[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
SECURING AMERICA'S ELECTIONS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
FRIDAY, SEPTEMBER 27, 2019
__________
Serial No. 116-56
__________
Printed for the use of the Committee on the Judiciary
Available via: http://judiciary.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
45-285 WASHINGTON : 2021
-----------------------------------------------------------------------------------
COMMITTEE ON THE JUDICIARY
JERROLD NADLER, New York, Chair
MARY GAY SCANLON, Pennsylvania, Vice-Chair
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
THEODORE E. DEUTCH, Florida
KAREN BASS, California
CEDRIC L. RICHMOND, Louisiana
HAKEEM S. JEFFRIES, New York
DAVID N. CICILLINE, Rhode Island
ERIC SWALWELL, California
TED LIEU, California
JAMIE RASKIN, Maryland
PRAMILA JAYAPAL, Washington
VAL BUTLER DEMINGS, Florida
J. LUIS CORREA, California
SYLVIA R. GARCIA, Texas
JOE NEGUSE, Colorado
LUCY MCBATH, Georgia
GREG STANTON, Arizona
MADELEINE DEAN, Pennsylvania
DEBBIE MUCARSEL-POWELL, Florida
VERONICA ESCOBAR, Texas

DOUG COLLINS, Georgia, Ranking Member
F. JAMES SENSENBRENNER, Jr., Wisconsin
STEVE CHABOT, Ohio
LOUIE GOHMERT, Texas
JIM JORDAN, Ohio
KEN BUCK, Colorado
JOHN RATCLIFFE, Texas
MARTHA ROBY, Alabama
MATT GAETZ, Florida
MIKE JOHNSON, Louisiana
ANDY BIGGS, Arizona
TOM MCCLINTOCK, California
DEBBIE LESKO, Arizona
GUY RESCHENTHALER, Pennsylvania
BEN CLINE, Virginia
KELLY ARMSTRONG, North Dakota
W. GREGORY STEUBE, Florida
PERRY APELBAUM, Majority Staff Director & Chief Counsel
BRENDAN BELAIR, Minority Staff Director
C O N T E N T S
----------
Friday, September 27, 2019
OPENING STATEMENTS
The Honorable Jerrold Nadler, Chairman, Committee on the
Judiciary
WITNESS
Debora Plunkett, Senior Fellow, Defending Digital Democracy
Project, Harvard Kennedy School, Belfer Center for Science and
International Affairs
Oral Testimony
Written Testimony
Kathryn Boockvar, Acting Secretary of the Commonwealth,
Pennsylvania Department of State
Oral Testimony
Written Testimony
Tom Burt, Corporate Vice President, Customer Security & Trust,
Microsoft Corporation
Oral Testimony
Written Testimony
LETTERS, STATEMENTS, ETC. SUBMITTED FOR THE HEARING
H.R. 2353, To amend the Federal Election Campaign Act of 1971 to
require candidates for election for public office to refuse
offers of assistance from foreign powers and to report such
offers to the Federal Bureau of Investigation, and for other
purposes, submitted by The Honorable Sheila Jackson Lee
H.R. 3529, To require the Secretary of Homeland Security to
promptly notify appropriate State and local officials and
Members of Congress if Federal officials have credible evidence
of an unauthorized intrusion into an election system and a
basis to believe that such intrusion could have resulted in
voter information being altered or otherwise affected, to
require State and local officials to notify potentially
affected individuals of such intrusion, and for other purposes,
submitted by The Honorable Matt Gaetz
APPENDIX
A statement for the record from the Brennan Center for Justice at
NYU School of Law submitted by the Honorable Chairman Jerrold
Nadler
SECURING AMERICA'S ELECTIONS
----------
Friday, September 27, 2019
House of Representatives
Committee on the Judiciary
Washington, DC
The Committee met, pursuant to call, at 9:05 a.m., in Room
2141, Rayburn House Office Building, Hon. Jerrold Nadler
[chairman of the committee] presiding.
Present: Representatives Nadler, Lofgren, Jackson Lee,
Cohen, Johnson of Georgia, Deutch, Cicilline, Lieu, Raskin,
Jayapal, Demings, Correa, Scanlon, Garcia, Neguse, Stanton,
Dean, Mucarsel-Powell, Chabot, Gohmert, Jordan, Buck, Gaetz,
Johnson of Louisiana, Reschenthaler, Cline, Armstrong, and
Steube.
Staff Present: Aaron Hiller, Deputy Chief Counsel; Arya
Hariharan, Deputy Chief Oversight Counsel; Madeline Strasser,
Chief Clerk; Moh Sharma, Member Services and Outreach Advisor;
Sarah Istel, Oversight Counsel; Julian Gerson, Staff Assistant;
Priyanka Mara, Professional Staff Member/Legislative Aide; Matt
Robinson, Counsel, Subcommittee on Courts, Intellectual
Property, and the Internet; Brendan Belair, Minority Staff
Director; Bobby Parmiter, Minority Deputy Staff Director/Chief
Counsel; Jon Ferro, Minority Parliamentarian; Ryan Breitenbach,
Minority Chief Counsel, National Security; and Erica Barker,
Minority Chief Legislative Clerk.
Chairman Nadler. The House Committee on the Judiciary will
come to order.
Without objection, the chair is authorized to declare
recesses of the Committee at any time.
We welcome everyone to this morning's hearing on ``Securing
America's Elections.''
I will now recognize myself for an opening statement.
Yesterday, the Director of National Intelligence testified
that, ``the greatest challenge we have as a Nation is making
sure to maintain the integrity of our election system.'' I
agree. Our democracy was founded on a government elected by the
people, for the people in free and fair elections.
Today, our elections, the very core of our democracy, are
under attack. Special Counsel Mueller's report, in no uncertain
terms, details how a foreign government attacked our 2016
elections. The Russian objectives were clear: Deepen distrust
and discord in our society, secure the election of one
candidate for President over the other, and, in so doing,
undermine confidence in the integrity of our elections and
damage our Nation's standing in the world.
There is no evidence that Russia affected the actual vote
count of our elections, but Russia did successfully steal
thousands of documents from American citizens that it used to
influence public opinion. It also accessed voter data and
gained other valuable intelligence, which it may seek to
exploit in the future.
In short, as Special Counsel Mueller emphasized in his
recent press conference, Russia's attack, ``deserves the
attention of every American.''
Russia's attack was not an isolated accident, nor is Russia
the only foreign power attempting to influence our elections.
We live in a world with agile, persistent enemies who are
constantly evolving their methods of attack. As FBI Director
Christopher Wray warned, ``Make no mistake: The threat just
keeps escalating. And we're going to have to up our game to
stay ahead of it.''
Despite concrete evidence confirmed by the heads of our
intelligence agencies, President Trump has refused to
acknowledge Russia's attack, let alone publicly denounce it, or
outline clearly how he intends to deter future interventions.
To the contrary, the President has openly declared that he sees
no problem with foreign influence in our elections.
More troubling, there have been reports from multiple
senior White House officials, including the former Secretary of
Homeland Security, the organization tasked with leading our
election security efforts, that the White House failed to
adequately inform Americans about continuing influence efforts
and, instead, directly stymied attempts to investigate or even
discuss the attacks on our elections.
More troubling still, we now have evidence that the
President of the United States asked a foreign leader to
interfere in our next election. The President is not only
refusing to defend our elections against foreign attacks but is
actively soliciting such intervention.
That is unacceptable, and it puts our Nation at great risk.
We must not let foreign attacks go unpunished or undeterred,
and we must make the investments necessary to withstand any
future attacks.
The Judiciary Committee is tasked with the duty of
protecting the right to vote for every American. That includes
not just equal voting rights and access to the polls but also
confidence in the accuracy and security of our election
systems. We will protect that sacred right. We will not let
anyone, not even the President, attempt to undermine the
integrity of our democracy.
Today's hearing will help carry out that duty to ensure
that we understand the extent of the scope and the threat to
our 2020 elections and to identify appropriate steps for
deterring, detecting, and defending against those threats. I am
pleased that the last week the Senate finally approved a
bipartisan spending bill to safeguard voting systems, but much
more needs to be done.
U.S. elections are not built of isolated parts. The
existing infrastructure is a vast ecosystem that includes voter
registration, vote-casting, vote tabulation, election-night
reporting, and auditing systems. Each of those components is
vulnerable to attack. As with any ecosystem, if any one
component part fails, if there is a flaw in one piece of the
technology, it can jeopardize the entire process.
As former Secretary of Homeland Security Jeh Johnson
explained, the integrity of our election outcomes on a national
level dances on the head of a pin. Securing our election
system, therefore, requires securing each of its component
parts.
This begins with ensuring that we can verify all votes
through post-election audits to certify that each vote is
accurately counted, which will help maintain trust and
transparency in the election process.
We must also secure our voter registration databases,
voting machines, and voting systems. A report published this
spring found that in at least 40 States voter registration
databases and machines were instituted more than a decade ago.
Outdated systems are difficult to maintain and are subject to
serious flaws and vulnerabilities and are more vulnerable to
attacks from the outside.
Our adversaries are agile and technologically advanced. We
must be too. We must provide States with the resources needed
to secure their systems and update their critical
infrastructure.
In addition, nearly all States and territories rely on
outside vendors in some capacity, but of those States and
territories, roughly 92 percent rely on just three vendors.
These vendors must be regulated to ensure that all of their
products meet minimum election security requirements.
Finally, State and local officials responsible for
administering elections, our democracy's frontline defenders,
must have the resources and cybersecurity training necessary to
protect our voting systems. We must also develop better tools
to share cybersecurity and threat information among State and
local officials and the Federal Government.
In 2016, according to the intelligence community, State
election officials were not sufficiently warned or prepared to
handle an attack from a hostile nation-state actor. We must
ensure that each component piece of our election system is
sufficiently integrated, equipped, and ready to handle any
attack, from any actor, going into 2020 and beyond.
In short, the challenges facing our elections are serious,
evolving, and multipronged. There are no easy answers. I know
that Ranking Member Collins agrees with me that the threat to
our elections is a threat to the American republic.
I thank Mr. Collins for his attention to this issue, and I
am pleased to say that our staff jointly selected the witnesses
here today. These witnesses will help us understand further the
extent and the scope of the threats we face and the
vulnerabilities in our systems that must be patched. Their
testimony will help guide this committee's efforts to ensure
the integrity of our elections, and I thank them for appearing
today.
I am confident that, working together, we can address the
imminent threat to our elections and protect our voting systems
going forward. Our democracy depends on it.
The Ranking Member has been detained, and I will recognize
him for his opening statement after he arrives.
Without objection, all other opening statements will be
included in the record.
Chairman Nadler. I will now introduce today's witnesses.
Debora Plunkett is a senior fellow for the Defending
Digital Democracy Project at the Harvard Kennedy School, Belfer
Center for Science and International Affairs, and an adjunct
professor of cybersecurity at the University of Maryland
Graduate School.
Ms. Plunkett previously served as Deputy Director and then
Director of the National Security Agency's Information
Assurance Directorate. She also served as a director on the
National Security Council under both President Clinton and
President George W. Bush.
Ms. Plunkett received a Bachelor of Science degree from
Towson University, an MBA from Johns Hopkins University, and a
Master of Science in national security strategy from the
National War College.
Kathy Boockvar is the acting secretary of the Commonwealth
of Pennsylvania. She also serves as the Elections Committee co-
chair for the National Association of Secretaries of State and
as the association's representative on the Election
Infrastructure Subsector Government Coordinating Council. That
is a nice title.
Previously, Ms. Boockvar served as senior advisor to the
Governor of Pennsylvania on election modernization, as
executive director of Lifecycle WomanCare, and as chief counsel
for the Pennsylvania auditor general. Ms. Boockvar also worked
for many years as a poll worker and voting rights attorney.
Ms. Boockvar received a Bachelor of Arts degree from the
University of Pennsylvania and a J.D. from American University
Washington College of Law.
Mr. Raskin. Will the gentleman yield?
Chairman Nadler. I yield to the gentleman.
Mr. Raskin. She was my student.
I yield back.
Chairman Nadler. I will assume she learned well.
Tom Burt is the corporate vice president of the Customer
Security and Trust Team at Microsoft Corporation, where he
works to formulate and to advocate Microsoft's cybersecurity
policy globally, including advancing the Digital Geneva
Convention, the Tech Accord, and the Defending Democracy
Project.
Mr. Burt joined Microsoft in 1995 and has since held
several leadership roles in the Corporate, External, and Legal
Affairs Department, including leading the company's litigation
group from 1996 to 2007 and, more recently, leading their
Digital Trust team.
Prior to joining Microsoft, Mr. Burt was a litigation
partner at Riddell Williams, a law firm in Seattle, where he
worked on voting rights cases.
Mr. Burt received a Bachelor of Arts degree from Stanford
University and a J.D. from the University of Washington Law
School, where he graduated magna cum laude.
We welcome all our distinguished witnesses, and we thank
them for participating in today's hearing.
Now, if you would please rise, I will begin by swearing you
in. Raise your right hands, please.
Do you swear or affirm under penalty of perjury that the
testimony you're about to give is true and correct to the best
of your knowledge, information, and belief, so help you God?
Thank you.
Let the record show the witnesses answered in the
affirmative.
Thank you, and please be seated.
Please note that each of your written statements will be
entered into the record in its entirety. Accordingly, I ask
that you summarize your testimony in 5 minutes. To help you
stay within that time, there is a timing light on your table.
When the light switches from green to yellow, you have 1 minute
to conclude your testimony. When the light turns red, it
signals your 5 minutes have expired.
Ms. Plunkett, you may begin.
TESTIMONY OF DEBORA PLUNKETT
Ms. Plunkett. Chairman Nadler, Ranking Member Collins, and
distinguished Members of the committee, thank you for the
opportunity to testify before you today.
My testimony focuses on potential security vulnerabilities
of our election systems and recommendations to better protect
our democratic processes and systems from cyber attacks.
We must take bold, decisive, and expeditious steps to
address cyber threats and then assume our efforts are
insufficient given the rise of attackers' capabilities. All
known threats must be addressed in order to better ensure
secure and trusted elections.
Bad actors, whether nation-states or lone criminals, focus
on gaining unauthorized access to systems that provide the best
opportunity to achieve their goals, including influence,
destruction, profit, espionage, coercion, or just fun and fame.
Attackers can make their attempts from across an ocean or from
down the street.
We must treat election security as imperative for
safeguarding our democracy. Intelligence leaders warn of
ongoing and escalating interference attempts by multiple
foreign actors who view our 2020 elections as an opportunity to
advance their interests at the expense of American democracy.
In the United States, elections are complex and
decentralized. The United States has over 10,000 election
jurisdictions. These jurisdictions vary by technology and
processes. Recognizing the variety of election jurisdictions is
central to developing and implementing strategies to improve
election infrastructure security.
While elections operations can vary significantly across
jurisdictions, there are fundamental similarities in some
infrastructures. Many election systems are built using general-
purpose technology and commercial off-the-shelf software. While
this means they are often subject to attacks popular in other
sectors, it also means experts have identified some best
practices to mitigate many of the risks. The key is to make
sure these solutions are kept up to date.
At Harvard, the Belfer Center's Defending Digital Democracy
Project produced a State and local elections security playbook
which identifies 10 best practices that apply to all elections'
jurisdictions, which I'll briefly summarize today.
The first is to create a proactive security culture. Most
cyber compromises start with human error. A strong security
culture makes a big difference as to the success of a malicious
actor.
The second is to treat elections as an interconnected
system. Any digital device that touches election processes must
be safeguarded. Device security management should be
centralized and streamlined.
The third is to require a paper vote record. It is
essential to have a voter-verified, auditable paper record to
allow votes to be cross-checked against electronic results. The
paper record must have a rigorous chain of custody.
The fourth is to use audits to show transparency and
maintain trust in the elections process. Auditing should be
embedded at points in the process where data, integrity, and
accuracy are critical.
The fifth is to implement strong passwords and two-factor
authentication. While strong passwords are important, two-
factor authentication is one of the best defenses against
account compromise.
Number six is to control and actively manage access, where
users should receive the minimum access required to perform
their jobs. When someone no longer needs access, it should be
revoked.
Number seven is to prioritize and isolate sensitive data
and systems so that you know which systems should be properly
protected.
Number eight is to monitor, log, and back up data, which
enables attack detection and system or data recovery after an
incident.
Number nine is to require vendors to make security a
priority. Detailed security specifications should be written
into acquisition documents, and vendors must be required to
notify officials immediately after becoming aware of a breach.
Finally, number 10 is to build public trust and prepare for
information operations. Transparency and open communications
will counter information operations that seek to cast doubt
over the integrity of the election system.
In conclusion, election systems are critical
infrastructure. To protect them, the Federal Government must
provide the requisite guidance and support by allocating
resources to upgrade election systems to the highest security
standards; ensuring information exchange between Federal,
State, and local entities is seamless; instituting security
standards that vendors must follow for election systems or
components; and encouraging a culture of security by keeping
the American public fully informed on malicious actors'
behaviors and intentions and the government's efforts to stop
them.
Thank you for the opportunity to participate in this
important dialogue today.
[The statement of Ms. Plunkett follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Nadler. Thank you.
Ms. Boockvar?
TESTIMONY OF KATHRYN BOOCKVAR
Ms. Boockvar. Chairman Nadler and esteemed Members of the
committee, thank you so much for your leadership on election
security.
As chief election official of Pennsylvania, I have the
privilege of working with dedicated election officials across
the Commonwealth, in all 67 counties, to make sure that all of
our elections are fair, accessible, and secure for all eligible
voters.
As has already been discussed, the issues surrounding
election administration have become more complex and
complicated because of security issues. As we know, foreign
adversaries are continuously trying to influence our elections.
The key to thwarting this effort is to make sure that we are
building our cyber walls faster than those that are trying to
tear them down.
Election security is a race without a finish line, and our
adversaries are not slowing down. We need to make sure that we
are meeting and exceeding those technologies and making sure
that we invest, at all levels, substantial and sustained
resources.
Alongside the great majority of States, we urge the Federal
Government to provide additional election security funding but
also infrastructure.
We need to look at this like we look at other ongoing
initiatives. So, we don't do once-and-done appropriations for
other types of security, for healthcare, for education. We look
at these as ongoing investments, and that's how we have to look
at our elections. Nothing is more important than the security
of our democracy.
There have been great advances over the last many years. As
discussed, the EIS-GCC, the Election Infrastructure Subsector
Government Coordinating Council--say that five times fast--has
been a great collaboration among Federal, State, and local
officials to secure elections. It's working to formalize and
improve information-sharing, communication protocols, to make
sure that our local and State election officials can respond
timely to threats.
The great thing about EIS-GCC is that it has a wide range
of Members. So, we've got 29 Members; 24 of them are local and
State election officials. But, it also includes critical
Federal partners like DHS, EAC, NASED, the Election Center, and
the International Association of Government Officials.
Other key partners in this fight are DHS, National Guard,
and Center for Internet Security, who have been incredibly
strong partners, making sure that we have risk and
vulnerability assessments, shared intelligence, tabletop
exercises, and extensive communications.
There's more that we could do. So, one of the things that
I'd love to see the Federal Government being more involved in
is vendor oversight, tracking foreign ownership, making sure
that we're getting background checks, making sure that there's
a good chain of custody across all voting and election
components.
We also need to strengthen lines of communication in both
directions from Federal, State, and local. For example, when
there are local incidents reported to our Federal partners, the
Federal partners need to make sure that the State election
officials know so that we could timely respond to those
incidents.
On the Pennsylvania landscape, we've had some great
successes over the last year and a half that I've been very
proud to be a part of. We've really had a very--we broke down
silos. We knew it was really important to have an integrated
approach to election security. It's been incredibly effective.
We have an interagency workgroup that involves IT
professionals, security, law enforcement, homeland security,
elections, and emergency preparedness. We meet regularly and
work together to make sure that we are working together as a
front to make sure we have the most secure and accessible
elections in Pennsylvania.
We've provided tabletop exercises, and we were the first
State in the country to accept DHS's offer of free
vulnerability assessments to States.
One of our big successes over the last year has been our
transition in Pennsylvania to voter-verified paper ballot
systems. I'm happy to say that, whereas a year ago we had 50
counties across Pennsylvania that had no paper trails, as of
this November there will be 52 counties that will have voter-
verifiable paper trails. So, a huge flip, great success. The
credits to the county election officials for all their work.
I'm also happy to say that we have a post-election audit
work-group, as discussed by Chairman. This is a critical piece
of our elections, is making sure that we're auditing and
instilling confidence in our voters about confirming the
results of the election.
The right to vote is a fundamental right, and every voter
must be provided equal access to polls and a deep-seated
confidence in the security and accuracy of their votes. Our
democracy and bolstering our confidence in that democracy is
worth every dollar.
Thank you very much.
[The statement of Ms. Boockvar follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Nadler. Thank you.
Mr. Burt?
TESTIMONY OF TOM BURT
Mr. Burt. Chairman Nadler, Ranking Member Collins, and
Members of the committee, thank you for the opportunity to
testify today on the important topic of how emerging technology
can contribute to the security of our elections.
My name is Tom Burt. I'm the corporate vice president for
customer security and trust at Microsoft. My team includes our
Defending Democracy Program, which works to protect democratic
elections from cyber-attack around the world.
We know that skilled and well-financed adversaries have and
certainly will continue to attack elections in the U.S. and in
other countries, all in the pursuit of their goal of
undermining citizen confidence in democracy.
Defending democracy and our elections are important to
Microsoft, so we spent the last year working on what we, as a
technology provider, can contribute to this effort. I'm pleased
to inform the Committee that this week we released a free,
open-source software development kit called ElectionGuard.
Simply put, ElectionGuard technology can enable the most
secure and trustworthy elections in the history of the United
States. How does it do this? When a vote is cast, it is
immediately encrypted so that it can't be seen or changed. The
voter then receives a tracking number, and when the election is
complete, the voter can go online and check to see, for the
first time in history, that their vote was in fact counted and
unchanged.
ElectionGuard, more than that, also enables anyone--voting
officials, the media, third-party watchdog organizations--to
build a verifier application that will let them confirm that
the tally is correct and unchanged. All of this can be done
without ever decrypting individual votes through the use of
homomorphic encryption, a well-established technology that can
count votes without ever decrypting the underlying data.
ElectionGuard is designed to work with many of the voting
systems in use today, including electronic ballot-marking
devices or hand-marked paper ballots read by optical scanners,
and we have on our roadmap making it work with other forms of
elections.
We have made this technology free and open to everyone.
Microsoft is not making any revenue from ElectionGuard. We've
been working closely with all the major U.S. election vendors,
encouraging them to build systems with ElectionGuard, and we're
excited to report that their response has been uniformly
enthusiastic.
There is a significant impediment to the rapid adoption of
this and other new voting technologies: The complex and
outdated Federal election machine certification process. This
process is more than a decade old, and it's too slow and too
burdensome to enable voting officials to respond as quickly as
needed to our agile adversaries. Unfortunately, this means that
new machines using ElectionGuard likely will not be certified
in time for use in the 2020 national election.
This certification process also hinders basic security
hygiene. Today, if a voting machine is updated with a minor
security patch from a trusted vendor, it will have to go
through a full recertification process. This creates a
significant disincentive for election officials and vendors to
deploy security patches, leaving our elections vulnerable.
We're pleased that the Election Assistance Commission is in
the process right now of revising these certification rules,
and we would ask all of you to encourage the Commission to
adopt soon new rules that enable rapid and agile deployment of
new security technology and basic security hygiene.
While we and others in the private sector can contribute
technological advances to secure the vote, there is, of course,
an important role for Congress. We agree with Ms. Plunkett's
written testimony regarding the urgent need for long-term,
sustainable funding. This is critically needed to enable
election officials to plan ahead, to purchase new equipment
rather than letting outdated systems remain active, and to
invest in cybersecurity training and staffing that we expect of
all critical infrastructure providers.
We live in a world with agile enemies who are persistent in
their efforts to interfere in our democratic process. Our
citizens deserve to be able to cast their vote with confidence
that it will be counted without manipulation.
We believe ElectionGuard is breakthrough technology that
can help achieve this goal. We remain committed to working with
government, civil society, and the technology sector to take
even more steps to ensure that every vote is counted and every
voter has confidence in our free and fair elections. The
stewardship of our democracy requires nothing less.
Thank you, and I look forward to your questions.
[The statement of Mr. Burt follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Nadler. Thank you.
I thank all the witnesses for their testimony.
We'll now proceed under the 5-minute rule with questions. I
will begin by recognizing myself for 5 minutes.
I'd like to focus initially on one component of our
election systems that I find particularly concerning: voter
registration databases.
The Mueller report concluded that in approximately June
2016 the Russian intelligence organization GRU ``compromised
the computer network of the Illinois State Board of Elections''
and ``gained access to a database containing information on
millions of registered Illinois voters,'' unquote.
Ms. Plunkett, in this case, the Russian hackers
successfully breached the databases, but they failed to alter
or to delete voting records. My question to you is, if Russian
hackers had changed voting records, including deleting voters
from the databases, can you describe the specific possible
impacts it could've had on the election?
Ms. Plunkett. If they--
Chairman Nadler. If they had altered the databases.
Ms. Plunkett. Well, it would've been devastating had they
altered the databases. ``Altering'' in this case could've been
changing records; it could've been deleting records, which
would have made it, in some cases, impossible for voters to
vote, to register to vote. Voters could've been turned away. It
could've inserted voters erroneously into the database that
could've provided an opportunity for those who shouldn't be
voting to vote. So, it would have been devastating had that
happened.
Chairman Nadler. So, thousands or tens of thousands of
voters might have turned up at the polls and been turned away
because--
Ms. Plunkett. That's correct.
Chairman Nadler. --there was no record of their
registration?
Ms. Plunkett. That's correct.
Chairman Nadler. Thousands of nonexistent voters might have
voted?
Ms. Plunkett. That's correct.
Chairman Nadler. Thank you.
Ms. Plunkett, the House-passed appropriations bill contains
$600 million in funding for States. It also includes
accountability measures and requires that funding cannot be
used to purchase non-qualified voting machines. The Senate's
version has only $250 million, with no accountability
restrictions.
Your written testimony emphasizes the need to replace
paperless machines and implement robust post-election audits
using paper ballots.
Now, we saw in 2000 how one county's failure to properly
maintain its chads or non-chads held up the entire country. One
county's dereliction could again conceivably hold up the entire
country's election, national election.
Now, I understand why some States or counties might not
want to spend the money necessary to update their election
machinery so they can't be hacked, but I was astounded to read
recently, a couple days ago in fact, that States are still
buying, spending large amounts of money, on voting machines
that are electronic, that do not have paper trails, that are
unauditable and vulnerable to hacking.
So, my question is, aside from the obvious necessity of
appropriating money to update our election machinery so that we
have hack-proof machines that cannot be tampered with from the
outside and that leave auditable trails, which means paper
trails, do you think that the Federal Government should mandate
this? Because, after all, the Federal elections are premised on
accurate counts in every State and county. Should we mandate as
well as providing the funds for modern election technology so
that we can be sure that no foreign actor is in fact hacking
it, in fact, phonying up our vote, and perhaps even doing so
and leaving no trail so that you knew it later?
Ms. Plunkett. So, woe is me to make a comment about Federal
and State roles and responsibilities, but here's what I'd say,
sir: It is incumbent upon every State to institute the
appropriate security measures and make sure that their
technology is their most robust available in order to protect
the democracy and their election and votes.
I believe that there's a role for the Federal Government in
this space that starts with requiring that vendors follow
certain security standards in the production and delivery and
maintenance of the equipment that these States are using. That
would thereby standardize, at least, the security of those
systems, everything from auditing and database management to,
on the back end, should something happen to the systems, being
able to report on that.
Chairman Nadler. So, obviously, if the Federal Government
mandated that only proper machines could be made, then new
purchases would only be of proper machines.
In the 5 seconds I've got left, do any of the other
witnesses want to comment on whether they think it necessary
for the Federal Government to mandate that existing machines be
replaced in time for the next election so that we can guarantee
an election un-dictated from Moscow or someplace else?
Mr. Burt. We think, as the Election Assistance Commission
is revising its standards for certification, there's an
opportunity there to inject standards for the security of
devices to be certified. I would caution, though, that we must
be careful not to specify specific technological solutions--
Chairman Nadler. Right.
Mr. Burt. --because our enemies move very quickly. We need
to be agile in response.
To have basic security guidelines that are part of that
certification process would be an advance in the current state
and would help us secure our elections.
Chairman Nadler. Thank you.
Ms. Boockvar, quickly, because my time has expired.
Ms. Boockvar. Chairman, I just want to say that I think
you've mentioned a lot of the areas that we need to invest. You
talked about voter registration systems. I think you talked
about sensors, intrusion-detection sensors, and all kinds of
other things.
So, what I'd like to see is that we define a continuum, a
number of different things that are critical priorities, but
allow the States, who know best what's the most critical need
in their State, to decide what the best use of those funds are.
Chairman Nadler. Thank you very much.
My time has expired.
The gentleman from Colorado.
Mr. Buck. Thank you, Mr. Chairman.
Mr. Burt, I'm interested in the ElectionGuard technology
that you were talking about earlier. One of the interests I
have is that the United States wasn't the only country that
Russia targeted in the last decade. It's clear that Russia
tried to impugn the integrity of the Brexit vote, the Scottish
independence vote. They've been involved in Spain with the
Catalonia independence movement.
Will Microsoft make ElectionGuard available to our allies,
foreign countries, or something similar, so that we can try to
make sure that democracies across the world have elections that
are considered by their people to have integrity?
Mr. Burt. Yes, that's absolutely our plan, Congressman. As
you may know, our AccountGuard service, which we offer for free
to help protect campaigns against being hacked, we've extended
that now to 26 countries around the world, and we intend to do
the same with ElectionGuard technology as well.
It is a free, open-source project, so any vendor in any
country is free to take that technology and build it into
election systems. We work to expand our protections to all
democracies committed to free and fair elections.
Mr. Buck. Okay.
Mr. Burt, one of the things I'm interested in is exactly--
you've used the word ``agile'' a number of times. I'm assuming
that there is a distinction between hardware and software when
you're talking about agility, and I'm wondering if you could
just explain that.
When the Chairman talks about, and rightfully, you know,
updating systems, I think we're in large part talking about
hardware. I want to make sure that we have hardware that's
compatible with whatever the software is that we need to be
agile with.
Mr. Burt. Yes, it's absolutely important that both hardware
and software be the most secure, current engineering. There's
work to do, frankly, on both sides of that. Most importantly,
for most of these systems, it's the ability to update software.
As I mentioned in my written testimony, we just announced
recently that we are going to provide free security updates to
Windows 7 election voting devices, because we discovered that
there are many of those devices still in operation around the
country even though that's decades-old technology. It reaches
its end of life this January for most customers, but because of
the importance of securing our vote, we are providing for free
those security updates through the end of 2020.
The challenge, though, is, as I mentioned earlier, with
current regulations, it's actually very difficult and
burdensome for local officials to even apply security patches
to their devices. So, we need to work on both the software and
hardware side of the equation to ensure that we can be agile in
adopting the best technology to defend against these attacks.
Mr. Buck. So, for old folks like me, we think that, if it's
not on paper, it's not secure and it's not believable. I just
want to open this up for the young folks on the panel here, if
you have an opinion on how we convince the American public.
Because that's really the audience, in this case, is making
sure the American public understands we're doing everything we
can to make elections credible.
How do we convince the American public that something that
we can't see, that exists out there somewhere, is just as good
as a paper ballot and being able to see something on paper?
Mr. Burt. If I could start off, and at least I'll claim to
be young at heart, Congressman. There are two really important
things we can do to help establish that trust.
One which you've heard about from others, which we
absolutely endorse at Microsoft, is the existence of a paper
backup, at least, that can be used in risk-limiting audits. In
fact, our ElectionGuard technology supports an advanced form of
risk-limiting audits, which enables voting officials to audit
the outcome after the vote and show that it wasn't tampered
with.
So that's one important thing, is the application of audits
and the maintenance of at least a paper backup so that you
always have that as a resource to go to.
Again, if we can get to a world where the ElectionGuard
technology is broadly adopted, that provides a whole new form
of voter trust, because now voters will be able to, for the
very first time, actually see that their vote got counted and
wasn't changed. Today--I'm from Washington State--I have no
idea whether the ballot I marked was ever actually counted or
not. With this technology, voters will know, which should help
establish voter trust.
Mr. Buck. Thank you.
Mr. Chairman, I don't often do this, but I wanted to thank
you for holding this hearing. I think this is beneficial. It
has very little to do with partisanship. It's important for
everybody on both sides of the aisle and all around the
country, to make sure we have this integrity. So, thank you
very much.
Chairman Nadler. Thank you.
The gentleman's time has expired.
The gentlelady from Texas.
Ms. Jackson Lee. Thank you, Mr. Chairman. Let me add my
appreciation for this very crucial hearing as well.
Thank you to all the witnesses.
Let me ask one question from each of you, with a ``yes'' or
``no'' answer. Do you think it is important for there to be
governmental involvement in a regulatory structure, in review
of the technologies, as we move toward the upcoming elections,
as quickly as possible?
Ms. Plunkett?
Ms. Plunkett. Yes.
Ms. Jackson Lee. Secretary Brockner?
Ms. Boockvar. Boockvar. Yes.
Ms. Jackson Lee. Mr. Burt?
Mr. Burt. Yes, I do.
Ms. Jackson Lee. Let me ask, Ms. Plunkett, with respect to
the 2016 election and the Russian GRU officers compromised a
computer network of the Illinois State Board of Elections and
gained access to a database containing information on millions
of registered Illinois voters. The Russian GRU officers were
able to steal data of thousands of U.S. voters before Illinois
was aware of the hack.
If Russia had succeeded in all these efforts, can you
explain how attacking voter registration software in electronic
polling stations can impact an election?
Ms. Plunkett. Certainly.
Since the foundation of the voter system begins with the
registration databases, which validates that a voter is
eligible to cast a vote, should that database be altered in any
way, whether it be destroyed or deleted or additions made to
it, it could jeopardize the ability of a legitimate citizen who
has the right to vote from voting and would certainly alter the
outcome of the election because it would prevent those who
should be able to vote from casting their votes.
Ms. Jackson Lee. In essence, it would undermine the very
basis of our democracy.
Ms. Plunkett. That's correct.
Ms. Jackson Lee. Mr. Burt, you've mentioned the
ElectionGuard. We are all fascinated by that. It's outstanding
technology.
In your marketing to the entire world, I'm not sure what
kind of litmus test you're going to use to determine whether or
not it is a democratic government. What is the potential of
innocent democratic governments now giving technology of that
level of sophistication to be utilized, then, to hack into the
system? What are the protections and the firewalls on your
system if, by chance, you sell it to an enemy, a foreign enemy?
Mr. Burt. Well, Congresswoman, we're actually being quite
deliberate and careful about the countries to which we expand
our services. Let me be clear about ElectionGuard: It's an
open-source project that anyone can access. That actually leads
to the security, because as people find any flaws or security
flaws in that software, it can be updated.
What's important to understand is that this technology is
not capable of being used as an offensive weapon. What it does
is secure the vote. What it does is ensure that votes are
encrypted and can't be changed or altered. It ensures that the
vote can be verified and that the count can be properly
verified by individual voters and by any third party.
So, to the extent that this technology is deployed even in
countries that we would not consider an ally, it just means
that their votes are going to be more trustworthy than they are
today.
Ms. Jackson Lee. So, it doesn't give them the ability to
breach or to hack into the votes of another country?
Mr. Burt. That's correct.
Ms. Jackson Lee. Let me ask Secretary Boockvar, what is the
importance of having a variety of technologies that States can
have access to, rather than the limited number of vendors that
we already have, in terms of protecting the election process?
Ms. Boockvar. So, I think one of the benefits that we have
is--decentralized systems have their advantages and
disadvantages, but having the variety of technology is
definitely an advantage, because the likelihood of the ability
to breach all the different technologies is certainly harder
than if you had one uniform across the board. So, it's key to
keep the diversity of our systems.
Ms. Jackson Lee. You only have, I think someone mentioned
three. So having us to be able to certify or legislation that
deals with expanding that opportunity would also enhance the
security and safety of elections.
Let me--you're all lawyers. In the past election, 2016,
we've determined that there were a lot of foreign operatives.
Do you think it's important to have legislation that indicates
that if you, an elected official, or a candidate, are
approached by a foreign adversary, that you need to report that
immediately to an organization, agency, such as the FBI?
Ms. Plunkett? I'm just asking everybody across the board.
Ms. Plunkett. Yes, I do.
Ms. Jackson Lee. Madam Secretary?
Ms. Boockvar. Yes, I do as well, Congresswoman.
Ms. Jackson Lee. Mr. Burt?
Mr. Burt. Certainly.
Ms. Jackson Lee. I ask unanimous consent to place into the
record H.R. 2353.
Chairman Nadler. Without objection.
[The information follows:]
MS. JACKSON LEE FOR THE OFFICIAL RECORD
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Jackson Lee. Can an effective deceptive campaign
spoofing attack be deployed through user search engine
requests?
I'll repeat it. Can an effective deceptive campaign
spoofing attack be deployed through user search engine request?
Can you just answer the question, Mr. Burt?
Chairman Nadler. The time of the gentlelady has expired.
The witnesses may answer the question.
Mr. Burt. Yes, that's possible, although a more fulsome
answer would take a considerable period of time in terms of how
that would work and how we can defend against it.
Ms. Plunkett. I agree, yes.
Ms. Jackson Lee. All right. Thank you. I yield back.
Chairman Nadler. The gentlelady yields back.
The gentleman from Florida?
Mr. Gaetz. Thank you, Mr. Chairman.
I'd like to associate myself with the comments of the
gentlelady from Texas and the gentleman from Colorado, that
election security issues must be viewed as a bipartisan
endeavor for us to be able to make progress and that all voters
deserve to have confidence in that process.
I must say, it was a little disheartening that the Chairman
began the hearing by taking a bunch of partisan shots at the
President. I don't understand how that is helpful to the work
that we're doing here.
Really, thinking in terms of the value of elections most
broadly, I fear that the greatest risk to our democracy may not
be hacks or interference with the vote; it may be the efforts
by radical Democrats to try to impeach a President who was duly
elected. That seems to undo elections a lot more than hacking.
Alas, back to this important work of the committee. I
wanted to thank Congresswoman Murphy as the lead but also our
colleagues on the Judiciary Committee, Mr. Deutch and Ms.
Mucarsel-Powell from Florida, for coauthoring H.R. 3529. This
bipartisan legislation requires the head of the Department of
Homeland Security to notify State and local election officials
in the event of some intrusion or hack.
So my question is really to any of the Members of the panel
to speak to the utility and importance of real-time
coordination in the event of an intrusion and how you might see
State and local officials working cooperatively and proactively
with the Federal Government in such an endeavor.
Ms. Boockvar. I'd love to take a crack at that. Thank you,
Congressman.
It's critically important, that collaboration at the State,
local, and Federal level. We saw it in Pennsylvania last year,
in November of 2018's election. We were connected across the
country to other States and to the Federal Government, getting
real-time information about things that were being seen in
other States.
We could not only take--so, for example, there were
attempts to hack into--to send PDOS types of interruptions in
other States. IP addresses were identified, passed along to
other States. We then, in turn, were connected across the State
to the 67 counties, could pass along those IP addresses, so
they could block it proactively before having to have--it was
literally in-action collaboration that protected our elections.
So that kind of thing, both before, during, and after, is
critical to make sure that we have the most secure elections
possible.
Mr. Burt. Congressman, if I may, in 2018, under the
direction of Director Krebs from CISA, there was a war room
established at the Federal level to which technology providers,
State and local officials were all invited. We participated in
that, and that was a good step forward.
What you suggest is absolutely critical. I agree that the
more efficient we can have communication between all Federal
agencies who are aware of attacks in real-time with State and
local officials and, also, leading technology providers who
stand ready to assist with this effort of protecting our
elections, the better it can be.
So, we need to improve and expand on that rapid real-time
sharing of threat information at the time of the election and
before then.
Ms. Plunkett. I agree with both.
I'd just also add, it's critically important and a good
role for the government to create the environment where
information-sharing can happen without restrictions in a smooth
and precise and expeditious manner, such that everyone who
needs the information can get it and it's presented in a usable
fashion.
I would not limit that to State, local, and Federal, as has
already been stated. Vendors there are very good threat
intelligence organizations that are doing a great job in
uncovering good information that needs to be a part of this
dialogue.
Mr. Gaetz. That is incredibly helpful advice, especially
when I think about the experiences in Florida, where hackers
masquerade as the vendors. So, they would seem to be an
important part of that community. That's very helpful.
I would also observe that there seems to be some confusion
in Florida as to the extent to which any hack could lead to
voter manipulation in future elections, not based on changing
the tallies of the votes but by potentially manipulating
someone's name. I'm Matthew Louis Gaetz II, but if someone went
and changed my name to just ``Matt Gaetz'' on the voter rolls,
potentially I would have a hard time having my vote counted.
So, this may be a broader question than you're able to
answer, but I am interested--and I think the Judiciary
Committee could perhaps partner with others--on the utility of
blockchain technology to enhance the security of elections.
Because in an immutable, decentralized ledger, I would think
that such a manipulation of the voter rolls, themselves, would
be less likely.
I would seek any comment anyone would have.
I appreciate the chair's indulgence.
Ms. Jackson Lee. [Presiding.] The witnesses may answer the
question. The gentleman's time has expired.
Ms. Plunkett. I think there's certainly the opportunity for
blockchain to be relevant in this space. If we think now about
the American public and their understanding of voting and
voting systems, we are talking about paper ballots as a backup.
Generally, people understand that.
Blockchain technology is very complicated and is untested. I
know it's being tested in West Virginia, as I understand it.
So, I think there's possibility, but it's not something that I
think is ready for use for a general or primary election.
Ms. Jackson Lee. The gentleman's time has expired.
The gentleman from Georgia is recognized for 5 minutes.
Mr. Johnson of Georgia. Thank you, Madam Chair.
Thank the witnesses for your appearance today and for your
testimony.
Ms. Plunkett, the Center for American Progress recently
reported that, quote, ``voting on paper is the most hack-proof
way of conducting elections.'' You agree with that, do you not?
Ms. Plunkett. Today, yes, I do.
Mr. Johnson of Georgia. What about you, Ms. Boockvar?
Ms. Boockvar. Absolutely. At least with a paper record, I
should say.
Mr. Johnson of Georgia. Uh-huh.
Mr. Burt?
Mr. Burt. Well, I would say that we actually believe that
ElectionGuard provides an even more hack-proof way of voting.
Paper as at least a backup or as primary--because the
technology would support either--is important to maintaining
the security of our elections.
Mr. Johnson of Georgia. Uh-huh.
So, when we talk about a paper ballot, we're talking about
a hand-marked paper ballot.
Is that right, Ms. Plunkett?
Ms. Plunkett. It doesn't necessarily have to be hand-
marked, but there should be a piece of paper involved that can
be--
Mr. Johnson of Georgia. Well, now, if the paper involved is
produced by a touchscreen voting machine and that piece of
paper also has a barcode along with the races that the voter
voted on, and this paper that the machine produces with the
barcode is given to the voter, who can then check it, make sure
that it reflects accurately what choices were made by that
voter, and then that piece of paper is then scanned into a
counting machine which counts not the actual choices made by
the voter but the barcode on top, that's the kind of paper
ballot that you're talking about?
Ms. Plunkett. I don't know about the barcode piece. I--
Ms. Boockvar. So, I think I can answer that. So, for
example, that's where audits come in, right? So, for example,
we're developing a process in Pennsylvania where--
Mr. Johnson of Georgia. Well, I guess the question that I'm
asking--if it's the barcode that is counted and not the box
that is identified as the one that was checked by the voter,
how does the voter know that the barcode which is counted
actually reflects the choices that the voter made? Or does the
voter just simply have to depend on the barcode to accurately
reflect--how can we get around that if we're counting the
barcode and not counting the hand-marked paper ballot?
Ms. Boockvar. So, most systems, whether they're hand-marked
paper ballot or ballot-marking devices, use some form of mark
for the tabulation process, whether it's a barcode, a QR code,
or timing marks, which some of the hand-marked paper ballots
use. So, there's basically triggers into the tabulator, and then
the audit--
Mr. Johnson of Georgia. Then you're able to actually count
the hand-marked ballot by hand.
Ms. Boockvar. Exactly. That's what the audit or a recount
would do, would look at the plain text language on the--and it
can compare to the tabulation numbers--
Mr. Johnson of Georgia. The tabulation of the machine.
Ms. Boockvar. --yes, with the--
Mr. Johnson of Georgia. So, the hand-marked ballot is the
way that it produces an auditable trail. The ballot that is
counted by the barcode and is not hand-filled-out is just
simply a further extension of the mechanics of the computerized
voting?
Mr. Burt. If I may, Congressman. So, in the context we are
talking about the barcode, that paper still shows the specific
individual votes which the voter, in a well-run system, has had
an opportunity to verify the checkmarks in the boxes. So, now
you've got a--
Mr. Johnson of Georgia. Yeah, but those checkmarks are not
the ones that are counted, though.
Mr. Burt. I understand. What I'm saying is--
Mr. Johnson of Georgia. It's the barcode.
Mr. Burt. --even if it's not hand-marked, if it's marked by
the machine, but the voter has verified those boxes, now you
have a paper ballot that's verified that can be used for
counting.
Mr. Johnson of Georgia. How does the voter verify that the
barcode or the counting mechanism accurately reflects the
choices that the voter made?
Mr. Burt. Yeah, so that is part of the audit process that
can be performed by looking at the tally against the audited
subset of ballots that's selected for the audit, looking not at
the barcode, in this case, but looking at the boxes that are
checked. So, the audit system provides that.
Mr. Johnson of Georgia. Let me just say this, then. Isn't
it clear that a hand-marked paper ballot that is then fed into
a counting machine, which counts that tally, along with the
other voters--and then, at the end of the voting process, if
there is a recount, then you can actually count the paper
ballot, the hand-marked paper ballot by hand and compare that
to the tally that was produced by the counting machine, doesn't
that provide the most effective way of auditing the results of
an election?
Ms. Jackson Lee. The gentleman's time has expired. The
witness may answer the question.
Mr. Burt. I would say that it's not important whether the
ballot was hand-marked or marked by a machine as long as the
voter gets the opportunity to verify that what they see on the
ballot is what they intended before they deposit it in the
ballot box. Either way, whether it's my hand-marking or the
machine that checks the box, you have a clear representation of
the voter intent.
In fact, in the machine-checked box, sometimes that's
clearer. As you know, with hand-marked ballots, there's often
disputes about what a voter actually intended with the marking,
depending on the system.
Mr. Johnson of Georgia. There's no way of doing that--
Ms. Jackson Lee. The gentleman's time has expired.
Mr. Johnson of Georgia. --with the electronic voting
process.
I thank the gentlelady, and I yield back.
Ms. Jackson Lee. The gentleman's time has expired.
The gentleman from North Dakota, Mr. Armstrong, is
recognized for 5 minutes.
Mr. Armstrong. Thank you, Madam Chair, if I have time, I am
going to come back to this, but Mr. Burt, your written
testimony, you mentioned, you talked about future threats, and
one of those was deepfakes and synthetic media being a future
threat. I'm an old State party chairman. I understand how in
the last 10 days of a close election things escalate extremely
quickly. Just, why is this such a threat, and what can we do to
deal with it on the front end? I mean, I've seen some--our
colleagues, they did one yesterday, and I don't know another
word to say another than creepy, and they look absolutely
legitimate, so.
Mr. Burt. Well, Congressman, that's exactly why it's such a
threat. We know that our adversaries, among other things,
engage in disinformation campaigns, in which they attempt to
take the extreme positions on social issues relevant to the
campaign, and they try to incite conflict among the American
electorate. They seek to discredit candidates or positions
through their disinformation campaigns. We should anticipate
that they are going to become more sophisticated in their
efforts.
Synthetic media, or deepfakes as it's called regularly, the
technology that enables that, both in terms of audio and video,
is advancing rapidly, and as you point out, it's now possible,
with the most advanced technology, to really create videos that
appear to be entirely realistic. There's a lot of research
that's going into detection technology, how to detect these
deepfake videos and show that they are artificial and not
real. At the end of the day, the technology to create the
videos, because of the way the artificial intelligence works,
will always be ahead of any detection algorithm.
So, the opportunity for our adversaries to use this
technology, to try to influence a campaign or an election, is
very real. Today as it stands right now, we don't have a great
answer to that, other than to educate the American public that
it's going to be even more important now than it's been in the
past, that they consume the information that they use to make
election decisions from sources they believe are credible.
There are a number of services out that try to rank and rate
various sources to determine is this a journalistically
credible source or not, but in today's world, that's going to
become even more important.
Mr. Armstrong. Thank you. I get criticized for a lot of
things I say, so I'd prefer that I not get criticized by things
people make up that I say. Moving into that, as far as a
defense to that, as we're going forward, if the technology is
advancing faster than the detection of it, it probably behooves
us, as a body, and whoever else is doing some of these things,
to figure out a way, particularly with platforms and things, to
be able to have immediate removal and those types of efforts.
Would that probably be just as we're moving forward and going
towards this, there has to be a way. We have to have a way as a
Congress or as a government or just as an election, to be able
to deal with these things.
Mr. Burt. Yes. In the short-term, I think using available
detection technologies, working with the social media platforms
and others to try to identify those that originate from
adversaries, which is, cybersecurity technology we can deploy.
Those are going to be the best things we can do for this
election cycle.
We and others are investing in a number of different
efforts to try to come up with better ways, both to detect and
to identify legitimate sources of video and audio so that over
time, we will have a better approach to solving this challenge.
It is going to be a real challenge for us in the 2020
elections.
Mr. Armstrong. Going back to the encryption stuff, and how
does the broader encryption debate potentially affect
encryption in ElectionGuard. If a government has a backdoor
access, it's a backdoor that potentially could be exploited.
That could create a built-in weakness in the balance. How do we
balance law enforcement and the ability to do that with
cybersecurity?
Mr. Burt. So, this is a broader question that goes beyond
the election context. In the election context, the encryption
that we build in to ElectionGuard would never have a backdoor.
There would be no purpose to have the backdoor, and it actually
would reveal voter--specific votes, which you don't want to do
for a variety of reasons.
In the more broader context, this is a very nuanced
discussion. There was a recent paper from the Carnegie
Institute that I thought was very well done in talking about
the broad range of issues, relevant to encryption, law
enforcement access, protection of dissidents, for example, the
legitimate uses for encryption, why that's important. One of
the things that paper said, which we absolutely endorse, it's
important to get very specific about the problem you're trying
to address, and look at that problem and how to properly
balance all the competing interests as to that problem. There
is no general approach to encryption that doesn't create way
too many problems. So, we need to be very specific, look at
those specific things, and then balance the social issues to
find the right result, and that's going to be some work that we
all have to do, the technology industry together with
government.
Chairman Nadler. The time of the gentleman has expired. The
gentleman from Rhode Island.
Mr. Cicilline. Thank you, Mr. Chairman. Thank you to our
witnesses for this very useful and important testimony. One of
the things that I'm particularly concerned about is the
regulation of vendors. As you are aware, a large percentage--I
think it's 97 percent--of States and territories use vendors in
some capacity, from the computers they use to access
information to the servers that house information, the
management of databases that contain information to cast and
tally votes, websites and software used to display information
and results, to the software that creates ballot design and
helps transfer information across systems.
Three vendors in particular control over 90 percent of this
process. Of those three, over 60 percent of American voters
cast ballots on systems owned and operated by a single vendor.
Despite the incredible impact of vendors on our electoral
system, there seems to be very little regulation over vendors
that really ensures election security. As a result of it, we've
seen some very serious issues with vendor security.
So, my first question really is, for each of the witnesses,
should we consider regulations at the Federal level in creating
some standards for vendors, and if so, why? If not, why not?
Ms. Plunkett. I absolutely believe that we should, because
elections and election systems are a national security threat.
For national security threats, that has been the approach of
the U.S. Government. It is to develop Federal standards, and in
this case, it would be Federal security standards for election
equipment that range--that really run the gamut from how the
environment in which the software is developed, and ensuring
that it's developed in a secure manner, and appropriately
protected, straight through to the implementation and
maintenance, and then the responsibility for reporting any
vulnerabilities that are discovered even after that software,
hardware is deployed. I think it absolutely should be done, and
I believe it's a role for the Federal Government.
Ms. Boockvar. I agree on every level. We have the Election
Assistance Commission which does certification, but as you
probably know, not only has the EAC been underfunded, but they
also were unable to update their standards, the voluntary VVSG
standards, for a long time. It didn't have a quorum.
So, for example, in Pennsylvania, we stepped in and last
year, when we knew we had to certify a whole bunch more voting
systems, we actually created our own more stringent security
standards, because we didn't want to rely on the outdated ones.
So, it would be much more effective if the Federal
Government were having stronger oversight both to standards and
then to oversight of, for example, we talked earlier about the
foreign ownership, background checks, and making sure that
there's chain-of-custody controls over every component of the
voting and election system.
Mr. Cicilline. To make those standards requirements, not
voluntary?
Ms. Boockvar. Correct.
Mr. Burt. Congressman, if I may add, we're all in agreement
on that, with the one caveat that it's important that the
standards not dictate any particular technology or
technological solution because that then sticks the States and
local governments with a particular solution. If that becomes
vulnerable, then it would take too much time to change. So,
they need to be generalized standards so that there can be
innovation in terms of the technology approach that's used to
meet those standards.
Mr. Cicilline. That makes sense. In addition to the
establishment of mandatory standards, are there other things
Congress should be thinking about with respect to the role
vendors play in our electoral process and the integrity of our
elections?
Mr. Burt. One thing that is another one of the future
threats that the vendors can be playing a more significant role
is, the risk of ransomware, and ransomware attack, especially
on the voter registration rolls. This is something that
Director Krebs from CISA pointed out a few weeks ago after this
whole rash of ransomware attacks, we've seen on small
municipalities around the country, ten in Texas alone
relatively recently. The risk that our adversaries will use
that same malware injected into the voter registration devices,
and basically it will show up on the day of the election, and
the entire database will be locked up and you can't see it.
That's a significant risk.
So, vendors need to work with their customers to help them
understand how to establish defenses, how to have and build
into the system backups that are offline backups, and do
tabletop exercises so that State and local officials know how
to restore those systems very rapidly, so there's no
interruption in the voting process in the event that everything
else that we do to try to maintain security is unsuccessful.
Mr. Cicilline. Thank you. I want to thank you, Mr.
Chairman, for holding this really important hearing. There's
nothing more fundamental than protecting the right of the
American people to have their voices heard and their votes
counted in our elections, and this requires strong leadership
from everyone at every level of government, and I really thank
you for conducting this hearing.
Chairman Nadler. Thank you, the gentleman yields back. The
gentleman from Texas.
Mr. Gohmert. Thank you, Mr. Chairman. I appreciate all of
you being here. I noted that Chairman said basically that he
was astounded to find counties still buying machines with no
paper trail. Ms. Plunkett, were you at the NSA back in 2000,
2001?
Ms. Plunkett. Yes, I was.
Mr. Gohmert. Do you remember who mandated that every county
or parish in America buy electronic voting machines, and there
was no requirement for paper trails because that was more
expensive? Do you remember who mandated that?
Ms. Plunkett. No, I do not.
Mr. Gohmert. Well, I was working for the State and county
as a judge, and counties were outraged that they had an
unfunded mandate by this Congress, that some people here were
in, Democrats intimidated Republicans because of the votes in
Florida, even though there were fifth graders tested. None of
them had trouble with the butterfly ballots and such.
Apparently, people that were trying to vote Democrat had a lot
of trouble with them. So, there was outrage, there was demand
for electronic voting, and the Federal Government, Congress,
mandated it. It was very, very difficult for counties, many
counties, to come out of the financial burden that this
Congress put on them, and so, if some of them have had trouble
recovering financially for the poor mandate from this Congress,
then hopefully they will be forgiven.
Mr. Burt, it's wonderful that ElectionGuard is being
provided by Microsoft to help secure elections. Does that work
as well on Apple or Mac systems as it does on Microsoft
operating systems?
Mr. Burt. Yes, Congressman, it works on any platform. It
doesn't matter what platform--
Mr. Gohmert. See, I've heard that about here in Washington,
I could have whatever computer system I wanted, and I have used
Microsoft operating system for years. I tell people, I thought
Microsoft Vista was the best thing that ever happened to
computers. It screwed up all my software. I finally got mad and
went and bought an Apple, it was a Mac. It was the best thing I
ever did. Bought dozens since. But, when I was in Congress, I
wanted a Mac, and I got one, but Microsoft system is what
things are based on here. It screwed up my computer, and they
said, look, you just can't have a Mac, if you're going to
communicate with other computers around it. So, I just didn't
know.
I understand that your job is security and trust with
Microsoft, so maybe they hadn't told you, but is there any
backdoor into ElectionGuard that Microsoft might have in order
to fix or deal with some problem in the system?
Mr. Burt. Absolutely not, Congressman. There is no--
Mr. Gohmert. As far as you know.
Mr. Burt. Well, not only as far as I know, but it was my
team that did the engineering work on this ElectionGuard--
Mr. Gohmert. Okay.
Mr. Burt. --and so, I am confident there is no backdoor.
The other thing I would say again is, we are making it an open-
source project. So, the source code is available today on
GitHub for anybody to look at. We actually encouraged hackers
to try to hack into it, so that we can find any security flaws
and fix them.
Mr. Gohmert. One of the problems since really we're all
very concerned about election security, no matter how good your
system is, it can't do anything about a county that hires a
vendor, as my colleague was just bringing up, and the vendor at
the end of our early voting, on Friday before the election on
Tuesday, takes the 48 flash drives from the 48 precincts home
and plays with them until Election Day. Your system can't help
with that kind of problem, correct?
Mr. Burt. Actually, Congressman, the ElectionGuard
technology, the way it works, actually provides security and
trustworthiness even if you have a vendor or an election
official who's been compromised or has some malign intent,
because the vote gets encrypted the moment that the voter votes
on it, and it never decrypts it after that.
Mr. Gohmert. Yeah.
Mr. Burt. So, it's protected against any of those kinds of
attacks. Then we--
Mr. Gohmert. If it's protected against that kind of abuse,
then a county may not want to use your system, if they need a
vendor to take them home and play with them. I'm concerned that
each of you think it is possible to rig an American election,
and if that's the case, I just warn you that in President
Obama's eyes, that would make you a nonserious person, because
he said, no serious person out there would suggest somehow you
could even rig America's elections.
I would encourage you, since traditionally dead people vote
nearly a hundred percent Democrat, that you figure out a way to
secure our graveyards so people don't keep turning out and
voting in our elections. My time is expired.
Chairman Nadler. The gentleman's time is expired. The
gentlelady from Washington.
Ms. Jayapal. Thank you, Mr. Chairman, and thank you all for
being here. It's really very important the information that
you're giving to us. As I've come to learn more about this
issue, I've been quite stunned that the United States is
currently the only major democracy without a centralized agency
governing cybersecurity. Although we have multiple Federal
agencies that have some role to play in protecting elections,
there's no clear place that a local county that's concerned
about hacking can go to. I read this recent U.K. report that
explains that there are single, centralized, cybersecurity
agencies that coordinate national security in Australia,
Canada, and New Zealand, but the same report notes that in the
United States international cybersecurity efforts must go
through multiple U.S. agencies, including the NSA, DHS, and the
FBI. So, I'm really interested in this idea of centralized and
cohesive coordination of our Nation's cybersecurity to better
protect from foreign and domestic threats.
Mr. Burt, I want to thank you for your work and say how
proud I am that Washington State is Microsoft's home State, and
that I have the honor of representing many, many, many
Microsoft workers as my constituents. I think you have brought
up some really--you've done some really important work with the
ElectionGuard technology. I'm curious--I know you just released
it--is it actually in use anywhere yet? Are we using it in
Washington, I guess, is the most relevant question?
Mr. Burt. No, it's not yet in use anywhere, because as you
say, just released it for public use just in the last few days.
We are working with all the major election--working with all
the election vendors. They're all very enthusiastic. They're in
the process now of evaluating the technology and thinking about
how they could build it into new offerings, new devices. So, we
need both the election vendors, as well as State and local
officials to understand the technology, think about how they
can use it to secure their election, and we're out, you know,
actively helping explain and educate that.
We do expect that either later this year, or certainly in
2020, there will be--we're working with a number of partners on
some, at least pilot elections, where it will be used for a
certain precinct or in a certain location so that we can
actually test the technology, make sure that it's working as
expected, hopefully in the coming months, and certainly by
2020.
Ms. Jayapal. Thank you. That's what I was wondering, is
perhaps if we were pilot-testing it in Washington. In your
testimony, you talked about imposing a culture of
cybersecurity, including training, and I was also struck by the
fact that many of the existing voting systems were using
Windows 7. In your testimony you talked--or in your written
statement, you talked about that. How do we, and maybe this is
a question for you, but also for you, Ms. Boockvar, how do we
make sure that we are providing the support and incentivizing
in some way States and local counties to update their
technology? Because we can have the best stuff, and we can put
it out there, but if people don't continue to update, we're
going to have this problem. Do either of you have comments on
that?
Mr. Burt. Well, I think you've heard a number of comments
that address that already today from the testimony. I would
say, we basically endorse the comments from both other
witnesses which is, among other things, a set of consistent
Federal standards on security for elections would be useful
guidance. But, you also need to have a sustained, durable,
long-term funding solution, so that State and local agencies
are not stuck because of financial considerations, with
outdated technology. This is just too important to our
democracy. We need to make sure that we have the most secure
systems possible in every State and local elections.
Ms. Jayapal. Is it just about money, though, or is it also
about people's fear of how to use technology, not perhaps
having their technology officers in place? Either of you,
please.
Ms. Boockvar. There's a role really for lots of different
pieces of the puzzle here, so from--everything from--sorry
about that. We were talking earlier about how it would have
been great if the new systems, for example, in Pennsylvania,
that we just certified over the last year, they should--it
would have been great if they were never made with Windows 7,
so that there was an earlier sort of prevention measure in
place that just involves regulation at the front end.
Then, I think at the county level, and at the State level,
and at the Federal level, to have easier certification, so when
there is the transition and the upgrade of technology, we need
to be able to make sure that those systems can be in use
without being out of play for a while. So, there's a lot of
different levels of it.
Ms. Jayapal. You mean made with Windows 7, because things
have an operating system within them, but what do you mean by
that?
Ms. Boockvar. So that's their operating system. So, for
example, it would have been great if all the systems that were
even being made over the last year were already Windows 10.
Some were, some weren't.
Ms. Jayapal. Oh, I see. I see. They were updated as they
were being put out?
Ms. Boockvar. Correct. The counties, so there were
negotiations--in terms of the money piece, there were
negotiations with the vendors to make sure that they weren't
going to charge for the upgrade, but it would have been better
if there was never a need for upgrade because they had been
made with Windows 10 to begin with.
Ms. Jayapal. Thank you. I yield back.
Chairman Nadler. The gentlelady yields back.
The gentleman from Virginia.
Mr. Cline. Thank you, Mr. Chairman, and I'm grateful to you
for holding this hearing today. It's an issue that has needed
examination for some time, and I'm hopeful that after today's
hearing, we'll be able to act on some of the excellent ideas
that have been discussed this morning and many others that have
been put forward by Members on this committee.
While the responsibility of carrying out elections is one
mainly for local and State governments, the Federal Government
does have a critical role to play as has been discussed. It's a
fact that other countries are trying to interfere in U.S.
elections--Russia, most notably--and we must remain vigilant to
ensure that foreign adversaries cannot meddle in our electoral
process.
New threats will never cease, and our Nation must stay on
the cutting edge to ensure our elections remain secure. Our
laws guarantee the American people just and fair elections, and
it's our duty to carry out that mandate and resist all forms of
tyranny that threaten our freedom.
I have listened with interest. It seems like we're moving
in two different directions--one toward less technology, paper
ballots, and one toward more use of technology,
decentralization, Blockchain. I'm curious about real-time
testing of Blockchain in West Virginia.
Ms. Boockvar, your neighboring State, West Virginia, had
apparent success in the midterms in using Blockchain to allow
deployed overseas servicemembers to vote. Have you explored any
similar initiatives in Pennsylvania, and what have you done to
ensure that overseas, deployed servicemembers can vote?
Ms. Boockvar. So, we have not explored directly--I think
across the country we are very closely talking with Virginia
and West Virginia and watching how this goes. I think it did
seem that the first run of it was successful. But, like we all
know, there's a lot of risks with using untested technology.
So, I think that's going to be something to watch over time. In
the meantime, we are effectuating an encrypted email process
that's going to be used for the first time--I'm sorry, I lost
my voice--but that's going to be used, that's going to allow,
instead of having to access a website, encrypted emails for
delivery of the ballot to those voters, and that's kind of our
next technology way to protect the vote overseas--of overseas
voters. I'm sorry.
Mr. Cline. Mr. Burt, your technology seems to--
ElectionGuard seems to utilize both ends of the spectrum there.
You're having a paper ballot backup but exploring open-source
solutions. Do you still--are you researching efforts to replace
paper ballots, design and create additional software efforts
that could replace paper ballots? Or are you of the mind that
you should always have that paper ballot backup?
Mr. Burt. So, our view is that whether paper ballot is the
backup or primary, either way, the ElectionGuard technology can
help provide this level of security and verifiability. We've
designed it so that it will work with paper ballots in either
way. But our position is that today, it's important to have a
verified paper ballot backup, at a minimum, to use for risk-
limiting audits and have it available in the worst case, so
that you can do a hand count if necessary. So, we think--and
our technology supports that as well--so we think it's
important.
If I just make comment quickly on Blockchain, our
researchers, who look really carefully at election-based
technology, do not think Blockchain is a great solution for a
nationwide election. We're very interested in the West Virginia
experiment. We'll continue to look at that. It has a very
specific focus which it may be useful for. For the most part,
there are two big problems with Blockchain. It's a distributed
ledger, and you really need to have a leader, which we have
leaders now with the State and local election officials who
establish what the rules are for voting and for who's on the
ballot and who's not. So, there's challenges with Blockchain
technology inherently, and furthermore, on a nationwide level,
it would not maintain the degree of security and privacy in
each individual's vote that is critical to our national
elections.
Mr. Cline. You've been working globally on this effort.
Have you seen in other countries any evidence of hackers and
whether your work in other countries on those issues has led
directly to denying hackers an option to penetrate election
infrastructure?
Mr. Burt. So, the work that we've done globally so far has
been with our AccountGuard service, where we monitor nation-state
actors, attempting to hack into the accounts of
candidates or others involved in the election process,
including third-parties, academics, and NGOs. What we have seen
is that there are attacks in many other countries. We saw it in
a number of the ones that Chairman Nadler referenced in his
opening statement. We saw it as well in the French presidential
election following ours in 2016. So, this pattern of conduct by
the Russians, but potentially by other nation-states, is
absolutely continuing in multiple different countries.
Mr. Cline. I thank the witnesses.
Chairman Nadler. The time of the gentleman is expired. The
gentleman from Maryland.
Mr. Raskin. Mr. Chair, thank you. In 2016, Vladimir Putin
assessed the Russian posture vis-a-vis other countries. He
realized he could not defeat liberal democracies militarily or
economically, but he convened the equivalent of a Manhattan
project for electronic subversion of the cyber elections, and
the social media of democratic countries.
So, from prior hearings I've learned it was a three-pronged
attack. Part of it was on the social media. There was an effort
to inject racial propaganda and other kinds of ideological
poison into Facebook and Twitter and so on. Two, there was a
direct effort to hack into the DNC, at the D triple C, Hillary
Clinton's emails. We're aware of that and had testimony about
that.
The third part was to go right to the State boards of
elections to try to get into those systems. I want to ask a
couple questions about that. I understand that they made their
most progress in terms of the Illinois system, actually got
into the voter registration database. Although, they were not
able to, but apparently they tried, but they were not able to
nullify the existence of voters on the database. What might
have happened had they been able to do that? How secure are we
against that in a similar attack, in 2020, Ms. Boockvar?
Ms. Boockvar. So, the way it's been described to me is,
what they did was kind of like, you know, if you're a thief and
you go around the neighborhood and you try to figure out which
houses have unlocked doors or windows, which are the easiest to
break into, and when they're locked, you move on to the next
one. So, they scanned a bunch of States, found most of the
doors and windows locked and moved on to the next. I think that
that's why we were successful at not having a worse situation.
It could have been, as has been discussed previously, it could
have been devastating.
Mr. Raskin. Are you a member of the National Association of
Secretaries of State?
Ms. Boockvar. Correct.
Mr. Raskin. How secure are the States? How ready are we?
People ask me all the time, how ready are we, but we don't have
one system. We have at least 50 systems, right? Or 51 systems
all over the country.
Ms. Boockvar. I think we are absolutely in a much better
place than we were 2 years ago, and the designation of
elections as critical infrastructure was a big start to that.
We still have a way to go, and that's why I'm really
interested, Congressman, on making sure that we don't focus
entirely on voting systems. Voting systems are really
important, but we need to be funding replacement of voter
registration systems, intrusion-detection systems, making sure
that the counties have the cyber protections, the passwords,
and the multifactor authentication. Those are just as important
as the voting systems, and we need to recognize that.
Mr. Raskin. Ms. Plunkett, would we be safer in protecting
our Presidential elections, which are obviously the biggest
magnet and target for foreign actors, would we be better off if
we had one national popular vote in electoral system for
President, or are we better off using the current electoral
college system where we have a State-by-State voting and we've
got to protect all those different systems?
Ms. Plunkett. What's most important is that we have the
right--whichever system we would choose to use, what's most
important is that we have the right security protections in
place. With the right security protections in place, either
would work equally effectively, I believe.
Mr. Raskin. Okay. Mr. Burt, I was very cheered to hear your
testimony. Are you telling us that we essentially have a
technological fix to the problem of security of the actual
voting systems themselves?
Mr. Burt. Yes, Congressman. We think the election, our
technology, once it's implemented in devices and those devices
have been adopted, will provide a high degree of security, and
more importantly, will provide this end-to-end verifiability,
which will enable individual voters and voting officials to be
able to trust the outcome, with the ability to have audits as a
backup to add a layer of verifiability and trust in the system.
Mr. Raskin. It will promote a lot more confidence in the
reliability of the results?
Mr. Burt. Yes. Ultimately, it would provide a much greater
degree of confidence in the outcome, in part, because
individual voters, for the first time, will see that their vote
actually was counted.
Mr. Raskin. Yeah. I mean, all of you have emphasized that
our electoral integrity is a matter of national security. If
you think about it, why does Vladimir Putin and Prime Minister
Orban in Hungary and Duterte and all the authoritarians and
despots and dictators want to destabilize our elections, it's
because they want to destroy people's faith and confidence in
democracy. They would like everything to be about authoritarian
despots who just make deals around the world and go and corrupt
each other's elections and interfere in each other's
governments. I yield back. Thank you for your testimony.
Chairman Nadler. The gentleman yields back. The gentleman
from Pennsylvania.
Mr. Reschenthaler. Thank you, Mr. Chairman.
Mr. Burt, thanks for coming in today, and thanks for all
you're doing to make our elections safe and protecting
democracy. I just wanted to see if you'd like to speak about
why Microsoft got into the election space and just generally
speak, say, if there's anything more you want to elaborate on
ElectionGuard.
Mr. Burt. Absolutely. This goes to a number of the
questions about how we got to where we're at today. We need to
keep in mind that our foreign adversaries' direct efforts to
intervene in our elections is a relatively new phenomenon, and
the process for certifying devices and so forth is an older
phenomenon. So, this is something that the entire election
community is reacting to in a relatively short period of time.
For Microsoft, this started in 2016, during the Democratic
National Convention when our security team saw that a group
that we call STRONTIUM, which we now know from the Mueller
indictment, is a Russian organization operated by the GRU, the
same group. When we saw that organization registering a bunch
of fake Microsoft domains, domain names, websites that looked
like they were Microsoft, but really were not, and because of
the timing, we immediately took action, and ultimately,
actually, went to court. We've been in a battle with that same
organization now over several years in court, where every time
they register fake domains, or use them to try to steal
credentials, we go to court, get an order, we take those down
and direct all of that traffic to our own sinkhole at our
Digital Crimes Unit. So, we're in a constant technological
battle with that organization. It started then.
Then as we fast-forward over the next year, I had a
conversation with our president, my boss, Brad Smith, and we
talked about the obligation we have as a company, a company
based in a democracy, founded in a democracy, to help protect,
however we can, those democratic institutions and our voting
process as a core democratic institution. That's when we
founded our Defending Democracy Program which we're going to
continue to invest in and advance in coming years.
Mr. Reschenthaler. Thank you again, Mr. Burt. I really
appreciate all you're doing, and with that, I would yield the
remainder of my time to my friend and colleague from Florida.
Mr. Gaetz. I thank the gentleman for yielding. Mr.
Chairman, I initially have a unanimous consent request that
H.R. 3529, the bipartisan election security legislation I
referenced earlier be entered into the record.
Chairman Nadler. Without objection.
[The information follows:]
MR. GAETZ FOR THE RECORD
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Gaetz. Thank you. I want to return to this issue of
paper ballots versus blockchain technology, and I know that we
all likely have a lot to learn on that. Mr. Burt, do you view
blockchain technology as potentially being more applicable to
the voter rolls and the maintenance of the rolls and ensuring
that there is no manipulation of those than to the actual vote
itself? Or would you view the technology as applicable or
inapplicable to those two silos of election data separately?
Mr. Burt. So, I think you do need to evaluate those two
things separately, because they really are different problem
sets, right? So, you need to look at the problem set and what
you're trying to address. There's two different problem sets
between voting, where we don't think blockchain is a great
solution for a nationwide election, and the voter registration
rolls where, to be honest, it's something I need to go back and
talk to our experts about, whether it's a potential solution.
Offhand, I'm not sure that it is, because again, you don't
really want in the context even of a voter registration roll,
you don't want a distributed ledger. You want a ledger with a
leader.
Mr. Gaetz. Why is that?
Mr. Burt. Because you want to have someone who has the
decision-making authority about what's a legitimate
registration and what's not. In a distributed environment,
that's being determined by every other participant in that
environment. Now, there may be a way to make blockchain
applicable to the voter registration process to help with this
security issue. I want to go back and talk to our experts.
Offhand, I think it's probably not the right technological fit.
Mr. Gaetz. Again I'm not asserting that it is, it's just
very interesting to me that it seems to be less susceptible to
manipulation because in the event that you had the circumstance
you describe, where someone was attempting to manipulate the
data, instead of us relying on one supervisor of elections, a
Department of State, or even some of these joint task forces
that I think we've very productively discussed today, you would
have potentially thousands of different nodes and capabilities
to be able to diagnose that manipulation.
My concern now is, if you can essentially flummox a
supervisor of elections, you can manipulate the voter rolls. As
I sit here today, having received the briefing that I know my
Florida colleagues received, I'm not certain that in my State,
there wasn't some manipulation of the voter rolls. No one's
been able to reflect that certainty than me, and so I'm just
trying to kind of democratize the oversight of that system,
potentially. So, again, I don't expect anyone to be an expert
on this. I think we've got a lot to learn about it. I just
reject the premise that only a piece of paper gives us a sense
of a lack of manipulation.
Mr. Burt. I don't disagree with that, Congressman. If I
may, I'd like to go back and--
Chairman Nadler. The gentleman's time is expired. The
witness may answer the question.
Mr. Burt. Thank you, Chairman. Let me go back and we come
back to you and answer the question more specifically about
blockchain and voter registration rolls, whether that or some
other approach is the best means of securing those rolls.
Mr. Gaetz. Thank you. I yield back.
Chairman Nadler. The gentleman yields back. The gentlelady
from Florida.
Mrs. Demings. Thank you so much, Mr. Chairman. Thank you to
all our witnesses for being here. I am from Florida, and I
represent Florida, and I do agree with my colleague's earlier
statement from Florida that every voter, regardless of their
party, where they live, their zip code, deserves to have their
vote counted. So, thank you very much, Mr. Chair, for this very
timely and important hearing.
Mr. Burt, I'd just like to ask you, have you faced any
obstacles at the Federal level with implementing ElectionGuard,
and if so, what have they been?
Mr. Burt. We have not faced any obstacles at the Federal
level to implement ElectionGuard. Now that the technology is
actually out and available for inspection and deployment, we
expect to have continued conversations with a number of
representatives, Federal Government, where we will explain the
technology and how it works. I don't anticipate actually any
Federal-level resistance because I think we are aligned with
the Federal interest, especially those of CISA and others
responsible for our election security.
Mrs. Demings. If you could state again, what's the timeline
of implementation?
Mr. Burt. So, the technology is available right now for
implementation in devices. The timeline is complex, and that is
a bit of a problem. It's complex for a number of reasons, some
that really government can't do much about, because the vendors
have to inspect the technology, determine whether they want to
put it in devices. There must be a demand from State and local
vendors for the technology, which we think there will be, based
on our conversations so far. Then once those are available,
there has to be the funding at the State and local level to be
able to deploy the new devices that implement the technology,
and all of that is subject to this currently outdated
certification process that takes too long, it's too burdensome,
and it's too hard.
Those rules are being updated right now by the Election
Assistance Commission, but we need to make sure they're updated
in a way that provides much more agility and flexibility. So,
you've got all of those pieces that need to come into
alignment. We're confident they will. We're confident we'll
have some pilot elections utilizing this technology no later
than 2020, but the sooner that it can be deployed to secure our
elections, the better.
Mrs. Demings. My understanding is that certain of the
breaches in the 2016 election, when they were going door to
door looking to see which windows were unlocked, and doors,
were not immediately detected. So, my question is, what signs
should election officials be trained to look for on election
day, to ensure that there are no undetected attacks? Either
of--
Ms. Plunkett. The first and most important is to have a
baseline of what normal looks like. Every election jurisdiction
needs to know what normal operations look like. So that they
can then have the appropriate monitoring in place, should there
be any abnormal activity, whether that be a flow of data that
looks unusual, a disruption of data that looks unusual, a login
from an unusual--someone who should not have access, from an
account that should not have access. So, knowing what normal
is and having that baseline, and then being able to monitor for
any abnormal activity is the most important.
Mrs. Demings. Thank you.
Ms. Boockvar. I would say, every level needs to be trained
in this. Starting from technology, right, the intrusion-
detection systems should be in every single county in the
country and every municipality that runs elections, I think
that is one of the most critical components for protecting our
elections from here forward. I'd love to see resources from the
Federal Government to make sure that happens, so that we don't
have voters in under-resourced counties with less security than
others.
Then poll workers, my first job in elections was as a poll
worker, making sure that we had the support and training for
the poll workers to be able to recognize, not only signs that
are problematic, like people not being in the voting rolls, but
knowing about provisional ballots. We haven't mentioned
provisional ballots yet once in this hearing. We actually have
a provision that allows when people are not in the voter rolls
to still vote. Sometimes poll workers don't remember to do
that, or don't know to do that.
So, they need to be adequately trained. Every voter can get
a provisional ballot, and then it can be checked later. So, if
that person is eligible, they should never, ever be turned
away.
Mrs. Demings. Thank you so much.
I yield back, Mr. Chair.
Chairman Nadler. The gentlelady yields back. There are 4
minutes and 20 seconds left on a vote on the floor. We have a
number of votes on the floor. The Committee will stand in
recess but will reconvene immediately upon cessation of the
votes on the floor. So, please, I ask the Members of the
committee, come back as soon as the last vote is cast. The
Committee stands in recess.
[Recess.]
Chairman Nadler. The Committee will come to order.
The gentlelady from Texas is recognized.
Ms. Garcia. Thank you, Mr. Chairman.
Thank you for the patience of our witnesses as they waited
for us while we registered our votes, and that's what we're
focusing on, aren't we, voting. So, thank you for being here.
Election security is all about voter confidence and
participation. The more confident voters are in the integrity
of our election systems, the more confident they will feel that
their vote has been counted and that their voice has been heard
and, of course, this directly impacts their future
participation.
I listened with great interest to some of your testimony,
and I've looked at your written testimony. I wanted to start
with you, Mr. Burt. Quickly, I don't need a--I heard you
explain the system that you have, and I just want to make sure
that anyone watching is clear. Is yours a software system or a
software system and machines and an auditing system too or all
the above, one of the above?
Mr. Burt. Ours is a software system that needs to be
incorporated into the voting system that is utilized by the
State or local voting officials, and it supports multiple
different forms of voting systems. So, you can have an
electronic ballot-marking device. You can start with hand
marked ballots that are then scanned. We support those, and
we're working to support others that are not as widely used.
But, it's basically software that needs to be incorporated by
vendors into the voting system itself.
Ms. Garcia. The verification that the user can--the voter
can go to online, that will simply just verify that they voted,
or can they print something at home through your software
system?
Mr. Burt. So, the system, when they vote, when they go to a
polling place and they vote, they get a piece of paper that has
the code. They can then enter the code in later and they will
see, they will get verification that their vote was counted.
They can't see their vote. This is really critically important.
They can't see who they voted for. They know who they voted
for, but what the system tells them is your vote was not
changed and your vote was counted. It's important that they not
be able to see their vote, because otherwise, they could be
coerced into voting in a certain way, you could sell your vote.
This is an important character--
Ms. Garcia. Anyone doing an audit would also not be able to
see how they voted?
Mr. Burt. That's correct. That's actually--
Ms. Garcia. So there really is no paper trail?
Mr. Burt. There is a paper trail in the sense that our
system supports the creation of a verified paper ballot. So,
you vote, that's encrypted, but you also get a paper ballot
that the voter can look at and say, yes, this is correct. You
deposit that in the ballot box. That can be used for risk-
limiting audits, even for hand counts, if necessary, although
it shouldn't be necessary.
Ms. Garcia. Well, I'm thinking of a lot of people in my
district that don't have a computer at home, don't have a
laptop, don't have a way of doing any of that. So, what are we
to do with, quite frankly, the usual targeted populations when
there are some of this misinformation hacking? It's usually
many times, minority voter precincts that get attacked. So,
what would we do then for the person who doesn't have access to
a computer or internet to be able to go through that process?
Mr. Burt. So, our system is based on polling place voting,
whether it's hand-marked ballots or using an electronic voting
machine. ElectionGuard supports going to the polling place
to vote. So, you don't need to have any technology in order to
vote--
Ms. Garcia. No, but to verify--
Mr. Burt. But to verify and--yes. So--
Ms. Garcia. I'm talking specifically about verifying that
you voted.
Mr. Burt. Correct.
Ms. Garcia. It's actually sort of happened to me once. I
voted and I thought I had done everything, and then they came
to the car to get me and said, I was a senator at the time,
they said, Senator, it didn't go through. I said, what do you
mean it didn't go through? So, I had to go back in and,
essentially, vote again. It made no sense to me that I had to
do that. I think that happens probably more often than not.
So, I'm just concerned about the populations who don't have
access to their computer to verify that, in fact, their vote
was counted.
Mr. Burt. Totally understandable. The good news is that you
can do the verification in our system with a smartphone. In
most populations, smartphones have penetrated much further than
laptops.
Ms. Garcia. Well, many in my district do not have
smartphones. They just have the one that you go to the flea
market or a store--what are they called? The click-it phones or
flip phones. They don't have a smartphone. Those are more
costly. They go in there--Cricket phones. They go there and get
1 month at a time. We're talking about people that are paycheck
to paycheck. They can't afford one like mine.
Mr. Burt. Yes. I understand, Congresswoman. The
verification does require some access to a system, whether it's
your neighbor's phone, your phone, go to the library and access
a computer, to get that personal verification. Now, keep in
mind, that's a new advance of the technology, but to do that
verification and see that your vote was counted, with our
system, you will need access to something, whether it's a
smartphone, a public computer, some device that lets you see,
yes, my vote, in fact, got counted.
Ms. Garcia. Well, thank you.
I've run out of time and I yield back. Thank you, Mr.
Chairman.
Chairman Nadler. The gentlelady yields back.
The gentlelady from Pennsylvania.
Ms. Scanlon. Thank you very much.
Ms. Boockvar, I wanted to thank you for your work in
removing barriers to voting in Pennsylvania for everyone who's
eligible to vote. In particular, I wanted to thank you for your
attention to modernization of Pennsylvania's voting system and
things such as, just 2 weeks ago, rolling out the ability to
request absentee ballots online. I know my three children, who
do not live in the district anymore, when they're at school,
appreciate that ability.
You've also paid a lot of attention to our young voters,
and I know particularly high school registration. Can you just
tell us a little bit about what you've done there?
Ms. Boockvar. Governor Wolf started a couple years ago the
Governor's Civic Engagement Award, and it's been a tremendous
success in Pennsylvania encouraging students in schools to
register eligible voters to vote. It's been terrific, both the
competition from school to school and from student to student,
but also their engagement in voting, which as we all know--
probably a lot of us started our civic engagement early, and it
really--research shows when you are engaged early, you probably
become life-long voters, and that's critical to our democracy.
Ms. Scanlon. Okay. Turning more to what's at hand here,
there's been discussion about needing to improve lines of
communication between Federal, State, and local agencies. Can
you explain a little bit about that?
Ms. Boockvar. Absolutely. So, one of the things that we've
been talking about a lot, and as we've developed these
conversations around election security, is the importance of
continuity of operations, or COOP planning. It's one of those
things that I think a lot of areas like emergency management
and law enforcement have been doing for a long time, but the
elections sphere, it's relatively new. One of the critical
components of effective COOP planning is to know who to call at
the moment you need to call them. Because the last thing you
want to do when an incident happens is figure out who the right
person is to call.
So, the more clarity we have about who at the Federal
Government is the call to make at incident X, Y, or Z, the
better it would be for the counties to not have to figure it
out at the moment. We're doing a lot of work with the counties
to develop those COOP plans, but we need that to come from the
Federal Government as well to make sure we have centralized
lines of contact.
Ms. Scanlon. Okay. If you have one piece of advice for
Congress as we debate the appropriate vehicles to legislate and
to fund this, what would that be?
Ms. Boockvar. I'd have to go back to our conversation about
diversifying the types of election security that's implemented
across the country. So, there's been a lot of attention to
voting systems, which is a very important thing, to transition
to paper records. As we discussed earlier, so many other
components of this process are at least as critical. So, we
need to allow funding to go to voter registration databases,
intrusion detection systems, making sure that we have layered
defenses to all our networks, phishing and security training
and multifactor authentication, and COOP planning. All those
things are equally important, and I'm most worried about
thinking that one solution is going to fix everything. We need
to give the States the ability to decide what their most
critical components are.
Ms. Scanlon. As I understand it, that involves both work
and helping establish best practices that the Federal
Government can help push out and then providing funding to
achieve those best practices?
Ms. Boockvar. Exactly.
Ms. Scanlon. Okay. Thank you.
I yield back.
Ms. Boockvar. Thank you.
Chairman Nadler. The gentlelady yields back.
The gentleman from Arizona.
Mr. Stanton. Thank you, Chairman, for hosting this
important hearing today. It's one of the most pressing issues
facing our Nation.
Thank you to the witnesses for not only appearing today and
sharing your expertise, but for taking such a leading role in
protecting the integrity and security of our elections at all
levels of government. It's much appreciated.
Our Nation came under attack in 2016. The special counsel
described Russia's efforts to interfere in our elections as,
quote, sweeping and systemic, unquote. They deceived Americans,
hacked into campaign email accounts, hacked into the very
systems and databases that conduct our elections at the State
level.
We know that these same kinds of attacks continue to this
very day. The Federal Bureau of Investigation Director
Christopher Wray, stated that, quote, ``this is not just an
election-cycle threat. It's pretty much a 365-day-a-year
threat,'' unquote. Despite that, this White House has done
nothing. It joins the Senate in sitting on its hands in the
fight to defend our democracy. It's a real travesty, and I hope
with this hearing and the legislative efforts, we can begin to
turn the tide.
Unfortunately, my home State of Arizona, its voter
registration database was one of Russia's targets. Their attack
wasn't successful, but it shows the heightened importance local
officials must place on election security.
Ms. Plunkett, you mentioned in your written testimony the
importance of the integrity of voter registration databases and
ePollbooks. When it comes to the use of ePollbooks for voter
registration rosters and ballot-on-demand printers, do you
agree that it is a best practice to use encrypted
communications in all circumstances when data is transmitted or
received?
Ms. Plunkett. Yes, I do.
Mr. Stanton. Can you think of a circumstance--is there ever
a circumstance where election officials should transmit or
receive data on these devices in a nonencrypted manner?
Ms. Plunkett. I cannot envision a circumstance such as
that.
Mr. Stanton. Thank you.
Ms. Plunkett, you also mentioned that the steps the Federal
Government and State governments must take will cost more than
$2 billion. Not all States are adequately investing in election
security. Some, including Arizona, are cutting election
security funds.
What type of outcomes and risks are States that don't take
this issue seriously exposing themselves to?
Ms. Plunkett. Well, they're exposing themselves to the
potential for their election outcomes to be corrupted, invalid,
not accepted, not trusted by the populace that they represent,
and ultimately, the impact of the perception could be much
worse than the reality, which would mean people would not come
out to vote.
Mr. Stanton. Thank you for that answer.
This is a question for all of the witnesses. Some elected
officials use USB devices to transfer data from one device to
another. Is it best practice to use those devices only a single
time to minimize the possibility of malware or to use those
devices repeatedly?
Ms. Boockvar. I would go with, yes, that it is certainly a
best practice. There are some circumstances where as long as
there's effective reformatting, that that might be effective,
but I think using new ones is always, I would say, the best
practice.
Mr. Stanton. Mr. Burt?
Mr. Burt. I would caution that USB devices are a known
vector for the transmission of malware which can be installed
at the time of their manufacture. So even using new USB devices
from anything other than a very highly trusted source, and
increasingly that would mean of American manufacture, if you
are using it in an election in the United States, is a
challenging thing to do.
You can try to scan that device, you can try to make sure
it doesn't have malware on it before it's ever used, but that
could be a very costly and time-consuming practice. So, the use
of USB devices is something that we would say you should be
very cautious about doing it even once because the malware may
be present on that device when you first use it.
Mr. Stanton. Thank you.
Ms. Plunkett, have any thoughts on that subject matter?
Ms. Plunkett. I would go so far as to say that, unless
there are no other alternatives, the use of thumb drives should
be prohibited.
Mr. Stanton. Thank you very much.
I yield back.
Chairman Nadler. The gentleman yields back.
The gentlelady from Pennsylvania.
Ms. Dean. Thank you, Mr. Chairman. Thank you for holding
this important hearing.
I want to associate myself, so as not to be repetitious,
with Representative Stanton's remarks of the gravity of the
situation, as well as Chairman.
Secretary Boockvar, as you said--and you're not alone in
saying this--nothing is more important than the security of our
elections. Nothing in this democracy is more important than
that. So, I am glad we're talking about these issues.
Secretary Boockvar, of course, I am delighted to see you
here from Pennsylvania. I thank you and Governor Wolf for your
service, particularly in the area of election security.
I'm thinking back to Mueller coming in and telling us and
telling the world that certainly we--our elections were
interfered with in 2016, and if I recall him correctly, he
said, and it's going on 24/7. That interference continues.
Can you describe some of our vulnerabilities as of 2016 and
maybe lay out some of the vulnerabilities that you still see?
Ms. Boockvar. So, I think the good news--and going back to
what we talked about earlier, is the good that arose from what
happened in the past is that we are--with the declaration of
being critical infrastructure, it's provided us with a lot more
resources. So, one of the things that I really think is
critically important across the country as well as in the State
are these collaborations that we've been talking about. So, I
think the lack of collaboration and intersection of resources
could be a vulnerability if it's ignored.
So, for example, we found in Pennsylvania, as we started to
have like tabletop exercises and really improve our
collaborations, a lot of times in the counties, the election
officials didn't even know the emergency management personnel.
That's crazy, right. So, in 2018, the primary was almost like a
real-life tabletop exercise. I don't know if you recall, but
there was a tornado that crossed the State literally on primary
day. So, we had to have--trees were down, polling places were
blocked, electricity went out. The intersection of the
emergency management, law enforcement, and elections was
critical--is critical.
So, one of the vulnerabilities is not feeding that well.
Again, it goes back to the COOP planning, too. Then I also want
to make sure that our counties have the resources they need to
have really advanced intrusion detection systems, effective
plan--training of phishing and security and all that, and every
advanced sensor and protection, layered defenses of their
network.
So, those are the areas that I would really focus on.
Supporting the local counties and municipalities would be one
of the areas I'd want to direct most attention.
Ms. Dean. The issue of certification, I guess, of the
equipment itself, what is the delay there? How could we
streamline that? Either you or any of the witnesses.
Mr. Burt. The issue there is that the standards that--the
guidelines that are promulgated by the Election Assistance
Commission are more than 10 years old. In fact, the most recent
modification of those guidelines, there's not a single election
system that's ever been certified under those most recent
guidelines, and they're 10 years old.
So, what the Election Assistance Commission is doing right
now, which is revising those guidelines, is critically
important, but they need to move quickly. They need to move
with expeditious activity, because this threat, as you pointed
out, Congresswoman, is 24/7. It's happening now. It's going to
happen through the 2020 election cycle.
So, we need the EAC to adopt new guidelines for
certification quickly. The current ones are--don't adequately
address security, and they take too long and they're too
burdensome. So, we need to streamline that process, make it
faster.
One of the really critical things for all State and local
election officials is we need to make it very easy to apply
security updates. That's a key defense to these adversaries
from every vendor, and so we need to be able to apply security
updates quickly, expeditiously, without so much bureaucracy so
that we can respond.
Ms. Dean. Thank you very much.
This will just be by way of sort of a rhetorical statement.
I was struck by something you wrote in your testimony,
Secretary Boockvar. You wrote that election security is a race
without a finish line, that our adversaries are continuously
advancing their technologies, and we must do more all the time.
So, we know that we can't see a finish line for this, and we
have to identify the threats.
I have to wonder what conversations all of you have had to
have with your own organizations based on foreign threats, but
now the news of this past week, domestic threat to our
election. It couldn't be a more grievous, grave time. None of
us is pleased with the news of the Ukraine conversation by the
President of the United States in an attempt to interfere in a
future election. So, I praise you all for your work. Help us do
better at our work to protect our elections.
I yield back.
Chairman Nadler. The gentlelady yields back.
This concludes today's hearing. We thank all our witnesses
for participating.
Without objection, all Members will have 5 legislative days
to submit additional written questions for the witnesses or
additional materials for the record.
With that, without objection, the hearing is adjourned.
[Whereupon, at 12:02 p.m., the Committee was adjourned.]
APPENDIX
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]