Finally, the report
included a strong statement that the federal government has a
responsibility to invest in research to protect the integrity
of elections. I couldn't agree more, and am glad to know that
in addition to NIST, the National Science Foundation carries
out computer science and social science research that could be
applicable to election systems. However, there needs to be more
coordination and a more robust dedication of research dollars
for this purpose.
The 2020 elections are not far away. I look forward to our
witnesses' insight on the Academies' report and other important
recommendations for actions this Committee can take to help.
Thank you and I yield back.
Chairwoman Sherrill. Thank you, and the Chair now
recognizes Dr. Baird of the Subcommittee on Research and
Technology for an opening statement.
Mr. Baird. Thank you, Chairwoman Sherrill, and Chairwoman
Stevens, for convening this day's hearing to review the
security of U.S. election system technologies. Voting is a
fundamental right of every American citizen, and ensuring the
right to a safe and secure election is the responsibility of
every Member of Congress. Without security, integrity, and
accuracy in our electoral process, the foundation of our
Nation, in fact, our democracy, is weakened. I look forward to
hearing from our witnesses this afternoon about how the Federal
Government can support State and local governments in ensuring
safe and secure elections through research, technology testing,
audits, and voluntary guidance.
As we all know, under our Constitution and Federal system,
election administration is, and should be, the responsibility
of State and local governments. Our founders believed that
government is more transparent, responsive, and accountable
when it's closest to the people, which is why the Constitution
gave the responsibility of our elections to the States. To this
end, Congress' role is to empower State officials to strengthen
the security of their unique election systems, and effectively
administer elections, not to try to dictate a one-size-fits-
all. The Help America Vote Act established the Federal Election
Assistance Commission, and requires the National Institute of
Standards and Technology, NIST, to work with the Commission on
technical, voluntary guidelines, and voting systems. These
voluntary guidelines are an important tool for State and local
elected officials to ensure the functionality and accuracy of
the State's unique system. They allow the testing of voting
systems to determine the basic functionality, accessibility,
and security capabilities. They also offer flexibility, which
is important, given the variation of election infrastructure
from State to State.
I look forward to hearing from Dr. Romine about the most
recent iteration of voluntary voting system guidelines, which
is expected to be released soon. I believe it's also valuable
that this Committee has the opportunity to hear what new and
evolving challenges States are facing, and how States are using
Federal resources to overcome unique challenges, including how
and if these guidelines and protections are being effectively
adopted. I expect Secretary Ziriax and Mr. Kelley will have
particularly good insight into these challenges.
There's no doubt that there is a need for improved security
of our elections. We know that at least 21 States have been
targeted by foreign state actors prior to the 2016 U.S.
election, and we know that Russia undertook disinformation
campaigns on social media in that same election. This is
troubling, but we must also acknowledge that no votes were
changed in the 2016 election, and the 2018 midterm elections
were secure, with a record number of voter participation. We
must examine what we can learn from these past elections and
improve upon them. We can make progress on this issue. I want
to again thank Chairwoman Sherrill and Chairwoman Stevens for
holding this hearing, and I hope that we will take a bipartisan
look at the challenges of election security.
As my colleague, Ranking Member Norman, noted, this matter
has not been addressed in a bipartisan manner thus far this
Congress. But I hope this hearing will illustrate how progress
can be made in keeping our Nation's elections secure, and free
from interference. Thank you, and I yield back.
[The prepared statement of Mr. Baird follows:]
Thank you, Chairwoman Sherrill and Chairwoman Stevens, for
convening today's hearing to review the security of U.S.
election system technologies.
Voting is a fundamental right of every American citizen and
ensuring the right to safe and secure elections is the
responsibility of every Member of Congress.
Without security, integrity, and accuracy in our electoral
process, the foundation of our nation - our democracy - is
weakened.
I look forward to hearing from our witnesses this afternoon
about how the federal government can support State and local
governments in ensuring safe and secure elections through
research, technology testing, audits and voluntary guidance.
As we all know, under our Constitution and federal system,
election administration is and should be the responsibility of
State and local governments.
Our Founders believed that government is more transparent,
responsive, and accountable when it is closest to the people,
which is why the Constitution gave the responsibility of our
elections to the States.
To this end, Congress' role is to empower state officials
to strengthen the security of their unique election systems and
effectively administer elections, not to try to dictate a one-
size-fits-all approach.
The Help America Vote Act of 2002 (HAVA) established the
federal Election Assistance Commission (EAC) and requires the
National Institute of Standards and Technology (NIST) to work
with the Commission on technical, voluntary guidelines for
voting systems.
These voluntary guidelines are an important tool for state
and local election officials to ensure the functionality and
accuracy of that state's unique system.
They allow for the testing of voting systems to determine
the basic functionality, accessibility, and security
capabilities.
They also offer flexibility, which is important given the
variation of election infrastructure from state to state.
I look forward to hearing from Dr. Romine about the most
recent iteration of the Voluntary Voting System Guidelines,
which is expected to be released soon.
I believe it is also valuable that this Committee has the
opportunity to hear what new and evolving challenges states are
facing and how states are using federal resources to overcome
these unique challenges - including how and if these guidelines
and protections are being effectively adopted.
I expect Secretary Ziriax and Mr. Kelley will have
particularly good insight into these challenges.
There is no doubt that there is a need for improved
security of our elections - we know that at least 21 states
were targeted by foreign state actors prior to the 2016 U.S.
election and we know that Russia undertook disinformation
campaigns on social media in that same election.
This is troubling, but we must also acknowledge that no
votes were changed in the 2016 election and the 2018 midterm
elections were secure with a record number of voter
participation.
We must examine what we can learn from these past elections
and improve upon them. We can make progress on this issue.
I want to again thank Chairwoman Sherrill and Chairwoman
Stevens for holding this hearing, and what I hope will be, a
bipartisan look at the challenges of election security.
As my colleague, Ranking Member Norman noted, this matter
has not been addressed in a bi-partisan manner thus far this
Congress, but I hope this hearing will illustrate how progress
can be made in keeping our nation's elections secure and free
from interference.
Thank you and I yield back the balance of my time.
Chairwoman Sherrill. Thank you, Dr. Baird. If there are
Members who wish to submit additional opening statements, your
statements will be added to the record at this point.
[The prepared statement of Chairwoman Johnson follows:]
Thank you Madam Chair, and I would like to join you in
welcoming our witnesses this afternoon.
I'm glad we're holding this hearing today on such an
important topic. The election system is decentralized and
complicated. There are many different aspects of it that rely
on technology in some form. As a result, there are numerous
challenges and solutions to making sure our election system is
secure, fair and accessible. Elections security, as we all
know, is an active topic of conversation in Congress right now,
as it should be. It is an urgent topic for our nation.
The Science Committee will do what it does best today - we
will talk about the technology. My home state of Texas is a
case study in how advanced technologies are both promising and
perilous when it comes to the administration of elections. The
2018 election cycle saw a terrible episode in Texas in which
malfunctioning electronic voting machines ended up changing
some voters' selections from Democrat to Republican, and
deleted some voters altogether. This occurred across at least
78 counties. And the machines where this happened were
paperless, which means it was impossible to go back and compare
the voters' intent with what the device actually recorded. To
underscore the gravity of what happened in 2018, the Texas
Civil Rights Project issued a statement that this event "is
threatening to call into question the entire election in
Texas." To wit, in a court case that resulted from a similar
episode in the state of Georgia, a judge ultimately decided
that continued use of paperless systems can harm our
constitutional rights to a free and fair election.
We were somewhat relieved to learn that cybersecurity
experts believe that the voting machine anomalies in Texas can
be attributed to old technology and not to hackers. But it is
easy to imagine how a bad actor might seek to take advantage of
exactly this kind of vulnerability in Texas and across the
country. On the other hand, Texas is looking at some exciting
reforms. This year the Texas House is considering legislation
that would implement automatic voter registration when eligible
residents interface with the Department of Motor Vehicles. This
proposal will not only make it more convenient for citizens to
participate in the democratic process, it will also save money
for state elections administrators and may help make the
registration process more secure.
I hope that the experiences we have in Texas can be used as
lessons learned for other states. In fact, I believe almost
every state and jurisdiction is working hard to improve their
systems and make them more secure and accessible. The Federal
government has a role in shepherding the development of
voluntary guidelines for secure elections and in providing
technical and other assistance to state and local election
administrators. We all need to learn from each other. Our very
democracy is on the line.
I want to thank Chairwoman Sherrill, Ranking Member Norman,
Chairwoman Stevens and Ranking Member Baird for holding this
hearing, and I yield back the balance of my time.
[The prepared statement of Mr. Lucas follows:]
Thank you, Chairwoman Sherrill, Chairwoman Stevens, Ranking
Member Norman, and Ranking Member Baird, for holding today's
hearing.
The integrity and security of elections is fundamental to
democracy in the United States. Americans must have confidence
in the accuracy of election results, or we risk losing the
public trust in government and our political system.
Although there is no evidence to date that a single vote
was changed in the 2016 or 2018 elections due to a cyberattack
or foreign interference, we know that our adversaries are
looking to erode public confidence in elections.
Prior to the 2016 federal election, a series of
cyberattacks occurred on information systems of state and local
election jurisdictions. The Federal Bureau of Investigation
(FBI) announced that some state election jurisdictions had been
the victims of cyberattacks aimed at exfiltrating data from
information systems in those jurisdictions. The attacks
appeared to be of Russian-government origin.
Although these attacks did not result in actual votes being
changed, they served as a warning to Federal, State, and local
officials that we must be vigilant about securing our
elections.
The U.S. Constitution vests the responsibility of
administering elections with State and local governments.
However, the Federal government has an important role to play,
in providing guidance and assistance to states on election
systems. The Federal government can and should also work
closely with State and local election officials to deal with
foreign and domestic cyber threats.
Concerns with earlier versions of voting and election
systems led to the passage of the 2002 Help America Vote Act
(HAVA). This Act requires the National Institute of Standards
and Technology (NIST), over which our Committee has
jurisdiction, to work with the Election Assistance Commission
(EAC) on technical, voluntary guidelines for voting.
NIST plays an important role in conducting research on
election systems and providing technical assistance and
guidelines. NIST is a trusted partner by both industry and
State governments. Because these guidelines are voluntary,
States and private companies are more willing to share
information with the agency, which results in better voluntary
standards and guidelines. It is important that we support NIST
in this work, and not erode their role in election security.
In Oklahoma, we have an election system that is secure,
reliable, and provides timely results. I want to thank Mr. Paul
Ziriax, Secretary of the Oklahoma State Election Board, for
testifying today. Oklahomans can trust in the results of our
State's elections, thanks to the thoughtful work of Paul and
his staff. I look forward to hearing about how the Federal
government can best support states like Oklahoma in their work,
without creating mandates that are one-size-fits-all.
What works for California might not work for Oklahoma, and
I am glad we have two State and local election officials on the
panel to hear what tools they need to administer secure
elections in their jurisdictions.
The Science Committee has demonstrated over the last few
months how Committees should work. Under the leadership of
Chairwoman Eddie Bernice Johnson, we have been conducting
hearings and moving legislation under regular order, and in a
bipartisan and productive fashion, to make progress for the
American people.
Unfortunately, the Democratic leadership of the House has
chosen to ignore the Committee process, and rush two partisan
bills to the floor in the name of "election security,"
including H.R. 2722, a bill that will be considered on the
House floor later this week. That bill is partially in the
Science Committee's jurisdiction, but leadership ignored
regular order, and never gave our Committee members the
opportunity to consider the legislation.
Unfortunately, that partisan bill goes far beyond securing
elections - setting mandates on State and local governments for
the administration of elections that have nothing to do with
security or election integrity.
Republicans want to work with Democrats on election
security. I hope this hearing demonstrates that commitment on
both sides of the aisle and lays the groundwork for bipartisan
legislation out of this Committee to update NIST's election
security activities.
Again, thank you to the chairs and ranking members for
holding this hearing. I yield back.
Chairwoman Sherrill. And, at this time, I would like to
introduce our five witnesses.
First, we have Dr. Charles Romine, the Director of the
Information Technology Laboratory at the National Institute of
Standards and Technology, or NIST. And, Doctor, I'm not sure if
I should offer you congratulations or condolences, I hear this
is your 20th time testifying before us, so welcome again.
Mr. Neal Kelley is the Registrar of Voters for Orange
County, California. Mr. Kelley is also a member of the National
Academies of Sciences, Engineering, and Medicine, Committee on
the Future of Voting. This committee contributed to the
publication of the 2018 National Academies consensus study
report titled, "Securing the Vote." Thank you for coming
today.
Dr. Latanya Sweeney is a Professor of government and
technology in the Department of Government at Harvard
University's Institute for Quantitative Social Science. Thank
you.
And then Dr. Benaloh is a Senior Cryptographer at Microsoft
Research. Dr. Benaloh also contributed to the National
Academies "Securing the Vote" report.
And, to introduce our final witness, I recognize
Congresswoman Horn of Oklahoma's 5th Congressional District.
Ms. Horn. Thank you, Madam Chairwoman. I am honored today
to be able to introduce not only our Election Secretary, but
also one of my constituents from Oklahoma City, and I'm honored
to be able to join you on this Subcommittee today on such an
important issue.
Secretary Paul Ziriax has served as the Secretary of
Oklahoma State Election Board since 2009, and as--in that
capacity as our chief election official. He also serves as the
Oklahoma--the Secretary of the Oklahoma Senate by way of a 1913
Oklahoma law that requires the Secretary of the Senate to also
serve as the Secretary of the Education--or the Election Board.
Originally from Claremore, Ziriax has worked as a senior
aide in the Oklahoma State Senate, Chief of Staff, and Press
Secretary to a Member of Congress from Oklahoma, as a radio
station music director and announcer. Ziriax is a member of the
National Association of Election Directors, and the American
Society of Legislative Clerks and Secretaries, and is a past
appointee to the Oklahoma Capital Preservation Commission. He's
an alumnus of Oklahoma State University in Stillwater, and
finally, especially as related to this hearing today, I am
proud of Oklahoma's election system because of our paper
ballots, and a number of other security features that allow us
to know the security and veracity of our elections, which is
one of the things that we are talking about here today. So the
work of Secretary Ziriax, and the staff of the Oklahoma State
Election Board, has been very important, and I'm glad that you
could join us today, and look forward to your testimony.
Chairwoman Sherrill. Well, thank you. Now I feel guilty I
didn't give the rest of you the great intro. But, as our
witnesses should know, you will each have 5 minutes for your
spoken testimony. Your written testimony will be included in
the record for the hearing. When you all have completed your
spoken testimony, we will begin with questions. Each Member
will have 5 minutes to question the panel. And let's start with
you, Dr. Romine.
TESTIMONY OF DR. CHARLES H. ROMINE,
DIRECTOR, INFORMATION TECHNOLOGY LABORATORY,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Dr. Romine. Chairwoman Sherrill, Ranking Member Norton,
Chairwoman Stevens, Ranking Member Baird, and Members of the
Subcommittees, I'm Charles Romine, the Director of the
Information Technology Laboratory at the Department of
Commerce's National Institute of Standards and Technology, or
NIST. Thank you for the opportunity to appear before you today
to discuss our role in what NIST is doing in election security.
For more than a decade, as directed by both the Help
America Vote Act of 2002, or HAVA, and the Military and
Overseas Voter Empowerment Act, NIST has partnered with the
Election Assistance Commission, the EAC, to develop the
science, tools, and standards necessary to improve the
accuracy, reliability, usability, accessibility, and security
of voting equipment used in Federal elections for both domestic
and overseas voters. Under HAVA, NIST provides technical
support to the Technical Guidelines Development Committee
(TGDC), which is the Federal advisory committee to the EAC in
areas such as the security of computers, computer networks, and
computer data storage used in voting systems, methods to detect
and prevent fraud, protection of voter privacy, the role of
human factors in the design and application of voting systems,
and remote access voting, including voting through the
Internet.
This technical support includes intramural research and
development in areas to support the development of a set of
Voluntary Voting System Guidelines, referred to as the VVSG, or
the Guidelines. The Guidelines are used by accredited testing
laboratories as part of both State and national certification
processes by State and local election officials who are
evaluating voting systems for potential use in their
jurisdictions, and by manufacturers who need to ensure that
their products fulfill the requirements so they can be
certified.
The Guidelines address many aspects of voting systems,
including determining system readiness, ballot preparation and
election definition, voting and ballot counting operations,
safeguards against system failure, and protections against
tampering, ensuring the integrity of voted ballots, and
protected data during transmission and auditing. Almost
immediately following the adoption of Voluntary Voting System
Guidelines 1.1, NIST established a set of public working groups
to gather input from a wide variety of stakeholders on the
development of the next iteration of the Guidelines, the VVSG
2.0. This approach pulled in subject-matter experts across the
Nation, with 994 members across seven working groups. Within
the working groups, the cybersecurity working group has grown
to 175 members, and it engages in discussions regarding the
security of U.S. elections. Guidelines 2.0 addresses these
evolving security concerns. It includes support for advanced
auditing methods, as well as enhanced authentication
requirements, and mandates two-factor authentication. The
system integrity section in Guidelines 2.0 ensures that
security protections developed by industry over the past decade
are built into the voting system.
Other security issues to be resolved, beyond those
mentioned in the Guidelines, include the need for regular and
timely software updates and security patches. Networked
communication is another important security issue currently
under discussion. Many election jurisdictions rely on public
telecommunication networks for certain election functions, such
as reporting results to State agencies and media outlets on the
night of the election. These connections, however brief, are a
significant expansion of threat surface, and their security
requires further study.
NIST participates in the DHS (Department of Homeland
Security) Election Security Initiative federal partner
roundtable, and kicked off the election profile of the
cybersecurity framework effort in March 2019. NIST will hold
workshops in July and in August to identify election processes
and assets that need protection, threats from foreign control
technology vendors, available safeguards, techniques that can
detect incidents, and methods to respond and recover. The
election profile will serve as a one-stop cybersecurity
playbook that matches cybersecurity requirements with
operational methodologies across all election processes, from
voter registration through election reporting and auditing. The
profile can be used by Secretaries of State, State and local
election officials to identify and prioritize opportunities to
improve their cybersecurity posture. NIST expects that an
initial draft of the election profile of the cybersecurity
framework will be available in the fall of 2019.
NIST is continuing to address election security by
strengthening the VVSG for voting systems, such as vote capture
and tabulation, and by working with our government partners,
including the EAC, to provide guidance to State and local
election officials on how to secure their election systems,
including voter registration and election reporting systems.
Thank you for the opportunity to testify on NIST's work
regarding election security, and I'll be pleased to answer any
questions that you may have.
[The prepared statement of Dr. Romine follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Sherrill. Well, thank you very much. And, Mr.
Kelley?
TESTIMONY OF MR. NEAL KELLEY,
REGISTRAR OF VOTERS, ORANGE COUNTY, CALIFORNIA
Mr. Kelley. Good afternoon, Chairwoman Sherrill, Chairwoman
Stevens, Ranking Member Baird, Ranking Member Norman, and
Members of the Subcommittee on Investigations and Oversight,
and the Subcommittee on Research and Technology. My name is
Neal Kelley. I'm the Chief Election Official, Registrar of
Voters, for Orange County, California. Thank you for the
invitation to speak today.
I'd like to address four specific things: the key findings
of the National Academies of Sciences, Engineering, and
Medicine's consensus study report, "Securing the Vote:
Protecting American Democracy"; the best practices used in
Orange County, including the use of paper trails with voting
machines, electronic poll books, and risk limiting audits;
barriers States and counties encounter in the pursuit of
enhancing election security; and how I believe Congress can
further assist States and counties with securing election
system technologies.
As a member of the National Academies' Committee on the
Future of Voting, I have submitted the report highlights for
Federal policymakers along with my testimony today. I would
also like to share the insights I have gained as an election
administrator. In the 2 decades following the 2000 Presidential
election, numerous initiatives have been undertaken to improve
our election systems. Although progress has been made, old and
complex problems persist, and new problems emerge. Aging
equipment, number one, the targeting of our election
infrastructure by foreign actors, a lack of sustained funding
dedicated to election security, inconsistency in the skills and
capabilities of elections personnel, and growing expectations
that voting should be more accessible and convenient, as well
as secure, complicate the administration of elections in the
United States.
Working together, NIST and the Election Assistance
Commission have made numerous contributions to the improvement
of electronic voting systems by providing critical technical
expertise. The Voluntary Voting System Guidelines, otherwise
known as VVSG, developed by the EAC in collaboration with NIST,
are particularly important. Nevertheless, despite the critical
roles that these agencies plays--play in strengthening election
infrastructure, there is currently a very limited pool of
ongoing financial support.
While one-time funding has been historically allocated,
election cybersecurity is known to be an ongoing challenge that
will require a constant effort to better understand threats and
vulnerabilities. The National Academies' report recommends that
the EAC and NIST, the architects, developers, and shepherds of
the VVSG, continue the process of refining and improving the
VVSG to reflect changes in how elections are administered; to
respond to new challenges to election systems as they occur,
such as the threat of cyber attacks; and to research how new
digital technologies can be used by Federal, State, and local
governments to secure elections. Our report further recommends
that a detailed set of cybersecurity best practices for State
and local election officials be developed, maintained, and
incorporated into election operations, and that the VVSG be
periodically updated in response to new threats and challenges.
Electronic voting systems that do not produce a human-
readable paper ballot of record are a particular concern, as
the absence of a paper record raises security and vulnerability
issues. Because of this, our report recommended that all
elections should be conducted with human-readable paper
ballots. We also recommend the use of risk limiting audits. An
RLA is not considered to be a performance audit, as it seeks to
ensure accuracy that the reported outcome would be the same if
all ballots were examined manually, and that any different
outcome has a high likelihood of being detected and corrected.
The National Academies' report also recommends that the use of
the Internet, or any network connected to the Internet for a
voter to cast a ballot, or the return of a marked ballot,
should not be permitted.
There is no known technology that guarantees the secrecy,
verifiability, and security of a marked ballot transmitted over
the Internet. Voter registration databases are also vulnerable
to cyberattacks, whether it is a standalone, or is connected to
other applications. Presently, election administrators are not
required to report any detected compromises or vulnerabilities
in voter registration systems, and our report recommends that
States make it mandatory for election administrators to report
these instances when it occurs to the Department of Homeland
Security, the EAC, and State officials.
As the fifth largest voting jurisdiction in the United
States, Orange County, California is in the fortunate position
of being able to allocate resources and staff to support pilot
programs, and determine best practices for the use of paper
audit trails, voting machines, and electronic poll books. On
the matter of election security, in Orange County we remain
closely connected to our local fusion center, and to
information sharing and analysis centers. In addition, I
routinely invite security experts to conduct audits and testing
on our systems to identify vulnerabilities, and to propose
solutions. Electronic poll books must meet high-level security
requirements to be used in California, and my office has placed
additional requirements on potential electronic poll book
solutions. Data must be encrypted while in transmission, and
while at rest. Nevertheless, not every election office has the
resources that we have in Orange County. There are hundreds, if
not thousands, of election offices where only a handful of
dedicated staff are on hand to run their jurisdiction's
elections. To share the knowledge and experience----
Chairwoman Sherrill. Wrap it up quickly, please.
Mr. Kelley. Going quickly. I released the 2018 Election
Security Playbook for Orange County elections, and I have
attached that to my written testimony.
Chairwoman Sherrill. Thank you.
Mr. Kelley. And thank you, and I look forward to your
questions.
[The prepared statement of Mr. Kelley follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Sherrill. Thank you. I appreciate it. Dr.
Sweeney?
TESTIMONY OF DR. LATANYA SWEENEY,
PROFESSOR OF GOVERNMENT
AND TECHNOLOGY IN RESIDENCE,
DEPARTMENT OF GOVERNMENT, HARVARD UNIVERSITY,
INSTITUTE OF QUANTITATIVE SOCIAL SCIENCE
Dr. Sweeney. Thank you, Chairwoman Sherrill, Ranking Member
Norman, Chairwoman Stevens, Ranking Member Baird, and Members
of the Committee. I'm not going to--I presented a written
testimony I'm not going to read from, and instead like to give
you just some highlights. Let me first tell you a little bit
about myself. I have a Ph.D. in Computer Science from MIT. I'm
a Professor of government at Harvard University, and I was the
former Chief Technology Officer of the Federal Trade
Commission. For the last 20 years, my research mission has been
to scientifically investigate and reveal unforeseen
consequences of technology and its impact on society. I put
names to health data that was supposed to be anonymous at--and
that's cited in the preamble of HIPAA (Health Insurance
Portability and Accountability Act), and it led to a new field
of study called data privacy. I documented adverse racial
discrimination in online ad delivery that's led to a new area
of computer science study called algorithmic fairness. I
trained students to be these same type of technologists to work
in the public interest, and my students have improved practices
at CMS (Centers for Medicare and Medicaid Services), Facebook,
Airbnb, just to name a few.
In 2016, we gathered together 50 computer scientists, and
social scientists, and civil society organizations, and said,
what are the most pressing problems? They made a list of 75. We
then asked them to tell us which problem did they think was the
most important for us to investigate for the year? They said
elections. It was January 2016, and we began doing just that.
We found different kinds of problems around misinformation
campaigns, and things like that on the Internet they got--that
were brought to our attention.
Eventually, though, we began realizing how broad the
election system is. The surface area of it is huge. Every one
of those boxes has its own nature of a vulnerability. And we
are only--and the rest of my talk is only going to talk about
what's in that upper left corner. It was motivated by what
happened in Riverside County during the primaries in 2016, in
which Republican--it was a close primary. Republicans showed
up, and instead of getting a Republican ballot, they got
everything but--many--hundreds of them got everything but a
Republican ballot. There was no break-in, there was no database
breach, it just seemed like somebody changed all these records
through the online system.
And so this idea that you could just change a voter's
address, which changes their polling place, which could
disenfranchise voters, not--in a primary, but just in the
general election, and there are other ways too, that if you
impersonate a voter, and you could go online, you could make a
big difference, whether you wanted to make a local impact on a
local election, whether you wanted to shave points off of an
election, or whether you wanted to disrupt the election
altogether. So that gave us a set of research questions, and we
dug in. We found 35 States, and the District of Columbia, had a
website in which a person could change their voter registration
online. These were not always voter registration websites. Many
of them were also from the Motor Vehicle Division as well.
As you can see, the big problem here is, how does the State
know who you are? In the case of Delaware, it--using this
system, it was the first name, last name, date of birth, and
zip code. But there are many places where I could find the
name, date of birth, and zip code of people who live in
Delaware. That--an alternative that used the driver's license
and date of birth is another example from Alabama. This is the
summary for all of the websites that we found, and the
information that they require. Most of them require some
combination of demographics, like name, or date of birth, or
maybe address. Some of them require some government-issued
number, like a Social Security Number (SSN), or a part of it,
or a driver's license number. None of them necessarily require
all of them, or they were the same.
Second question, though, is where would you get this data?
And we found no shortage of the availability of the data. You
could buy voter lists directly, you could buy voter lists from
brokers that had a lot of the information. Some voter lists
were just posted freely online. We surveyed about 500 popular
data brokers to get SSNs and other kind of information, and we
went on the dark web and found that you could find a disturbing
amount of information also, including all of the Social
Security Numbers of Americans.
At the time, 11 of those websites had captchas, these ways
to try to figure out who you were, but in 2016 every captcha,
including the Google captcha you see at the bottom, could be
automated to be defeated. So with people who had virtually no
experience, with about one page of Python code, you could
automate an attack, and the cost of doing that, including the
virtual machines to do it, and to weight its time, turned--if I
wanted to shave 1 percent of the voter information off of the
voters from that--from those locations, it would be $24,000
across all of them. If I use name sources. It drops to 10,000
if I was willing to also use dark net information as well.
We're not saying that it did happen. We're just saying that
this is--it's possible to happen, and it's a real
vulnerability. Homeland Security had recommended this kind of
vulnerability assessment. We're happy that we were able to
participate, and we are updating now as to what has been the
response.
I'd better stop there. Thank you.
[The prepared statement of Dr. Sweeney follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Sherrill. Thank you. Mr. Ziriax?
TESTIMONY OF MR. PAUL ZIRIAX,
SECRETARY, OKLAHOMA STATE ELECTION BOARD
Mr. Ziriax. Thank you very much. And I do want to thank my
representative, Ms. Horn, for the kind introduction. I am her
constituent, so I think that's a prerequisite when here, but
thank you very much for that. I also want to thank the full
Committee Ranking Member, Mr. Lucas, who is also from Oklahoma,
who ensured my invitation here today. So, Chairwomen Sherrill
and Stevens, and Ranking Members Norman and Baird, also
Chairwoman Johnson of the full Committee, and distinguished
Members of the Subcommittees, I want to thank you for the
opportunity to testify today. My name is Paul Ziriax. I'm the
Secretary of the Oklahoma State Election Board, and the Chief
State Election Official. Different from many States, Oklahoma
has a voting system that is uniform, and Statewide, owned and
controlled by the State Election Board. Our system utilizes
paper ballots that are hand-marked by voters, and counted by
accurate, reliable, precinct-based optical scanners. And no
matter where you are in our State, voting is the same. We have
the same style of ballots, the same voting hours, the same
standards and regulations, and the same accurate optical
scanners.
In my written testimony you can read much more about
Oklahoma's election system and procedures, including our
relatively low costs, the bipartisanship of the system, the--
and the speed with which we are able to count ballots and
certify results. In my opinion, Oklahoma's uniform system helps
make it more secure, easier to maintain, more efficient, more
cost effective, and more equitable to voters across our State.
In my written testimony you can read about our--security
features of the system, but we are very proud that our system
is auditable and verifiable. At my request, my State
legislature passed a new law this year that authorizes post-
election audits beginning in 2020. But, as an election
official, I do want to say, although I want to make voting and
voter registration as convenient and as accessible as possible,
we, as election administrators and policymakers, must be
cautious about sacrificing too much security in the name of
convenience.
I will say, in 2017, when I learned from Homeland Security
that Oklahoma was unsuccessfully targeted--was one of the 21
States unsuccessfully--or at least we were unsuccessfully
targeted, we have taken a number of steps to improve election
security. For example, our systems are actively monitored and
protected by our State Cyber Command. We joined several Federal
and State agencies to create an election security working group
to enhance communication and information sharing. We are
members of the EI-ISAC, which is the election infrastructure
information sharing network. We work closely with State Cyber
Command, NASED (National Association of State Election
Directors), and social media sites to help protect against
misinformation campaigns, and our county election boards are
now required to notify the State if physical intrusions or
cyber incidents occur in their counties.
Now, speaking only for myself, I do want to offer some
recommendations. The VVSG, which was mentioned earlier, should
remain voluntary, and should contain broad-based goals that
States can determine how best to implement. These standards,
though, must be flexible so that they can adapt to changing
threats and technology. Academia should work closely with
current election administrators so that its recommendations are
viable in the real world of election administration. All of us
in this room should take great care so as not to unnecessarily
alarm the public, or cause distrust in elections, especially
when discussing theoretical threats without noting actual
protections that exist against those threats.
Under our Federal system, the States should continue to
administer elections in our country. I do not believe that
election administration should be Federalized, and that--I
believe that mandatory standards and certification procedures
should not be forced on the States. The Federal Government
should make technical assistance, best practices, voluntary
standards, and intelligence available to the States. Sustained
Federal funding for election security, or for upgrading voting
systems, can be very helpful, but excessive mandates could
cause States to refuse those Federal grants. When possible, I
think intelligence regarding election security threats should
be declassified quickly and shared with State and local
election officials. And I do believe that every State should
use voting systems that are auditable and verifiable, but that
States should determine the best methods for auditing their
elections.
In closing, my biggest concern as an election official is
protecting the public's faith and confidence in the integrity
of our elections. If citizens lose faith in our elections, then
we risk losing our very representative republic. Physical
security and cybersecurity are a great concern, but the easiest
way to disrupt our elections, and what we've already observed,
is for our adversaries to sow discord and spread
misinformation. I encourage Federal policymakers to keep in
mind that each State is different, and that imposing a one-
size-fits-all mandate on the States for election policies or
security procedures could be disruptive and expensive, and
could unnecessarily create an adversarial relationship at a
time when a cooperative partnership is needed. And, with that,
I thank you for the time.
[The prepared statement of Mr. Ziriax follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Sherrill. Thank you. Dr. Benaloh?
TESTIMONY OF DR. JOSH BENALOH,
SENIOR CRYPTOGRAPHER, MICROSOFT RESEARCH
Dr. Benaloh. Thank you, and good afternoon Chairs, Ranking
Members, other Members of the Subcommittees. I very much
appreciate the opportunity to speak before you this afternoon.
My name is Josh Benaloh. I'm Senior Cryptographer at Microsoft
Research. My 1987 doctoral dissertation at Yale University was
entitled ``Verifiable Secret Ballot Elections'', so I've been
working on election technologies for an embarrassingly long
time. I also had the privilege and pleasure of serving
alongside Neal Kelley on the National Academies' recent report
on securing the vote, and appreciate that experience as well.
There are thousands of election jurisdictions in the U.S.,
over 8,000 by most counts, and most are very small, with very
limited resources. Threats come from nation-state sponsored
adversaries, in many cases. This is an asymmetric battle. And
while we have certainly a responsibility to harden our election
infrastructure to the extent that we can, we should recognize
that we cannot realistically make our election infrastructure
impervious to attack. While we cannot guarantee that attacks
can be prevented, we can guarantee that they're detectable. And
the National Academies' report recommends pursuing two
technologies that enable auditing that enables us to detect any
attacks on our infrastructure. One is called risk-limiting
auditing, the other is end-to-end verifiability.
Risk-limiting audits are an enhanced form of traditional
audits, managed by, and overseen by election officials, ideally
together with, in cooperation with, members of the public. They
use advanced statistical methods to make the auditing process
more effective and more efficient, and they have been piloted
in many jurisdictions--probably about a dozen jurisdictions
around the U.S. in recent years. End-to-end verifiability is
something entirely different. It's a public means of auditing.
It's a method that allows any individual, after an election
closes, at any time to conduct an audit. There's no need to
wait for election officials, for Judges to issue court orders.
Candidates, members of the news media, interest groups, and
even individual voters can check for themselves that the votes
have been counted correctly. Any and all tampering can be
detected. Not just external tampering, but even insider
tampering, due to faulty equipment, or improper actions by
election personnel.
End-to-end verifiability effectively answers the question,
how can I trust the results of an election when I don't trust
the people or equipment on which the election has been run?
This is not a new technology. It has actually been around for
decades. Its seeds go back to the 1980s, but it has evolved
during that time, and improved, and become more efficient, and
more practical, and more friendly, and is ready for wide-scale
deployment at a time when I believe we most need it.
Just over a year ago, Microsoft announced its Defending
Democracy program, and as part of that, just last month
Microsoft announced its ElectionGuard system. Microsoft is
working with partners, including Columbia University, and a
Portland company called Galois to build a free, open-source,
software toolkit that enables both end-to-end verifiability and
risk-limiting audits. This is not intended to replace existing
systems for counting votes. It goes alongside. It makes it
possible to have an auxiliary verifiable count that is
verifiable by anybody at all. We are working with many vendors
to promote the adoption of this technology, and seeking
jurisdictions for initial pilots. The technical details will be
released shortly, and the toolkit that enables this will be
available later this summer.
There are, however, regulatory challenges to making this
happen, and the NIST and EAC guidelines that are in existence
today are somewhat old and dated. They don't recognize new
technologies, they're not very flexible, so we very strongly
support and encourage the adoption of the new VVSG 2.0
Guidelines that are in draft form, and hope they will be
adopted very soon.
There are numerous other challenges facing our election
infrastructure: Technical, financial, educational, and others.
Congress, in collaboration with States, can help to provide
consistent funding sources, and address many of the challenges
we face. Thank you very much, and I look forward to your
questions.
[The prepared statement of Dr. Benaloh follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Sherrill. Well, thank you. Before we proceed, I
would like to bring the Committee's attention to statements we
have received from the Brennan Center for Justice, the Center
for American Progress, and Verified Voting. We've also received
letters to the Committee from the National Election Defense
Coalition, and Common Cause. These documents highlight
priorities that Members of this Committee should consider as we
look to assist States in their election security efforts.
Without objection, I will enter these documents into the
record.
At this point we will begin our first round of questions,
and I'll recognize myself for 5 minutes.
So first I'd like to start, if I could, with Mr. Kelley. In
2018, my home State of New Jersey received a HAVA Election
Security grant of nearly $9.8 million. So with this money, I'm
happy to report we plan to purchase a number of voting systems
that use a voter-verified paper trail audit, I'm sorry to
report that New Jersey does not have that at this time, and to
conduct a number of pilot programs with new systems. So what
advice would you have for a State that decides to scale up
their post-election audit pilots to a Statewide application?
Mr. Kelley. Well, thank you, Madam Chair, for the question.
I would have to go back to the discussion on risk-limiting
audits, and, using that as really the benchmark for
auditability post-election. In California we use two auditing
functions right now. One is the 1-percent audit, which audits 1
percent of the precincts, the ballots that are cast within
California, and then the second is the option of conducting a
risk-limiting audit. Opening that up in a Statewide function,
like we are in California, I think is the proper way to go,
because it does give you that extra look and comfort at
auditing functions post-election, when, even if you're manually
counting the ballots, this gives you that extra added security
and assurance that those audit--that the ballots are counted
correctly.
So when you're looking at ramping up an auditing function,
I think risk-limiting audits is certainly the way to go. And
there are so many States, and counties, and jurisdictions right
now that don't utilize any auditing function, let alone a risk-
limiting audit.
Chairwoman Sherrill. Thank you very much. And, Dr. Sweeney,
with the money we received, we're also making plans to allocate
funds to implement any necessary changes to the Statewide voter
registration systems. I know NIST and the National Academies
have a lot of recommendations for how to do this. And, given
your experience examining vulnerabilities in a broad swath of
voter registration systems, what do you think are some of the
most important first steps that New Jersey can pursue with
these funds?
Dr. Sweeney. Well, there's two sides. A lot of--my
colleagues on the panel have really focused a lot on
traditional--cybersecurity kinds of threats. Break-ins, ways
that the data could be tampered with, changing the flow of the
data. The example that I gave is not a break-in, it's the
opposite. It's the--a fundamental problem we have in the United
States about identifying citizens, or identifying Americans,
or--and it's on--and how do we go about doing that when so much
of the data on Americans is so publicly available?
And the study also gives us a hint at what was the best
answer. Texas was the most difficult of the States, and it's
because it used driver's license numbers, but it also used the
number that was printed on the surface of the driver's license
itself. It wasn't enough for us to stop the attack, but it
limited--it raised the cost, because the only place you could
get scans of actual driver's license to get those numbers was
on the dark web. They weren't--that--those extra numbers
weren't available elsewhere. So that gives us a sense of a way
forward. Intrusion--and also intrusion detection would be
helpful.
I would just say one more thing to New Jersey, and that is
the idea of independent assessments are really important. If--
we went through this with healthcare. If you build a system,
and you say, this is what my security people say is good, and
you test it, you're testing what you built it for. What we do
is--and the reason you do independent assessment is the things
you never thought of. It's a surface area you can't possibly
think of. And the second part of that is whether or not New
Jersey then--if a vulnerability is found, is--how robust is the
response by New Jersey? We learned in the healthcare industry
that if the hospitals just try to pretend it didn't happen to
reassure everyone, that that's not nearly as good as a hospital
who says, I had this vulnerability, we fixed it up, now we're
ready to go. That kind of robust response is much more
trustworthy. So I would recommend that approach.
Chairwoman Sherrill. Thank you very much. And then, Dr.
Romine, I have some straightforward questions for the record
for you. Does NIST currently have the legal authority to
develop technical guidelines for electronic poll books?
Dr. Romine. Thank you for the question. Under the Help
America Vote Act, the work that we do with the EAC is
constrained to voting systems, which are defined more narrowly.
However, we do have a broad mandate for cybersecurity for a
broader number of systems, and in the COMPETES Act (America
Creating Opportunities to Meaningfully Promote Excellence in
Technology, Education, and Science) we have more authorities
there for cybersecurity in those systems.
Chairwoman Sherrill. Thank you. And what about for voter
registration databases and local election websites?
Dr. Romine. That would be the same answer. Not under HAVA,
but under other authorities that we have, we could do work
there.
Chairwoman Sherrill. And same answer for election night
reporting systems and ballot reconciliation methods?
Dr. Romine. That's correct.
Chairwoman Sherrill. All right. Well, thank you very much.
Thank you all. Now I'd like to, sorry, turn it over to Ranking
Member Norman for 5 minutes.
Mr. Norman. Thank you, Chairwoman Sherrill. Secretary
Ziriax, the substitute amendment to H.R. 2722 appears to
contain several provisions that pertain to the administration
of elections, as opposed to election security. To me, it
appears that these election administration provisions are a
Federal overreach that really encroach upon the function of
State and local election administrators and their job. What are
your thoughts about the bill? And, as an example, it looks like
the bill requires paper ballots to be printed on recycled paper
produced in the United States. And is that your read of the
bill, and what would a mandate like that mean for Oklahoma?
Mr. Ziriax. Well, in general let me say that when I was
working with one of my home State Senators, and I apologize for
mentioning a Member from the other body, but Mr. Lankford, when
he was working on some election security, I told him many of
the same things I'm about to tell you, that I do believe that
it's important to remember the differences between different
States. The recycled paper, for example, I personally--I--it is
in the bill, I did read it there. I'm not exactly sure what the
security purpose of that is. I know that with our current
voting system, it cannot use recycled paper because of the
sensitivity of the scanners, and what--if we were required to
use recycled paper, it would actually run the risk of causing
false readings.
Mr. Norman. Well, in your opinion, do you think the
election administration provisions of the bill reach too far
into the administration of elections, which really is
inherently a function of each State?
Mr. Ziriax. I--in general, I think broad guidelines are
better, and leaving specific decisions are better in the hands
of the State.
Mr. Norman. OK. Mr. Kelley, you briefly discussed VVSG 2.0,
and how it is structurally distinct from previous iterations of
the VVSGs. Specifically, you indicated that the new structures
aimed at providing high-level principles and guidelines on
functions that are incorporated into devices that make up a
voting system. From the perspective of State and local election
officials, do you think the high-level approach taken by the
VVSG 2.0 provides a more workable and implementable set of
guidelines when compared to the previous iterations?
Mr. Kelley. Yes, sir, thank you for the question. Actually,
from the standpoint of security, reliability, usability, and
accessibility, I definitely believe that. The principles and
guidelines are high-level. They are certainly a good road map
for heading down that path, but they're not in the weeds.
They're not the test assertions, they're not the requirements.
So, as it stands, those principles and guidelines in VVSG 2.0 I
think are light years ahead, sir, of where we were.
Mr. Norman. OK. And, Secretary Ziriax, based on your
experience, do you believe that a high-level approach is more
workable and implementable, and is this the right approach?
Mr. Ziriax. That--in my opinion, yes. I'm very supportive
of the VVSG 2.0 guidelines that are out there. Although I'm not
speaking for the National Association of State Election
Directors, NASED, I am a member, and I know that they have
expressed concerns about a second part of that, where I know
the EAC is seeking to vote on the actual testing standards.
And, you know, my concern there is that, with the--with what
we've seen in the past, with the lack of a quorum at the EAC,
you run the risk then of getting stuck, as we currently are,
with out-of-date standards.
Mr. Norman. Thank you. And, Dr. Romine, in layman's terms,
can you describe what the election profile to the cybersecurity
framework is, how it functions, and how it stands to help State
and local election officials fortify their election systems?
Dr. Romine. Yes, sir. The cybersecurity framework that was
spearheaded by NIST, and is now being adopted around the world,
is a high-level document that is applicable and scalable to a
wide variety of different sectors of the economy, for example.
In order to be maximally useful to a specific sector, and in
particular the critical infrastructure sectors that include the
election infrastructure, certain tailoring needs to be done to
the cybersecurity framework to make it maximally effective, and
that's what we're actually working on right now. So it's
essentially making sure that we make decisions that are
predicated on the needs of a particular sector.
Mr. Norman. Great. Thank you so much. You all have been
very responsive, and thank you for your questions. I yield
back.
Chairwoman Stevens. Thank you, Mr. Norman. The Chair will
now recognize herself for 5 minutes of questions. And,
certainly, we--we're capturing the nuance here, and how
important the R&D is, and the trustworthiness, and the honesty,
and the integrity of our election systems. I represent a
suburban district in southeastern Michigan, and after the 2016
election, Michigan replaced its aging voting machines in
basically every county in the State, spending $40 million in
State and Federal money to do so, and it's one of at least four
States, along with Florida, Illinois, and Wisconsin, that use
cellular modems to transmit unofficial election results. And
Michigan officials have said that the State's election machines
are not connected to the Internet, eliminating a major hacking
risk. Our Secretary of State, Jocelyn Benson, has implemented a
Security of Elections Commission, a first of its kind
commission. That's coming into formation this year. She's a
newly won Secretary of State who's come in and put in that
commission.
So Michigan voters are using paper ballots that run through
an optical scan voting system, and, as we've noted, this week
the House is considering H.R. 2722, Securing America's Federal
Elections Act, which would require paper ballots and manual
counting by hand or optical scanning systems, which is sort of
a nice springboard to what we're doing here today, which is
digging into the technology, talking about the R&D, relying on
your expertise is a really robust panel. So--and there's
obviously some, you know, ongoing debate about the use of
modems and Internet connectivity in elements of the election
system.
NIST has named this as one of its ``open areas'' still
being considered in its ongoing efforts to update its Voluntary
Voting System Guidelines. And so, Dr. Romine, can you just tell
us where NIST is headed with this? Will NIST give us an
affirmative finding about whether voting systems should avoid
wireless and cellular modems, and minimize Internet
connectivity?
Dr. Romine. Thank you, Madam Chairwoman. First I'd like to
mention that the VVSG--the Guidelines that I've described are
not solely NIST guidelines, but we're in partnership with the
EAC, and with the TGDC, which is the advisory committee, so
there's a number of people involved in the guideline
development. But certainly in the Principles document in VVSG
2.0 we talk about some of the concerns regarding Internet
connectivity, for example, actually, in VVSG 1.1 we talk about
those concerns. We've had guidelines in the past, you talked
about the paper ballots, about auditability. In the Guidelines
that we put out, we're not specific on the way that you can
obtain auditability. We just try to ensure that auditability is
available.
With regard to cellular modems, or any specific technology,
we don't get into that level of detail, but we do talk a lot
about the importance of Internet connectivity for voting
systems as being a challenge to be managed.
Chairwoman Stevens. Dr. Benaloh, would you say that--the
general opinion of the computer science community, as to
whether the risks of Internet connectivity and wireless access
can be adequately mitigated?
Dr. Benaloh. I think the consensus is that--not at this
time. There has been a good deal of exploration of use of
Internet technologies associated with voting equipment, and
there have been some studies looking at possibilities of how
this might be done, and I believe the consensus is it would be
premature to apply any of those technologies today.
Chairwoman Stevens. Yes. And, Dr. Romine, you know, each
fiscal year, NIST receives, you know, about the $1 to $2
million in appropriations transferred from the EAC budget to
conduct its voting research, if I have that right, and testing,
work required, you know, under HAVA, and these annual funds
have been declined, even as needs have grown. How many NIST
staff work on the NIST voting system project?
Dr. Romine. We have five Federal employees in my
laboratory. Four of those are part time, one is full time, and
then we have approximately four contractors working with them.
That's the extent of our capacity currently to address these
issues.
Chairwoman Stevens. And, under those circumstances, how do
you prioritize your voting technology efforts, given limited
resources and constrained staffing?
Dr. Romine. Well, I'd like to point out that the activities
that we have in cybersecurity are considerably larger than this
one effort, and many of the activities--the research activities
that we engage in are applicable in some ways to voting
systems, and in particular to the more traditional systems,
like the voter registration systems, which are much more
similar to mainstream IT systems. So we do leverage a lot, and
I'd just like to say we're very proud of what we do with the
resources that we have.
Chairwoman Stevens. We're proud of you, too. And we're also
proud of your fabulous description of NIST in your opening
testimony. We must have faith in our government, we must have
courage, we must stick to our principles for the people, by the
people. I don't even say bipartisan. I talk about the things
that bring us together as a body. And, with that, I'm going to
yield back, and I'm going to call on my fabulous colleague, Dr.
Jim Baird, for his 5 minutes of questioning.
Mr. Baird. Thank you, Madam Chairwoman. Was that part of my
time you were using? Dr. Romine, when you look at your
knowledge, and your experience, and the number of times you've
been here, maybe I should just allow you to decide what
question you would like to answer. But I'm not going to do
that. Here's a question. You know, in past testimony you
mentioned the importance of collaboration with stakeholders in
the realm of elections, and to be successful in creating
voluntary standards. How often does NIST meet with election
officials, with industry, outside technical experts, and
advocacy groups, and what's been produced as a result of these
meetings, in your opinion?
Dr. Romine. Thank you for a question that allows me to brag
about NIST a little more. I appreciate that very much. The
subcommittee meetings I talked about, and the various task
groups have meetings, virtual meetings, biweekly, in some cases
weekly. The level of engagement is high, the amount of
participation is high. The work that we're doing on the
development of the Guidelines, and in the cybersecurity profile
that I talked about, the cybersecurity framework profile, is a
testament to the productivity of those activities. We work
collaboratively with the Department of Homeland Security, and
obviously with the EAC, in tackling some of these challenging
issues with regard to security of many kinds, but security of
our election systems in particular.
On the industry front, we have strong collaborations. One
of the secrets of NIST is, because we're non-regulatory, I like
to say aggressively non-regulatory, we have a very strong
working relationship with industry in many, many different
sectors of the economy, and certainly we have strong
relationships with the election vendors as well.
Mr. Baird. Thank you. Dr. Ziriax, in your written testimony
you described how efficient Oklahoma's election system is, and
you state that the efficiency of Oklahoma's voting system is by
design. How can we, at the Federal level of government, ensure
that you get what you need to bolster the security of
Oklahoma's election system without reducing the efficiency that
your system has designed to achieve?
Mr. Ziriax. I'm very proud of our system, as I mentioned
earlier. It's paper-based, it is auditable, it is verifiable.
We use optical scanners. We have since the early 1990s. That's
when we first developed our Statewide uniform system. In my
opinion, the best thing that Congress can do is to help ensure
that we have the resources from, you know, various Federal
agencies for help. One of the things that I'm very proud of is
the working relationship that we have with local, Federal, and
State officials, Department of Homeland Security--both State
and Federal--FBI, our State Cyber Command. They, and others,
are all part of an election working group that we have, and I
think making sure that those various entities and agencies have
the resources to work with their local and State election
officials is very important.
Mr. Baird. Thank you, and I have one more question for you.
In your closing remarks, you said that the Federal policymakers
should keep in mind that each State is different, and that
imposing one-size-fits-all would be disruptive, expensive, and
could create an adversarial relationship between State and
local officials at a time when cooperation and partnership is
very much needed. So how can we best help States improve the
security of their election systems without encroaching on their
Constitutional prerogatives, and at the same time ask any other
things that you might consider important?
Mr. Ziriax. Well, thank you for the question. You know,
Oklahoma is different from other States. My State has a little
over two million registered voters. I believe Mr. Kelley's
county has about two million registered voters. I have counties
in my State with fewer than 1,500 registered voters that are
staffed by one county election board secretary and one staff
person. And I think, you know, you have to keep in mind that,
as you're looking at election legislation, the broader that you
make any requirements, the more that you leave to local and
State election officials to decide how to implement those, the
better we can make it work for our States.
I know that--I believe in Oklahoma we know more how to run
elections in our State than, you know, someone from Washington,
D.C., or maybe a college professor from another State, for
example.
Mr. Baird. Thank you, and I'm out of time, so I'm sorry I
don't have questions for the other three of you, but thank you
for being here.
Chairwoman Stevens. Thank you, and the Chair now recognizes
Mr. Tonko for 5 minutes of questioning.
Mr. Tonko. Thank you, Madam Chairwoman, and thank you for
holding this hearing, and thank you to our witnesses for
joining us. Election security goes to the very heart of
America's ideal of government, of the people, by the people,
and for the people. We need look no further for evidence of
this fact than the widespread, well-documented, and ongoing
attacks of America's adversaries on our election systems. Our
enemies recognize the power of our elections, and we must do
the same.
Today is Primary Day in the State of New York, and I am
reassured that New York State has been taking election security
seriously. I'm deeply concerned about the U.S. intelligence
reports that 21 State election systems were targeted by Russian
hackers during the 2016 election cycle. I agree with Special
Counsel Mueller that all Americans should be concerned about
the multiple systematic efforts to interfere in our election.
This must be a wakeup call for all of us.
Assuring the principle of one person, one vote requires
balancing security and accessibility. In developing election
technology, it is crucial that the technology be both secure
and accessible for blind Americans, for people with other
disabilities that can make it harder to vote. In election
infrastructure, there may be places where security and
accessibility seem to compete with one another.
So, Mr. Kelley, is this the case? Are there places where
the needs of blind voters, or voters with disabilities, are at
odds with some of the efforts that have been undertaken to
modernize election infrastructure?
Mr. Kelley. Thank you, sir, for the question, and I think
at times in the past that was the case. I think with
technology, and where we are today, we do have the capability
to produce paper ballots that can be used by voters with
disabilities, and can be verified by voters with disabilities.
And I would say the one area where they probably still
intersect which is a little bit difficult is the remote
transmission of ballots to individuals who are voters with
disabilities. That's an area of concern that I think we need to
keep an eye on, and security's very important in that regard.
But I agree with you, sir, we can't lose sight of making sure
that it's accessible at the same time.
Mr. Tonko. So that technology gap that you just identified,
is that resolvable, or----
Mr. Kelley. I believe it is. I think we're at a point now
where we can transmit the ballot directly to that voter, it can
be verified, and marked, and printed out, and then mailed back,
so there's no transmission of that ballot over the Internet, or
over any network. So I do think it's solvable, yes, sir.
Mr. Tonko. Thank you. And, Dr. Benaloh, did I say that
correctly?
Dr. Benaloh. It's Benaloh.
Mr. Tonko. Benaloh, thank you. Based on Microsoft's work
with election officials, what do you believe is the current
cybersecurity posture and readiness of the average State
election office, and is there even an average, or any--or are
things all over the place?
Dr. Benaloh. I think it would be hard to define an average
of any kind. States are--and local jurisdictions are certainly
working to try to improve things, but there is certainly a lot
more that can be done, and we are hoping that, with consistent
funding, new technologies, new--a new regulatory environment
we'll be able to enact better systems, with better
technologies, that can better protect the American voter.
Mr. Tonko. And, Mr. Ziriax, what are the election security
concerns that keep you up at night going into 2020?
Mr. Ziriax. When I'm--there are really three potential
threats that we face. One is misinformation. That has happened.
I think it continues to happen. Obviously cyber intrusions. And
I haven't heard anyone yet today mention physical security. You
know, you could have physical security threats at polling
places, or at election offices, but all three of those things
are things that we should be concerned about, and, in my
opinion, should work together--State and Federal officials
finding common ground about how to move forward.
Mr. Tonko. Thank you. And, Mr. Kelley, what about you?
Mr. Kelley. I would just add to that, I definitely agree
with what he's saying. Cyber, physical, but I would also add
social. One of the things that keeps me up at night is how well
trained are my election staff to make sure they're not clicking
on links they shouldn't be clicking on? And----
Mr. Tonko. OK.
Mr. Kelley [continuing]. That's really in the weeds, I
know.
Mr. Tonko. Thank you. And, Mr. Kelley, help us understand
how the paper trail works, and why it is important. When you
talk about establishing a paper trail in all voting
jurisdictions, what does that paper trail look like, and why
does it need to be readable by humans?
Mr. Kelley. Yes, sir. So I'll just give you a quick
example. In California, we're required to have a paper trail in
our electronic voting booths, and that paper trail prints out,
the voter can look at that, and see what their selections were
before casting their ballot. They don't take that with them,
but it's included as part of the official record. The reason
that's very important is because that is the official record.
When you go back in a recount or an audit, you're looking at
that paper record. You're not looking at the cast vote record,
or the electronic portion of that ballot cast, so it has to be
human readable so anybody looking at that can determine what
are the true results here?
Mr. Tonko. Thank you. Thank you very much. And, with that,
I yield back, Madam Chair.
Chairwoman Stevens. Thank you. And now the Chair would like
to recognize Mr. Balderson for 5 minutes of questioning.
Mr. Balderson. Thank you, Madam Chair. Good afternoon,
everyone, thank you all for being here. Dr. Romine, my home
State of Ohio is requiring all 88 counties to request a risk
assessment from the Department of Homeland Security by next
month. Can you speak how the suggestions NIST lays out in the
Voluntary Voting System Guidelines can mitigate common mistakes
found in DHS' assessments?
Dr. Romine. I'm not sure that I would do exactly that. What
I can say is the Guidelines that we promote through the EAC are
intended to guide election officials to understand what the
priorities are. The DHS program of assessment is an independent
activity that I think is valuable to many localities in trying
to determine whether they have adequately protected and thought
of all of those particular issues.
Mr. Balderson. OK. Thank you. My next question is for Dr.
Benaloh. Dr. Benaloh, does an end-to-end verifiable system,
like has been suggested by some, replace current technologies,
or can it be used alongside them to ensure integrity in our
election system?
Dr. Benaloh. It can absolutely be used alongside. End to
end verifiability offers an independent pathway by which voters
can check for themselves that the election results are correct.
It doesn't need to replace current systems at all. It can be
entirely separate and parallel.
Mr. Balderson. Thank you very much for your answer. Madam
Chair, I yield back my remaining time.
Chairwoman Stevens. Thank you to the gentleman from Ohio.
And at this time the Chair would like to recognize Mr. Beyer
for 5 minutes of questioning.
Mr. Beyer. Thank you, Madam Chair, very much. And thank you
very much for holding this long overdue hearing. Last Congress,
I repeatedly asked our former Chair to hold hearings on
election security after all of the reports about Russian
interference, and now, certainly, our fears have since been
confirmed. They've been verified, and I'm really concerned that
the Trump Administration and the Senate Majority Leader refuse
to take action.
You know May 2017, President Trump announced the bipartisan
Presidential Advisory Commission on Election Integrity, and
appointed Kris Kobach as his Chair, despite what we now know
about his concerns about his connection to white supremacy. And
the formal charge of the commission was to investigate voter
fraud. This is the step that Mr. Trump took after making the
unsubstantiated--claim that three to five million people voted
fraudulently in the 2016 election, and it appears the primary
purpose of this commission was just to try to support that
contention that he had somehow won the popular vote. In one of
its only actions, the commission asked States to send in all
their voter registration lists, including personal information
like Social Security Numbers. In return, the commission mostly
received just lawsuits, and then Trump decided to disband it.
Mr. Kelley, as an election administrator, and a general
expert with a lot of experience, how frequently do we see
actual voting fraud, where individuals actually cast fraudulent
votes?
Mr. Kelley. Well, thank you, sir. I can speak to my
jurisdiction only, and in Orange County there have been very
few prosecutions for voter fraud in general. I will tell you
the majority of those have been under voter registration, so
individuals who are out registering individuals to vote, they
may change information on the voter registration cards. We have
not seen any instance of in-person voter fraud, where someone
would show up in a polling place and present themselves as
somebody other than who they say they are. It's mainly been on
the voter registration side. In the last 15 years I would say
there's about five to six instances that have been prosecuted.
Mr. Beyer. Yes. In 40 years of doing politics in Virginia,
I can remember exactly one instance that at least made it to
the newspaper, and that was a former State Senator who had
moved between his last election, voted one place, and then
forgot, and voted the other place. He pled guilty, and was--can
any of our panelists explain to us concisely the difference
between voter fraud and election fraud? Is there--then let's
move on. How about Dr. Benaloh? Given what we learned today
about the information about the security and vulnerabilities in
data, how much risk would there have been if the States had
complied with the commission's request, and sent in all that
data, including Social Security Numbers?
Dr. Benaloh. It's very hard to say. Much of the data, I
believe, that was requested was public, but certainly there
were non-public data that were requested. The more hands that
touch sensitive data, the more exposure there is, and
transporting is always a somewhat risky endeavor, but it can be
done well. It should be done well.
Mr. Beyer. Mr. Kelley and Mr. Ziriax, you're both on the
front lines. Do you feel you've received enough resources to be
fully prepared for the 2020 election?
Mr. Kelley. No, sir. I think we've made tremendous strides
in the right direction, but I think funding is always an issue.
I will say that I am grateful for the funding that we have
received, because we've been able to start securing new systems
in California, and that will be a leap forward for 2020. But I
would never sit here and tell you, sir, that we're 100 percent.
Mr. Beyer. And Mr. Ziriax?
Mr. Ziriax. Thank you for the question. In the election
business, we never have enough resources, no matter which
particular issue you're talking about, I think. But in general
I'm very grateful for the Federal funds we've received. We--
just as we were with our initial HAVA funds, have been actually
a little slow to spend the security funds that were granted
last year. We've actually begun by spending our State match
first, but--and while we do have a list of items we provided
the Election Assistance Commission, we're actually reviewing
those with our State Cyber Command, because there may be some
additional changes that would be more cost-effective, given the
limited dollars. But I would repeat what I said in my opening
statement, sustained funding is better, and the fewer the
mandates, the more likely you are to get State participation in
the grant process.
Mr. Beyer. OK, great. Well, thank you very much, and thanks
for being here this afternoon. Madam Chair, I yield back.
Chairwoman Stevens. Thank you to the gentleman from
Virginia. At this time the Chair would like to recognize Mr.
Gonzalez for 5 minutes of questioning.
Mr. Gonzalez. Thank you, Madam Chair, and thank you,
everybody, for being here today on this incredibly important
topic. To Mr. Ziriax and Mr. Kelley, you both have unbelievably
important and critical jobs in securing our democracy, and I
thank you for your service to your States, and by default to
our country. We in Ohio have an outstanding Secretary of State,
Frank LaRose, and I share Mr. Ziriax's opinion that I have no
interest in dictating to him how to do his job. I trust him, I
voted for him, as did many Ohioans, and I think it's our
responsibility, at the Federal level, to empower you to do your
job as effectively as possible. And, specifically, one area
where I think we can do a better job at the Federal level is
helping on a cybersecurity standpoint.
Dr. Benaloh, I want to start with a question for you. One
thing we hear on the Financial Services Committee, on that
Committee, and across industry, is if you don't believe you've
had a cyber attack, it's because you're just not aware of it.
Would you share that opinion?
Dr. Benaloh. I think that's a reasonable adage. I'm sure
there are exceptions to that, but not knowing--not having seen
an attack does not mean that it, in fact, did not happen.
That's certainly true.
Mr. Gonzalez. Absolutely. And then I guess my follow up,
then, for Mr. Ziriax is, with that in mind, how can we better
equip you, how can we better prepare you for the coming
election, and going forward, from a cybersecurity standpoint?
Mr. Ziriax. Thank you for the question. In my opinion,
continuing the Federal partnership that we have locally is
something that is going to be very helpful. I know that our
local FBI field office, local Department of Homeland Security
officials have been very helpful, whether it's sharing
intelligence, whether it's providing physical security
assessments, and I think making sure that those functions are
funded, and perhaps staffing is expanded. There are only two
U.S. Department of Homeland Security officials, I believe, in
the entire State of Oklahoma, and one of them is attached to
our State Fusion Center.
But, you know, for me personally, I think making sure that
funds are available, and not just funding, but the expertise
and resources are available to election officials to help us
secure our own systems.
Mr. Gonzalez. Thank you. And, Mr. Kelley, same question.
Mr. Kelley. Yes, sir. Similar answer, but I would tell you
that in California we have 58 counties. Most of those counties
have not taken full advantage of all of the services that DHS
has to offer. I've done that in Orange County, but I think
additional resources for training and pushing that--those
resources out is very important, and the backlog, because it's
taken a little bit of time.
Mr. Gonzalez. Got it. And then switching to VVSG generally,
and then 2.0, Dr. Romine, it strikes me that one of the hardest
parts of this is we are playing an asymmetric dynamic game,
essentially, right? You're only as good as kind of the last set
of guidelines that you've articulated, and the hackers are
always kind of one step ahead. And so, with that in mind, I
guess how should we think about updating your mandates, from a
VVSG standpoint, to make sure that we are ahead of the game, or
at least not, you know, in this world where we're doing it
every couple years? It seems like we'd want to be continuously
updating this information.
Dr. Romine. Thank you for the question. I think you've just
articulated one of the reasons why the high-level principles
approach to VVSG 2.0 was the way that we felt most comfortable,
because at the high-level principles, they're not necessarily
affected by changes in technology more than specific guidelines
would do, and it gives you the opportunity to frame how you can
secure the systems at a higher level.
Mr. Gonzalez. Great. Dr. Benaloh, same question.
Dr. Benaloh. Yes. I think the high-level principles and
guidelines are very valuable, and they afford the opportunity,
if it is taken, to formally adopt just the high-level
principles, which are far more enduring, and allow
administrative revision of the detailed requirements of VVSG to
be made and adjusted, as necessary, over time to accommodate
changing circumstances.
Mr. Gonzalez. Fantastic. Thank you, and I yield back.
Chairwoman Sherrill. Thank you. Ms. Wexton for 5 minutes.
Ms. Wexton. Thank you, Madam Chair, and thank you to all
the witnesses for coming to testify today. I also want to thank
the Chairwomen for holding this hearing. This is a topic that's
critical to both our national security and the integrity of our
democracy, so I'm very delighted that we're having this
hearing.
Now, my home State of Virginia was one of the States that
was targeted by Russian hackers in the 2016 election, and at
the time we were using direct recording devices, or paper-free
voting machines, although paper ballots were available in many
polling places. And my State has now transitioned back to using
paper ballots, and they expedited that transition as a result
of the hacking attempt, but it seems like NIST has been
sounding the alarm about insecure voting machines for a long
time.
In the 2007 discussion draft paper of--to the EAC, a
subcommittee of the Technical Guidelines Development Committee
wrote, NIST does not know how to write testable requirements to
make direct recording devices secure, and this recommendation
is that the DRE, in practical terms, cannot be made secure. Is
that familiar to you, Dr. Romine?
Dr. Romine. It is.
Ms. Wexton. OK. And in 2011, the NIST working group on
auditability concluded that voting systems that do not provide
a voter-verified paper ballot will be vulnerable to
undetectable hacking, and cannot be audited effectively for
errors in the vote count. Is that also familiar to you?
Dr. Romine. It is.
Ms. Wexton. OK. So--but it doesn't seem clear--seem to be
clear that election officials at the State and local levels are
getting that warning, NIST's warning, and the alarm bells that
you guys are sounding about the inherent insecurity about
paperless DRE (direct recording electronic) systems. Even the
former Chair of the EAC, Tom Hicks, testified to the House
Homeland Security Committee earlier this year that a
compromised DRE could be effectively audited to discover a
manipulation. Were you aware of that testimony?
Dr. Romine. I believe I was on that same panel.
Ms. Wexton. OK. Can you explain that discrepancy, or did
you agree with that statement by the--by Mr. Hicks?
Dr. Romine. So I don't remember the context in which he
made that statement. I think possibly what he was alluding to
was a collection of recommendations for auditability that might
include risk-limiting audits. So there are certainly
opportunities for advanced statistical analysis to be able to
reveal the potential presence of anomalies in voting, but I
don't remember exactly whether he was endorsing fully paperless
ballots or not.
Ms. Wexton. So going forward, how can we ensure that NIST's
research and conclusions regarding the security and
auditability of DREs are given due attention and shared
effectively with election administrators to inform policy?
Dr. Romine. We have strong relationships with the National
Association of State Election Directors, NASED, and other
venues for State officials, and we talk regularly with them.
Many of the stakeholders participate in the working groups, the
cybersecurity working groups, a working group that I alluded to
earlier, with 175 members. So we're getting the word out.
There's some awareness building. The principal guideline, from
our perspective, is the necessity of an audit mechanism. Our
Guidelines don't specify how that audit mechanism is to be
done, but the importance of auditability is essential, and our
guidelines reflect that.
Ms. Wexton. Very good. Thank you. I will yield back with
that.
Chairwoman Sherrill. Thank you. Dr. Marshall? He's gone?
OK. And so we are now down to Mr. Waltz for 5 minutes.
Mr. Waltz. Thank you, Madam Chairwoman, and I want to thank
everyone for holding this important hearing. I have some
concern on the timing of it. I think this hearing is absolutely
necessary, and would have hoped we could work toward some
bipartisan solutions before the majority put the bill H.R. 2722
forward this week, that is looking to put $1.3 billion at this
issue.
Here nor there, I am working with Representative Stephanie
Murphy and putting together an alerts framework. We all know I
represent Florida, and we all know that two of Florida's
counties were breached as a result of a Russian spear phishing
campaign targeted at county election officials. None of the
congressional delegation, nor the State officials, were
notified by the FBI or DHS as a result of that intrusion in
2016. The bill that we are working would seek to correct that
problem. Not only should officials be notified, but Floridians,
and the voters, should be notified, in the guise of maintaining
confidence in our electoral system.
So part of the issue was that the Russians targeted
employees of a Florida-based manufacturer of voter registration
software, VR Systems. VR Systems has confirmed to the media
that they were the company that was penetrated. They have
responded to a letter from Senator Wyden that they did not
click on an attachment in the e-mail, however, we do know that
VR Systems used remote access software on election management
systems it sold to the counties leading up to that 2016
election. We don't know if the systems were hacked as a result
of the remote access software, and DHS is conducting forensic
analysis, I promise you I'm getting to my questions.
Look, at the end of the day, the company responded that
they had been following the NIST cybersecurity framework that
we've talked about prior to 2016, and they continue to do so
today, so this gets to my question, Dr. Romine. Under HAVA,
NIST is directed to develop the VVSG, all right, we know that.
The law defines voting systems for the purposes of mandating
NIST to create standards for testing and certifying voting
systems. Not included in the definition of voting systems,
which I know we've gotten to somewhat today, but I want to
really spend time on this point, not including the definition
of voting systems are voter registration panels and voter
registration databases. And, because of this, there have been
questions whether this vendor in particular, but I think it's a
broader question, whether this vendor, VR Systems, implemented
NIST framework, because, again, there's issues now with the
definition.
So although NIST guidelines are voluntary, and you're not a
regulatory agency, which I think is correct, regardless of
whether the standards meet the definition of voting systems
under law. So question one, how would authorizing voter
registration portals and databases under the Help America Vote
Act, under HAVA, improve NIST's ability to provide innovative
standards with respect to registration technologies?
Dr. Romine. Thank you, Mr. Congressman. The guidelines that
we currently provide under HAVA, the scope of those guidelines
is controlled largely by the EAC, who makes the determination
of what is in scope, or it's their interpretation of HAVA. The
role that we play in cybersecurity broadly allows us the
opportunity to provide things like the cybersecurity framework
and other guidance on more traditional IT type systems, such as
those that generally are used for voter registration databases,
and e-poll books, and so on. So we already have guidelines in
place that might be applicable. The change there would be that
those guidelines would be incorporated into the EAC database,
for example, for VVSG guidelines, and that would be perceived
as more directly relevant to election officials.
Mr. Waltz. I am out of time, but could you submit for the
record how doing so, and how changing those guidelines, would
incentivize companies and vendors, for example VR Systems, and
other registration software companies to follow NIST
guidelines, and implement the framework?
Dr. Romine. I'll be happy to respond.
Mr. Waltz. Thank you. I yield my time.
Chairwoman Sherrill. Thank you. And next the Chair
recognizes Ms. Horn for 5 minutes.
Ms. Horn. Thank you, Madam Chair, and thank you for
allowing me to join this Subcommittee on such an important
issue today. I--we have covered a lot of ground today, and in--
this is such a critical topic. I want to tackle a couple of
questions for I think most of the panel, just in a slightly
different direction. It seems to me--I've heard both Dr. Romine
and Mr. Ziriax say very clearly and explicitly that we have to
work to balance being--the accessibility and convenience, and
making sure that people can show up and cast a ballot, and not
making it so hard to cast a ballot that we disincentivize
participation in the system, with a reliable and secure system.
I absolutely agree, and this is a challenge to balance.
And, Dr. Sweeney, in your presentation, in your testimony,
we're looking at two sides of this coin. We're looking at the
voting system, and the ability to verify votes, and the
security, but also the database, and so we've got two different
pieces to this, as I see it. So I want to start with the
verify--the piece of--the verification, and how we can put
parameters around that to continue to ensure the confidence and
the auditability of our voting systems.
I noted, Mr. Ziriax, in your testimony, in your
presentation, that Oklahoma, and I think Chairwoman Stevens
mentioned this as well, has three, as I see them, fundamental
baseline principles that help the ability to verify and audit
votes, paper ballots, a Statewide system that is uniform, and
owned by the State, which helps allay differences between the
different counties, and the fact that the systems in Oklahoma
aren't connected to an Internet source, which is another
challenge. So my question--and we've talked about how we set
these standards, the VVSG 2.0, VVSG, that--it seems that we
have States that aren't even getting up to the baseline. So I--
Mr. Kelley and Mr. Ziriax, I'd like to hear your opinions about
the need to set baseline standards that all States have to
comply with, of course assuming we're going to help provide the
funding at the Federal level to help with that.
Mr. Ziriax. Thank you, Ms. Horn, and I think there's, you
know, there's a fine line between, say providing the
guidelines, and allowing the States to determine how best to do
that. And some things--I mean, just to give an example, and,
again, these are similar things that I've discussed with--about
other election bills, but the bill that's been discussed
earlier today, the SAFE Act (Securing America's Federal
Elections), includes a mandate that new voting systems have to
accommodate ranked choice voting, for example, and that's in an
election security bill.
Me personally, you know, I view that as a decision that our
State should make, whether we want to move toward that. But if
Congress is going to provide money, and wants to say, if you
want our grants, then you need to at least demonstrate that
you're going to attempt to follow the voluntary guidelines,
that's certainly Congress' prerogative.
Mr. Kelley. And I would concur with that. I would just also
add that--for the--for an example in California, there is an
enhanced requirement in California for certification, so it
just does not rely on the Federal standards, it goes above and
beyond that. And I think I would agree also that the States
should, in many cases, make those decisions, personal opinion.
Ms. Horn. Thank you. Now turning to the next piece of this
is--that we--we're going to have to face, Dr. Sweeney, you
referenced all of the ways that individuals could perhaps get
into different systems without necessarily verifying their
identity. So, knowing that there are a range of challenges that
we may not even know, and, Dr. Romine, you've spoken to some of
these as well, do you see any other pathways, or potential
solutions, for example biometrics, or anything like that, that
would help, moving forward, to protect these systems?
Dr. Sweeney. I think the most immediate answer is probably
just to follow the best practices of things like using driver's
license, but it is a--with additional information off the
driver's license, and using a modern capture device. But it is
a bit of a moving target, because that's not wholly
satisfactory. That--it requires a bigger question about how we
authenticate. The problem, though, is it's--the questions that
you pose generally around what NIST has proposed and so forth,
and it was brought up that a lot of what they talked about
happened years before they started saying it. I'm like that,
but now years before.
And, you know, so there's a--so we have a cycle mismatch as
well. So I think, if we're going to do the cycle, if we could
move faster to, like, implement something like, OK, what's the
best practice right now, to nail that down, like the driver's
license, then we have a better shot at not being victimized by
it, and having to come back in a few years, and say, well, how
many States have improved what they asked for?
Ms. Horn. Thank you very much. So we both have to address
the challenges now, and look forward--thank you all for your
testimony. I yield back, Madam Chair.
Chairwoman Sherrill. Thank you. And now I would like to
recognize Mr. Sherman for 5 minutes.
Mr. Sherman. I want to agree with Mr. Ziriax that the
Federal Government has no business pushing rank choice voting,
or rank order voting. Those who propose it most are those who
most want to undermine the two party system. There are
arguments for and against having two major parties in this
country, but that's not something that the Federal Government
should be pushing on the States.
My first question is for whichever panelist answers it
first. What number of States currently require the use of paper
ballots and an auditable paper ballot trail? Do we know how
many States do that? I thought there'd be a jump in to be the
first to answer.
Mr. Ziriax. Oklahoma does.
Mr. Sherman. And I guess the other States don't matter. Do
we have--if we don't have that, then I'll ask whichever witness
raises their hand first to agree to answer that for the record.
Dr. Sweeney. I----
Mr. Sherman. Do we have any hard working----
Dr. Sherrill. I do believe----
Mr. Sherman [continuing]. Witnesses?
Dr. Sherrill [continuing]. Five do not. I know----
Mr. Sherman. Five do not?
Dr. Sherrill [continuing]. I know New Jersey does not.
Mr. Sherman. Got you. Hopefully it's only five that do not.
For States which conduct testing and certification of voting
machines, how do the State standards compare with the standards
promulgated by the U.S. Election Assistance Commission? Yes?
Mr. Ziriax. I can--as Oklahoma's chief election official, I
can only talk about our State. I know with our current system,
which was implemented in 2012, although our State law does not
require that we follow those guidelines, the guidelines that I
set at the time, when we were reviewing that system, and
requiring testing for it, we did require testing to ensure
compliance with many of the VVSG 1.0 requirements.
Mr. Sherman. Anyone else have a comment?
Mr. Kelley. Yes, sir, just very quickly, in California it's
very similar, VVSG 1.1, but I will say one of the key
differences is that California requires volume testing of all
the systems, where those are not in the current standards.
Mr. Sherman. Should they be added to the national
standards?
Mr. Kelley. Sir, if I could defer that question?
Mr. Sherman. OK. Increasingly a number of States, including
my own, has moved to vote by mail. My State has authorized
ballot harvesting. I'm told that the proponents of it would
prefer I call it by a different name. What technologies do we
need to prevent either false registrations, followed by false
vote by mail voting, where--knowing that people who--people are
not looking to cheat by adding one vote. I know every vote
matters, and we--but those who want to steal votes want to do
it by the--at least by the hundreds. What do we do, first, to
prevent false registrations, followed by false voting, all done
by mail? Is there any system that is designed to combat that?
Dr. Sweeney. I wouldn't say that it's--I'm not answering
exactly on----
Mr. Sherman. Right.
Dr. Sweeney [continuing]. Point to you. It's not so much
that it's designed to combat it, it's just that it's totally a
different vector than has been really talked about in computer
security, because I'd use the change of address, but it--what
we also talk about, it could be absentee ballots. I--
disenfranchise a person who then would go to the voting place,
who would get a provisional ballot, and that ballot won't
count, or in the case of a State where it's vote by mail.
Mr. Sherman. If I can squeeze in one question? In my State
they compare the signature on the outside of the envelope to
the signature on the voter registration card.
Dr. Sweeney. Right, but the clarification here is not----
Mr. Sherman. I've got to squeeze in one more question, I'm
sorry. Mr. Kelley, or anyone else, is that process useful at
all? Do the people who do that have any expertise in comparing
signatures, and do signatures change over time? My voter
registration form was filled out long, long ago.
Mr. Kelley. Yes, sir. I'm glad you asked the question,
because absolutely they do, and you see that, especially with
historical signatures that we have on file. 20 years, 30 years,
you see a big difference. I will add that----
Mr. Sherman. So what percentage of the ballots in our State
is--are put aside or provisional because there's some question
as to whether the signature is legitimate?
Mr. Kelley. One plus million ballots cast in Orange County
by mail, we had about 5,000 that were set aside specifically
for signature issues. Now, I will----
Mr. Sherman. How many of those were ultimately counted, how
many of those were not ultimately----
Mr. Kelley. The majority were ultimately counted.
California changed its law last year to allow us to reach out
to the voter to attempt to cure that.
Mr. Sherman. And so you had to reach out in 5,000
circumstances and say, hey, is this really your signature.
Mr. Kelley. Yes, sir, we did.
Mr. Sherman. Wow. I believe my time has expired.
Chairwoman Sherrill. Well, thank you, and now the Chair
recognizes Mr. Casten for 5 minutes.
Mr. Casten. Thank you, Chairwoman Sherrill. Thank you to
the panel. The--one of my favorite things about this Committee
is we consistently get such fascinating nerds before us, and
you guys are all awesome. Just--learned so much today on a
really important topic. And fortunately, the nerds are not just
limited to the panel. The--I want to thank--there's a few of us
up here, but I want to thank our young visitor, Bianca Lewis,
for being here. Really, really appreciate what you've done.
And I want to talk a little bit about, if I understand what
you did at DEFCON--my understanding, if I've got it right, is
the method that the participants in your exhibit used to hack
into the Secretary of State website was called a SQL
injection? And--I got it right? The--this is--the single
strategy that these kids at DEFCON demonstrated is also what is
described in Robert Mueller's report that the Russians did.
Page 50, Volume 1, of the report says the following, GRU
officers--Bianca, GRU is the Russian agents--targeted State and
local databases of registered voters using a technique known as
SQL injection, by which malicious code was sent to the State
or local website in order to run commands, such as exfiltrating
the database contents. In one instance, the GRU compromised the
computer network of the Illinois State Board of Elections, my
State, by exploiting a vulnerability in the State Board of
Elections website. The GRU then gained access to a database
containing information on millions of registered Illinois
voters, and extracted data relating to thousands of U.S. voters
before the malicious activity was identified. This is real-time
stuff. But what it seems to be saying is that the Russians used
a real SQL injection to crack open the real State website,
same strategy that Bianca demonstrated on the models at DEFCON,
and then the Russian worm kept going all the way through to the
voter registration database.
Now, Illinois has done great work in responding to this. I
hope we have done enough. We seemed to be OK in the last
election, but this is really scary stuff. And--so what I'm--
first I'd like to ask unanimous consent to add pages 50 and 51
of Volume 1 of the Mueller Report, which describes this
episode, to the hearing record.
Chairwoman Sherrill. Without objection.
Mr. Casten. And then, notwithstanding how I started this, I
want to start with Dr. Benaloh. Could you explain to us, so
that us smaller-brained people up here can understand, how does
a SQL injection work, exactly?
Dr. Benaloh. You're getting a little bit away from my
expertise, but the basic idea is that the--in a web query of
some--of any sort, additional information can be added to
what's--what would otherwise be interpreted as an innocuous web
request that is not of the form that's expected by the web
server that is handling this request. And if there aren't
adequate measures in place, that web server may interpret that
additional information as code to be executed, and to
potentially do harm, or provide services that are not intended
by the----
Mr. Casten. Essentially modifying an existing SQL
database?
Dr. Benaloh. Yes. It----
Mr. Casten. Dr. Sweeney, I see you nodding your head. Is
there anything you want to add to that? Did I get it about
right?
Dr. Sweeney. No. I mean, that's about right. The idea is I
just simply can add commands within a command so that it'll, in
fact, do multiple things that never--you never intended me to
do. You provided access, say, to list some voters, or to check
one voter, and I just end up deleting 1,000, or downloading a
million, or something like that.
Mr. Casten. So, for all of you, is this an--is this a
technique we should expect to be seeing again, and be watching
for? I see a lot of head nodding will be entered into the
record. Dr. Romine, does NIST's work in VVSG address the need
to firewall State websites, particularly under the voter
registration databases, that we can protect against this in
some fashion?
Dr. Romine. I actually don't know the answer to that, but
I'm happy to respond to that. I suspect that it does, but I
can't confirm that. I'll have to go back and check.
Mr. Casten. That would be very helpful to find out.
Dr. Romine. Happy to do that.
Mr. Casten. Thank you all, and I yield back the balance of
my time.
Chairwoman Sherrill. Thank you, and now the Chair
recognizes Mr. McAdams for 5 minutes.
Mr. McAdams. Thank you, Madam Chair. I think this timely
hearing is important for our Congress to review the current
efforts, and the plan--and to plan our future work to develop--
or to protect our elections from malign actors. So this work
will require, I think, strong collaboration from local, State,
and Federal partners to ensure the integrity of our elections,
and that all Americans can participate in our democracy. In my
previous role, I was one of those local officials. And, while I
wasn't a county clerk, per se, was familiar with the incredible
work that they do to protect the integrity and security of our
elections, and sometimes under very difficult circumstances,
but I applaud, and am grateful for those elected officials
across the country who work with the greatest effort to protect
our elections.
And I'm also proud that my home State of Utah has been
leading the way in upgrading our election infrastructure and
policies, and also cybersecurity practices. Our county clerks,
in 2018, led the substantial upgrade--a substantial effort to
upgrade voting machines, and also to take other security
measures in advance of the 2018 midterms, while also promoting
more options for Utahans to vote, including adopting things
like widespread vote by mail, and same day registration. Utah
is one of 17 States that offer same day registration, and I
believe policymakers should support any strategy that makes it
easier for Americans to add their voice to our democracy, so
long as our election practices maintain the high standards of
security and integrity.
So I'd like to discuss the implications for same day
automatic, or any mode of registration on our election system
security. So to anyone on the panel who'd like to respond, how
can same day registration help to mitigate the effects of a
cyber attack on voter registration data close to the election?
Are there any concerns we should be worried about with that?
Dr. Sweeney. I would say the same day registration could
definitely be a way of resolving the threat that I described.
And the reason being that if somebody--if a malicious actor had
come in and intended to disenfranchise a large percentage of
those voters, but those voters still show up at their polling
place, and could register right there, the attack would be
thwarted.
Mr. McAdams. Yes.
Mr. Ziriax. And if I may add, in Oklahoma, my State, we do
not have same day voter registration, we have a 24-day
deadline. I don't anticipate anywhere in the near future that
that is going to happen, but we extensively use the provisional
ballot process in Oklahoma, so then, in the event you did have
a situation where perhaps large numbers of voters were not
appearing on registries, we would have a backup means, and then
be able to go back and confirm later that those people actually
were eligible to vote.
Mr. Kelley. Similar comments in--from California, and I
would say that the same day registration growth in California
is growing, but it is small. It's still a small number compared
to the overall database. So I think we need to be careful and
just say that's the solution. We should be looking at the
database as a whole, and finding ways to detect anomalies in
that database itself.
Mr. McAdams. So I guess my second question relates to
automatic voter registration, and how can that operate in a
secure election system. And ultimately is--are election
security and automatic voter registration, are they in
competition, or they--are they in symbiosis?
Mr. Kelley. I don't think they're in competition. It's
certainly a different dynamic when you go into DMV, for
instance, in California, and it's automated registration that
you could opt out of, where same day registration is you're
affirmatively going to a polling place, or vote center, to
register to vote. So I don't think they're in competition with
each other.
Dr. Sweeney. From a security standpoint, it definitely
would change--if I wanted to disenfranchise voters, because--in
those States, where provisional ballots don't fully count, then
I would just want to attack the database. So it would remove
the--automated registration might remove on one layer--but
remember the attack that I talked about was changing an
existing----
Mr. McAdams. Um-hum.
Dr. Sweeney [continuing]. Registration, so it would still
allow that.
Mr. Ziriax. And if I may, I want to briefly add that, you
know, some of the concerns Dr. Sweeney and others have
expressed about the vulnerabilities for online voter
registration, if you're talking about whether you have the
ability to confirm a person's identity, or whether someone
could use a stolen identity to register to vote falsely, that
could happen with paper ballots now.
Dr. Sweeney. Let me make just one quick correction, since I
was called. I----
Mr. McAdams. Yes.
Dr. Sweeney [continuing]. These are not voter registration
systems. I'm not talking about voter--it just happens that
sometimes changing the voter record is on the same system as
the voter registration website, but sometimes it's on the DMV
site. I'm only talking about registrations that already exist.
Mr. McAdams. And these are policies that would protect our
elections. So I see our time has expired, and, Madam Chair, I
yield back.
Chairwoman Sherrill. Well, thank you very much. And thank
you so much to all of the panelists today. I think all of us
think this is such a critical issue moving forward. Thank you
to Bianca. You are not only a STEAM wizard, you are a trooper
to sit through our hearing today, so I appreciate everyone here
today. Thank you very much, and hopefully we will be talking
again. Maybe we can get you in, Dr. Romine, for your 21st
appearance. So thank you all very much. Thank you.
[Whereupon, at 4:58 p.m., the Subcommittees were
adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Responses by Dr. Charles H. Romine
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Neal Kelley
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Dr. Josh Benaloh
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
Documents submitted by Rep. Mikie Sherrill
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Document submitted by Rep. Sean Casten
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]