2019 Election Security Forum
0 Comments


>>Seemingly unlimited needs
including ever evolving growing activities associated with
securing elections. My goal is to conclude the meeting with a
better understanding of election officials’ needs and concerns as
well as suggestions for how industry leaders, federal
agencies, Congress, others can best support local efforts to
secure elections. Faith in our nation’s election systems is on
the line. Protecting that faith will take all of us working
together and today’s forum is that opportunity to do that and
to show our commitment to our nation’s voters. Thank you for
participating. I look forward to a robust conversation on the
issues. >>Thank you.
>>Thank you. Commissioner Hicks, do you have an opening
statement. >>I do. Thank you. Good
afternoon. I welcome our witnesses to this EAC security
election forum. I thank all of you in attendance and watching
online and those in our overflow room on this very interesting
topic. With next year’s presidential election less than
15 months away I am pleased to be joined by fellow EAC
commissioners for this essential timely discussion. As I travel
across the nation to visit election offices, give
presentations, attend conferences, election security
is often the center piece of those conversations. After the
2016 election, it was clear that our nation needed to look under
the hood of its election systems. Through the process we
identified a number of areas where we need to do better. A
lot of progress has been made including improvement of
communications between state and local election leaders and
federal partners who support their work. Today’s forum will
likely provide even more evidence of the progress we’ve
made, it’s also a chance for us to collectively identify
opportunities to further advancement and cooperation
including how we expand the market for election equipment
and better track supply chains. The challenges faced by election
officials today are often tied to aging voting equipment or
lack of resources. I saws we’ll hear some of that reflected in
today’s testimony as well and the reality that the EAC strives
to reflect day to day work including today’s forum and our
on going efforts. I am proud of the work we did last year after
Congress appropriated $380 million in much needed financial
support to the states and territories. EAC quickly and
responsibly got the vital resources out the door. Today we
continue to provide oversight and guidance of all the funds.
Our most recent conversation with those who received these
funds project that 85% of the money is likely to be spent by
the 2020 general election with at least 90% going to replacing
aging voting equipment or improving security and
resiliency. We know that more resources are always welcome and
my fellow commissioners and I have passed that along with our
interactions to members of Congress. Today’s forum is a
perfect opportunity for us to examine all the entities in the
rooms, lawmakers, federal agencies, election
manufacturers, and others can continually work together to
improve security and strengthen voter confidence. It is also a
chance for us to remember that our efforts must not undermine
access to the polls. As work to make elections more secure
continues, we must also safeguard the statutory right
that every eligible American can cast their vote independently
and privately regardless of ability. I look forward to
today’s forum and again thank our participants for being here
and being part of the work to help America vote in a way
that’s secure, accessible, and accurate.
>>Thank you commissioner Hicks. I would like to invite our
executive director Brian newby to make remarks on behalf of the
EAC staff. >>Thank you. We will have three
panels representing three flights of testimony that was
arranged as, first, secretaries of state and then EAC testing
and certification director Jerome L, Jared from Kentucky
and other stakeholders related to certification and software
changes including federal partners DHS, Microsoft. Third
represents many EAC registered voting equipment manufacturers
as well as test labs. Jeffrey hail has
been participating in another meeting and will be arriving
after the second panel begins. If he has difficulty getting
here in time, we will move him to the third panel. One final
comment though about today. When Microsoft Windows 7 was the
topic that started the discussion for the meeting and
we are pleased Microsoft is here today. Today’s meeting topic is
broader. Today you will talk about risk, a word that’s
central to security. But I wanted to acknowledge risk at a
different level today as well. All of you as commissioners have
discussed security and certification issues with
election officials, vendors, Congress, other stakeholders. By
pausing to discuss the items today in an open meeting to
engage in public dialogue where clear end result is not yet
known is a risk. I hope all will see and appreciate the
leadership role the commission is taking in this regard.
Similarly the election equipment vendors and Microsoft have taken
a risk to come here to talk openly about security issues the
election industry shares. I know you as well as the staff
appreciate their willingness to come in today and speaks
candidly at this forum on the issues. Beyond those speaking today and dominion
voting. Copies are available for the public in attendance and
will be posted on our website. This represents one of the
broadest public meetings on elections security held
certainly the largest at the EAC with 13 individuals appearing
today. I hand things back to the chair woman.
>>Thank you. Our first panel is right now just secretary. We
will start with you. Honorable Kyle A, Louisiana’s 44 44th
secretary of state. A resident of Baton Rouge he was elected on
September 8, 2018. He brings wealth of knowledge to the
office having served as interim secretary of state and first
assistant secretary of state for eight years prior. Currently he
is treasurer of national association of secretaries of
state and on the election infrastructure subsection
government coordinating council. Goals include securing new
voting equipment for the state, protecting security of sensitive
voting data and continuing high tech protections for the
election and commercial. Welcome.
>>Thank you, madam chair. Mr. Vice chair, commissioners, it’s
a pleasure to be here. It’s a pleasure to represent the great
state of Louisiana. It is so important to be here to discuss
the important issues to securing our future elections. In
November 2015, Microsoft announced they would no longer sell windows 7
computers. They announced end of support would be January 14,
2020. In December 2018, I informed the Governor of our
state that windows 7 operating systems conflict with the
state’s legacy election voting machines for early voting and
election day. I also provided information for resources that
would be necessary to move Louisiana forward in our
elections processes. In the summer and fall of this year, we
are switching out 250 windows 7 PCs in registrar voters offices with windows 10. Clerks of court
have already received windows 10 used for uploads to the state’s
election registration information network or ERIN
system. How did this affect Louisiana? This has been a
costly endeavor. Replacing all windows 7 computers used in
registrar voters and clerks of court offices with windows 10
virtual laptops over the past years has cost well over
$250,000. Currently, the state is leasing voting machines with
its current vendor until the request for proposal process is
completed and awarded to a vendor due to windows 7 end of
life issue. The machine requires use of windows 10. This endeavor
has cost us, just the leasing of the machines, in excess of $2
million. We have been diligent in keeping the virus definition
files updated for our systems. All laptops are scanned
regardless of whether or not they are connected to the
internet prior to each election. We have sent strict directives
to registrars, clerks, voting machine employees, secretary of
state election division staff stressing they are never to insert random memory
sticks into the laptops or charge their phones or any other
device. We also discussed this a great deal when training and our
support staff reminds entities regularly in person during the
test and seal process of voting equipment of how critical it is
to follow the strict correctives. In addition they
are instructed never to insert a memory stick issued by the
office into any other computer. All memory sticks are scanned
for viruses upon their return as a preventive measure. That means
any homework environments that are used by our local election
officers. All this has led to addition a the security
measures. I would like to say that additionally, the cost of
windows 10 desktops has been $670 per machine and that does
not include the cost to configure, test, deploy, train,
or maintain. All windows 7 equipment is air gapped meaning
none of the devices ever touch the internet connected. All are
updated with virus definitions or scanned for viruses before
every use. By the end of the year, all units will only be
used with password protected memory devices or iron keys. How
does software upgrades affect our office? Upgrades can be
mandated at inopportunity times and cause set backs preparing
for elections leaving us short on time to get everything
completed and tested. Installing upgrade and not properly testing
the upgrade would be detrimental to our system. Being methodical
and thorough and establishing infrastructure to control
deployment and adhere to a routine is critical. Testing and
various environments such as development testing, staging,
production with one week between each with production scheduled
around the electioncal end arrest or cycle can be and
usually is very time consuming. And not a corner that we can
afford to cut. Updates can — excuse
me. As an example, if an important patch comes out three
to four weeks before an election, it causes us to wait
to implement because we can’t interfere in the election
process that is already in motion. Updates can incur down
time and require extensive troubleshooting to identify and
resolve upgrading the software. For example, during this last
qualifying, due to a situation, a cyber incident in our state
not affecting our election system, but certainly of concern
because it affected local governing bodies, we had to
instill new PCs this very cycle. Those new PCs, once turned on,
because we weren’t able to have the time frame we normally have,
as I referred to earlier, began implementing new updates as soon
as they were turned on. This sucked the entire ability of
bandwidth for the local entity that had to use them and thus
affected the clerk of court’s office which then caused us
issues with qualifying. This is a graph. Microsoft sends patch
updates every second Tuesday of the month. Then we provide
through development and testing, do the updating and testing by
our I.T. division. We perform staging mimicking production pre
deployment. Then we deploy. How software upgrades affect our
office. We perform extensive inhouse testing on components
used in the field to test and write detailed instructions on
the usage of the new units. Upgrade can sometimes cause
issues that only occur in the parish due to their system being
slightly different from the secretary of state’s office. For
example, if we order a tell AB123, which doesn’t exist, all
parties needle AB123 to ensure uniformity. Nonuniformity
makes fixing issues more difficult. Certainly the EAC is
making it quicker and cheaper for vendors to certify upgrades.
Certifying components verses systems whether it’s election
results, publishing vote capture devices, vote tabulation, etc.
is helpful. Vendors are using same results format through
scanners or DRE so are able to certify using automated tests by
running standard series of result output through the
component and assuming a common input election results
publishing are able to make sure that the components output is
what is expected. Encouraging asymmetric encryption on data
transfers is more important and integrity and authenticity data
transfers could be paren. ourer and system, EMS, vice versa.
Integrity, confidentiality, authenticity are most important.
Asymmetric encryption offers us that, not symmetric encryption.
Implementing for future equipment purchases requires
devices to apply. Now we are requiring implementation of
future equipment for devices to apply security patches and firm
updates no less than 3 months after release from vendor or
manufacturer. We will be requiring any commercial off the
shelf equipment to remain within the mainstream support window of
the manufacturer and be upgraded and EAC certified for use within
one year of the release of updates by manufacturers. When
accommodating older technology in general, we require
additional layers. What I mean by additional layers is we are
buying password protected thumb drives to transfer data.
Requiring additional layers of protection that are costly and
time consuming and can lead to taking stronger measures when
reacting to threats. Reacting to threats is cutting off local
access to networks out of abundance of caution.
Implementing these addition a the layers can break things.
What I mean by breaking things is that after rush to deploy new
windows 10 all bandwidth which I referred to earlier was consumed
at one co-located site during qualifying with windows updates
we had to block temporarily. Vendors will state you can force
the updates but it will break EAC certification. This leaves
our offices vulnerable to anything that happens. EAC
certification in our opinion is the utmost importance. How are
mediation of potential vulnerabilities can be
addressed. I am closing out. This red light keeps blinking at
me. Reaching to users and educating on vulnerabilities we
face in today’s world is key. Stressing to them that while
additional security measures may be cumbersome, they are
absolutely necessary. The sooner this is understood and accepted
the easier it will be transition to new means of ensuring
elections and maintaining election of our system. Addition
a the security will become second nature and be accepted as
common business practices. State and for the most part local
election officials understand what is at stake and are
vigilant in efforts of securing our elections. It’s important to
note that we were doing election security before 2016. Unless you
have been an election official and actually have put on an
election, there is a huge air gap by federal officials elected
or appointed regarding reality of processes and procedures
verses magnitude of speculation going on in Washington DC.
Election security is not a partisan issue. What is partisan
is using election security to create fear among for partisan
policies which have absolutely nothing to do with election
security. >>Thank you.
>>Thank you. >>I would like to welcome
secretary Merrill. She was elected to third term at
Connecticut’s 73rd secretary of the state. As Connecticut chief
election official and business registrar she’s focused on
modernizing elections business services improving access to
public records. Since taking office she’s supported and
expanded Democratic participating ensuring that
rights and privileges are protected and every vote is
counted accurately. She’s worked to expand voter participation
through election day and online voter registration. A
series of rapid response processes to election day
problems. She was elected president of national
association of secretaries of state for 2016-17 term and
serves on board of advisors. Prior to her election as
secretary of state, Denise Merrill served as state
representative from the 54th general assembly district for 17
years. Thank you secretary Merrill and welcome.
>>Thank you. Apologies for my delay. My flight was delayed. I
don’t know why. They never told us. As you heard, I did have the
privilege of being president of NAS during the 2016 election.
Sometimes I just think I drew the short straw. It was quite an
experience. So as such I was very involved in the reactions
to what happened during the 2016 election and there after in
terms of setting up lots of different communication
structures and other structures to start to deal with the cyber
security risks that we just became aware of really during
that time that were aimed at the election systems in our country.
So I think all of my colleagues would agree that we have come a
long way since then in terms of setting up lots of communication
systems and other systems so that we can have a better
response if we do uncover some of these problems during
elections. And we have a much better understanding, I think,
of these threats. Many of us have availed ourselves of the
services of the department of homeland security over the last
couple years and Connecticut is no different. We have done that.
I think first I should paint you a picture of Connecticut because
it is quite different than what my colleague was describing in
Louisiana. First, Connecticut has the distinction of being the
only state that really basically has no counties. What we have is
an election situation where we have 169 mostly very small towns and very independent minded,
really administrators of the elections. My office acts as an
advisory body. We do however of course house the voter registry.
We had one of the earliest voter registries and have used the
same vendor now for almost 20 years which started PCC and has
been acquired by other companies in the interim. Most of what we
have done has been through that company, that vendor. The voter
registration system has had many upgrades over the years but it
is housed and managed by the state I.T. department. I have
almost no I.T. staff of my own and the security is all managed
really out of our state I.T. department. Naturally we
collaborate with them. As my colleague said many of us have
been doing security on voter registry which in my state is
one of the biggest we keep for many years. We do of course
avail of ourselves of things DHS had to offer and I was told that
most of it was redundant to things we were doing. I guess
different products do different things. Essentially we were one
of the 21 states that were told they had seen probes in our
system. None of them got in, and I am not going to be as
technical in my presentation. I am kind of giving an overview of
what we have done rather than getting into the nitty gritty.
But I would say that the most important thing that happened
last year was the release of the $380 million. I would like to
tell you a little bit about what we have done with it. Bearing in
mind, we have taken a very conservative view of technology
in Connecticut. Though we had one of the original voter
registries and do now have an election management system as do
many states. We have not adopted E poll books. We do have an
organization which is very, very valuable in our state called ewe
con voting system. I think we may be unique in the country of
having services of the computer science department based, part
of the computer science department, for lack of a better
word, it’s a division I guess. They test equipment. They
evaluate equipment. They evaluate systems. And they of
course are completely nonpartisan, objective. They’re
not vendors. They’re not selling anything. That has been a very
big help to us. Also every election they test all the
computer chips in our tab lay torrs. We have been using the
same ones since they were purchased many years ago.
They’ve served us very well. We have paper ballots. We have a
fairly strong audit process after the election though I
would like to see us do more with an audit process. I think
right now people’s trust is the most important thing we are
dealing with here. I think the strong Aaron audit process we
can have, the better off we will all be. It’s I think the next
thing I would like to do in Connecticut, to strengthen our
audit. We do have one. We audit 5% of the precincts and three
offices in each precinct after the election. We used to do 10%.
But it’s really a machine audit. It’s proven to be 99.9 persac
rat. In other words, it’s working. The cards are tested
before and after by the UCONN center. Election officials mail
them to the voting center, check them to be sure they’re proper
and mail them back. We do nothing online. That’s why when
we did get dollars from the state actually to purchase
electronic poll books, because at the time it seemed like a
good idea. This was five years ago. It’s much more efficient,
much more accurate. There is no doubt about any of that. When
they evaluated three different versions of electronic poll
books, they came back and advised us not to purchase them.
Because they did not think they were secure. I think the reasons
that they offered at the time — it rather surprised me to be
honest. A lot of states are using them. They said their
question was about recovery. What happens if they crash? I
think we’re on the verge of having a solution to that. But
the more important question they had was, you know, yes, it’s
true we are going to order people not to connect them to
the internet. But they’re capable of being connected. Even
that was enough to have questions in their mind at the
time. We’re still looking at it. But that’s what I am saying. We
are taking a very conservative approach. With our election
management system which is quite sophisticated, has lots of bells
and whistles, it has the capability of uploading results
from the tab lay torrs if you put them on a memory stick and
have some other software that you need to make that happen.
But we do require them to type in the results. We do not feel
comfortable with having that information uploaded, even from
a memory stick. Like I said, conservative approach.
That has its share of problems too. Many election officials
come in once a week. Some don’t have many computers. There are
towns that have no computers in the town hall deliberately. I
have had many a fight with several mayors about this issue.
Some towns are as small as 2000 in the town and maybe 800
voters. It’s a challenge. We have cities also. That’s the
challenge we face. We have taken our $5 million which was our
allotment from the 380 million and spent a good deal on
something called a virtual desktop. I am
not a techy here but I understand it does two things.
It solves the problem of the Microsoft 7. We don’t really
know what towns are, what operating systems they’re using
in their towns. We gave them Microsoft 7. I am sure at the
time we installed all the equipment with the original
system. However apparently if you use this virtual desktop,
which essentially allows us to log into every desktop on the
system and to help see what’s going on, because we spend a
great deal of time on the phone with people who can’t log in,
who don’t know how to do whatever function it is they’re
looking for. This would allow us to override their systems and as
I understand it, it will use a Microsoft 10 operating system so
that that will, as I understand it, you know, make it not
necessary for us to go with buying all new operating systems
for every town. We’ve also had to spend some of our money on
used tab lay torrs. The ones we have now are coming to the end
of their useful life. They were purchased almost two decades
ago. That’s ancient history in computer talk. We are looking at
purchasing with as I recall about $500,000 or maybe almost
$1 million of the money we will I can to purchase used tab lay
torrs. We have no funds for buying an entirely new system.
There is just no way. I haven’t priced it out. I am planning to
have a committee put together that will look at what we are
calling the future of voting. We don’t know where it’s going.
That’s always the case with any kind of computerized system. I
would say my biggest ask of this organization is to hustle up
with the certification standards. We are going to be in
a position where we are going to have to replace our current
system within the next few years. We have been very
satisfied with their — the usage of these. We have gotten
used to them. We have paper ballots. People mark them
themselves. I think there is trust in our election processes
because we do use the best practices. I can see there will
be a big need for us to have a lot of information from a source
that understands this and knows where the field is going . The $5 million has been
incredible. Connecticut is unique. We don’t just have
clerks or county clerks managing elections. In each of the 169
towns, with he have two registrars of voters voters. One
from each party. Then you have a town clerk who does absentee
ballots and that sort of thing. It’s a very de centralized
system, we like to say, but there is lots of training
involved. These are not folks familiar with technology
necessarily. Some are. Some aren’t. I think our biggest
challenge is really training, making sure people change
passwords, know what a phishing E-mail is. It’s very basic
really. Thank you very much for having this hearing and let us
talk about what we are doing. I feel like we’re in a pretty good
place. >>Thank you secretary Merrill.
We appreciate it. >>I would like to open for
questions from commissioners. I will start with you secretary
Merrill. Given the city towns jurisdiction schema in your
state, are you comfortable with the level of visibility and
control your office has over the state’s security as it pertains
to voting system, equipment, software.
>>When it comes to voting systemming registry, yes. The
state is spending its resources doing the security and it’s
housed in our I.T. department, state I.T. department. It’s
called do it. [Laughter] >>We won’t go there. I think
they do a very good job of it. The system itself is getting on
in years. We have made significant upgrades. Again, I
think in the next few years we are going to look at another
upgrade. It is difficult to manage. I have made proposals to
state legislature to have a little more centralization,
bring back sort of a county level of government, but to know
avail. I think we are going to be where we are. It works
remarkably well for some purposes. For example, I can’t
imagine trying to hack mid election tabulators. It is
unimaginable really. Yes, I am comfortable at the moment. I can
see two or three years from now, maybe not.
>>Thank you. You mentioned a cyber incident that you were
dealing with in Louisiana that obviously caused great concern
and you are changing your computers from windows 7 to
windows 10. Do you have the tools and resources necessary to
combat such incidents? What have you learned from this incident
you are discussing? >>I learned from the incident
that you are only prepared when something happens. Basically you
don’t know exactly what to expect until you are in the
situation. I was very pleased with how my staff reacted and
the steps that we were able to take. I think it is because of
the unique situation of Louisiana being a top down
system. We immediately quarantined our system. What we
knew was with some having windows 7 and very few having
windows 10, we knew there were vulnerabilities there. Also
because of everything that we have been doing, we kept a
strict inventory if you will of which parishes had windows 7
units and how many. Those were the ones we immediately banned
from the system permanently from the moment the incident was
brought to our attention. The incident affected some local
governing bodies but never touched the election system.
Knowing there were some who interact with parish governing
authorities, we felt the need to shut down that system. We
decided to take money that had been allocated from self
generated revenues within our agency and not purchase censors for clerk
of court office which we had intended to do and used those
funds to buy the windows 10 units. Given that we felt that
was a more secure opportunity and need in our system moving
forward. That’s basically what we did. We were able to move
fast, quarantined the system immediately because we were able
to shut off local access. Our next step was we knew which
parishes had been hit and we unquarantined the other parishes
and kept those quarantined until we knew through cyber security
commission that we were able to bring them back up. And we did
it one parish at a time. But if another parish was hit, then we
took them offline and continued that quarantine process. It was
very successful. I am very pleased and thankful for my
staff reacting very quickly. It takes that type of incident for
you to realize how quickly things can happen within your state. I immediately
with what information I could contacted the president of NAS
and asked for a conference call with other secretaries in order
to inform them because we were told this could be a much larger
than one state attack. The importance here is that
information is key for elections officials. If we don’t get
information, we can’t protect our system. The timeliness of
the information is absolute. For us to be able to make sure our
systems are secure, we’ve got to get that information as quickly
as possible, whether it’s a local or state partner or a
federal partner. Sometimes we just don’t get it.
>>Thank you. I don’t want to monopolize time but I have a
question for both of you. You can give me a quick shout if you
can. How do you field updates? Talking about Microsoft 7 and
updates to systems in the hearing. When you are running
several elections a year, how do you work that into your schedule? Elections start with primaries as well.
>>The best we can. As I stated in my presentation, the monthly
Tuesday updates when they come in, the problem for us is, and I
would imagine for any election official, is once we start the
clocker for election preparation, there is no
stopping it. The time lines are so detailed. We have a
deadline to meet. We can’t avoid those deadlines. So even if a
patch comes through, we may have to delay the implementation of a
patch. I said earlier it affected us having to adjust
with regard to this incident. It affected our ability to do qualifying online because
of the patches being automatically updated. It’s a very delicate operation.
It’s very concerning to us. I think that’s something EAC needs
to delve more into in order to make sure that our voices are being heard .
>>Again, we are unique. We do not have any form of early
voting. We just have the one election day.>>We have very little control
over their local systems. This virtual desktop hopefully will
override that problem. We won’t be able to do a pilot. This year
is our municipal election. We’ll be able to pilot this year but
it hopefully will be in place for 2020. Up until now, we do
patch our own system and that’s the basic voter registry.
Everything else is really at the local level.
>>Thank you, secretary Merrill. Vice chair, do you have
questions? >>Thank you.
>>Thank you all for being here. I appreciate your testimony. Secretary, you
were talking about the process. Obviously it’s extensive, not
just taking out your phone and hitting update. One of the
things that that really sends home to me is is the cost
associated with this. People in labor in addition to equipment.
One of the questions we get asked a lot by Congress is about
the $380 million that secretary Merrill mentioned. Do you all
see — would it be useful if there was obviously federalism
and this gets split up, if there were a consistent modest federal
funding stream that was specifically towards security
upgrades, maintaining equipment, maybe implementing programs like
Illinois cyber navigator program where you have state based
election technology, I.T. experts, that assist counties,
parishes, towns with fewer resources, do you think that’s
something that would be helpful and needed?
>>Of course. Resources are always helpful and necessary. I
would say that what we have been doing in Louisiana is we set
aside our 5.8 million funds strictly for the new voting
technology, to purchase new equipment. What we have been
doing is absorbing in our regular budgets all the cyber
security needs that we have, which is growing exponentially
each and every year. What we would hope for is if the federal
government does make additional resources necessary that there
be no strings attached. Each state is different. I think just
the two of us sitting here, we have explained how different our
states are. The cultures are different. The voters have
different expectations. We all have the same expectations which
is a secure environment for our elections and every vote is
accurately counted. Everybody gets to participate who wishes to participate. I would
say this. The federal government providing additional resources
would be helpful. But the federal government also needs to
communicate to states that they have an absolute responsibility.
I am no different than my colleague here who are
constantly asking for additional resources to fend off cyber
security issues, to update equipment, and to do what’s
necessary to secure our elections and offer our people
the right to vote. In addition to that, we are taking on, in
Louisiana, we have a strong responsibility. We have all the
I.T. operations for elections in my agency. We do that for the
locals as well. We provide obviously as I have said
equipment to the locals. That takes a lot of money. All
partners, parish, local, state, federal need to cooperate and
work together on this funding issue for resources for securing
elections. Let’s face it, we are all in one large ship and that’s
the ship of America. If we aren’t working together to
secure our elections and fund our elections appropriately,
then what are we here for? >>Secretary Merrill, would you
like to add? >>Yes. I would concur with
that, just recognizing states have very different capacities
for funding their elections. Connecticut, for quite a while,
we funded most of what we have done through bond funds which is
perfectly appropriate because it is equipment and infrastructure
for the state. But not every state can do that. Right now,
Connecticut isn’t too willing to do that at the moment. We are in
a budget crisis that’s been going on for four or five years
now. I think there is certainly a role and that would be helpful
in my state, I know, because the reason we have not gone forward
with providing more local equipment, you know, upgrading
their operating systems and so forth is because we don’t have
money for that. Traditionally it’s been funded by the towns
and the state. I agree with my colleague that the states have a
responsibility here too. Like I said, they have different
capacities for doing things. I think it is imperative that this
country and the states and the local governments and all of us,
as you say, work together to do this. This is one of the
fundamental operations of government. You are not going to
privatize elections. So it’s time we put some dollars behind
what’s happening. I think this is a really recent development.
You know, it was only in 2016 that we realized there were all
these cyber threats and so forth. We have reacted, I think,
pretty well in the short term with what we can do. But in my
state for example, it’s much more efficient I suppose to
control security for these big databases from a central level.
I respect that. Actually it makes a lot of sense as long as
I have someone in my office who can work with the person. I
think we ought to take the same attitude overall that we work on
it together, that we are able to articulate what our needs are
around the questions and that you provide some sort of
framework for that for the funding. I do think some funding
needs to come from the federal level.
>>Thank you. I want to be sensitive to our time. So I will
hold off other questions until after my colleagues go.
>>Thank you. Vice chair, commissioner palmar, do you have
questions? >>Just a few. What I hear I
think from both of you is the priority as your chief election
election official in your state is you need to upgrade your
voting systems and voter registration systems and these
are fundamentals of the process. That is where most of the money
could really help your states. Is that a true statement?
>>True statement. >>We have our job do which is
to try to set new voting system standards, get those out so
manufacturers can start designing equipment to those
standards. I think that’s all I have.
>>A comment with regards to that, the new standards. My
state is about to embark on an RFP process. We will be dealing
with standards set in 2015. Much of that blame is to the federal
government for not having a functional EAC with a full
commission. I am thankful that we now have a full commission
and you are working very hard. But we are now behind times
because of that. And 2016 snuck up on us quickly and we reacted
as quick as we could with the resources that we had. The fact
is I am going to have to go a little bit further as I stated
earlier in what the requirements that we will have to work under
that aren’t necessarily even issued by you all yet. That’s
very concerning to me not to mention all the various
legislation rolling around Congress that could require
this, that, or the other. >>I have one follow up
question. As Congress looks at different grant funding
potential or otherwise, one of the things we hear is — I am
fairly comfortable in my observations having worked at
the state level, the executive branch, Governor, or I.T. at the
state level has a lot of the protections as secretary Merrill
talked about. Do you think it’s possible you have experience
with HAV grants that the money could be used in a way to help
localities upgrade their local I.T. systems to be more
resilient inwarding off some of the attacks? DO
>>I would YOU say that’s THINK exactly IT’S what POSSIBLEI am
doing with the money that I got, the $5 million. THAT By THOSE
instituting MONIES COULD BE USED IN the A WAY virtual TO desktop
HELP we LOCALITIES UPGRADE THEIR essentially LOCAL have given
I.T. them SYSTEM TO more BE capacity. MORE Maybe RESILIENT
that’s ANDa direction WARD OFF that SOME others OF could
follow. THESE We ATTACKS? >>haven’t tested it out yet so
I don’t I know WOULD how SAY THAT’S EXACTLY WHAT I’M DOING.it
will work out. Rather than purchasing 169 towns worth of
new equipment, it might be better to work with what they
have as long as it’s the virtual desktop that takes care of the
security part. MAYBE THAT’S A DIRECTION OTHERS
COULD FOLLOW. WE HAVEN’T TESTED IT SO I DON’T KNOW HOW IT’S
GOING TO WORK OUT. RATHER THAN PERCHING 169 POUNDS WORTH OF NEW EQUIPMENT
THEY MIGHT WANT TO WORK WITH WHAT THEY HAVE AS LONG AS THIS
VIRTUAL DESKTOP TAKES CARE OF SECURITY FOR THEM. AND THEN THE
TRAINING IS ALL LOCAL CAPACITY BUILDING.
YES, YOU’RE RIGHT. ACTUALLY, MY BIGGEST FEAR IS VULNERABILITY
LOCALLY. THAT IS EXACTLY WHAT WE ARE WORKING ON.
>>THAT WAS EXACTLY MY FEAR. IT ALMOST CAME TO FRUITION. BY THE
GRACE OF GOD IT DID NOT. WE ARE TAKING THOSE STEPS. WE WERE ABLE
TO RETAIN OUR ELECTION I.T. AND NOT GO TO A CONSOLIDATED SYSTEM ALONG
WITH THE REST OF THE STATE AGENCIES. WE WERE ABLE TO
CONTROL OUR OWN DESTINY AND WORKED WITH LOCAL ELECTION
OFFICIALS TO SECURE OUR ENVIRONMENT AND CONTINUE TO
SECURE OUR ENVIRONMENT AND TRAIN THEM ON OUR ENVIRONMENT. BEING
ABLE TO SEE IT FROM A LARGER PICTURE, 30,000 FEET, IF YOU
WILL, THAT WAS THE RIGHT THING TO DO. THEY ARE LOOKING FOR NEWER WAYS
TO SECURE OUR SYSTEM. IT GIVES US THE ABILITY TO QUICKLY REACT
VERSUS HAVING TO GO TO THE STATE AND ASK FOR PERMISSION. I’M NOT
SAYING IT’S NOT WORKING FOR OTHERS, IT IS AN IMPORTANT
COMPONENT FOR US. >>MR. HICKS, DO YOU HAVE A
QUESTION? >>YES. I’M GOING TO HAVE SOME
COMMENTS AND I HOPE I CAN PUT SOME COMMENTS IN THERE AS WELL.
>>I WANTED TO SAY, I WAS SADDENED TO HEAR THAT EDDIE
REEVES RETIRED. I HAVE NOT WORKED WITH HER REPLACEMENT. SHE WAS VERY
IMPORTANT AND I THINK SHE’S DONE A GREAT JOB FOR YOUR STATE. I WANTED TO ASK A LITTLE BIT
ABOUT THE OVERALL TRAINING. I KNOW THAT A SECRETARY OF STATE AND OTHER ELECTION OFFICIALS,
YOU HAVE MORE THAN ONE JOB. IT’S NOT JUST TO RUN ELECTIONS THERE
ARE OTHER ASPECTS AS WELL. ARE THERE OTHER PORTIONS OF YOUR JOB
, SAFETY DID TAX COLLECTION OR OTHER ASPECTS, YOU HAVE TO HAVE
UPDATES DONE? HOW WERE THOSE INCORPORATED?GO ABSOLUTELY. I HAVE THE OTHER LARGE DATABASE
IN THE STATE WHICH IS THE BUSINESS REGISTRY. WE ARE
CONSTANTLY UPDATING THAT. IT HELPS THAT WE USE THE SAME
VENDOR FOR BOTH SYSTEM. THAT IS RIGHT. IT IS NOT AS CRITICAL.
YOU DON’T HAVE JUST ONE DAY. I COMPARE AN ELECTION TO GIVING A
WEDDING. YOU HAVE ONE DAY. EVERYTHING HAS TO GO RIGHT.
UNLIKE THE BUSINESS REGISTRY WHERE THERE ARE CONSTANT
DEADLINES FOR THIS AND THAT. WE DON’T HAVE THE SAME ISSUES IN
THAT SENSE.>>ALSO, I AM RESPONSIBLE FOR THE
COMMERCIAL REGISTRY IN LOUISIANA AND IT IS THE SAME THING. WE DO
USE THE SAME VENDOR AS WELL. WE ACTUALLY HAVE THE SAME VENDOR I
BELIEVE. >>IT IS A CONSTANT CONCERN
BECAUSE THAT SYSTEM ALSO IS CONSTANTLY SCANNED AND PROBED
AND BUSINESS IDENTITY THEFT IS A GROWING PHENOMENON. WE ARE
PROTECTING BUSINESSES AS MUCH AS WE ARE PROTECTING THE ELECTIONS.
AS THE SECRETARY SAID, THAT IS AN ONGOING PROCESS. ELECTION DAY
IS CRITICAL. ELECTION, WE HAVE EARLY VOTING, SEVEN DAYS IN
LOUISIANA. THAT IS CRITICAL AS WELL. VOTERS HAVE TO CHECK IN.
THAT IS USING OUR SYSTEM ON A DAILY BASIS. THERE IS CONCERN.
WE DON’T HAVE ELECTRONIC POLL BOOKS AND GIVEN THE SITUATION
WHERE WE ARE, I WILL NEVER ASK FOR THEM. IT — YOU HAVE TO BE LOOKING FOR
THINGS THAT YOU DIDN’T NECESSARILY HAVE TO LOOK FOR
BEFORE. AS WE SAID, CYBER SECURITY IS NOT AN END TO GAME,
THERE IS NO FINISH LINE. >>THAT REMINDS ME OF SOMETHING
YOU SAID EARLIER ABOUT HAVING PLANS OF FOR YOUR PLANS. IT
REMINDED ME OF A FORMER HEAVYWEIGHT CHAMPION MIKE TYSON . HE SAID EVERYONE HAS A PLAN
UNTIL THEY GET PUNCHED IN THE MOUTH. THEN WE ALL HAVE OUR
PLANS READY BUT I THINK THERE’S GOING TO BE A LOT OF SWINGS AT
US. I DON’T THINK WE WILL GET HIT HARD BUT THERE WILL BE A LOT
OF ATTEMPTS FOR FOLKS TO HIT US. I THINK STATES ARE DOING A GOOD
JOB OF PLANNING FOR THAT. I WOULD PUT THE PLUG-IN THAT THE
EAC DOES HAVE I.T. TRAINING FOR ELECTION OFFICIALS AND I
PARTICIPATE IN A COUPLE OF THOSE AND OUR DIRECTOR OF TESTING HAS BEEN GOING OUT TO STATES. IF
THERE IS AN OPPORTUNITY TO TAKE ADVANTAGE OF TRAINING,
DEFINITELY DO THAT. I HAVE BEEN TO BOTH OF YOUR STATES. YOU HAVE
BOTH DONE A GREAT JOB WITH THE ELECTION PROCESS. THE LAST THING
I WOULD ASK IS A LITTLE BIT MORE, OTHER THAN MONEY, WHAT CAN
THE FEDERAL GOVERNMENT DO FOR YOU? I KNOW NO STRINGS ATTACHED.
>>WE WON’T SAY THAT AGAIN. >>IT IS MORE, WHAT SORT OF
THINGS CAN WE HELP YOU WITH MOVING FORWARD IN 2020 AND 2022?
>>CAN YOU CONVINCE MICROSOFT NOT TO CHARGE
US? THAT WOULD BE A GOOD START. THAT’S PRETTY EXPENSIVE. ARE
PART WAS $300 PER UNIT. THAT’S FOR A THREE-YEAR PERIOD. THAT
CAN BE QUITE COSTLY IF WE ARE UNABLE TO REPLACE ALL
THOSE UNITS. I’M TELLING LOCALS, WHATEVER YOUR PARENTS JUST
BOUGHT FOR YOU, PUT IT ASIDE. IT IS NOT WORTH THE THREAT. THEY DON’T HAVE THE MONEY
BECAUSE THEY JUST BOUGHT THE NEW EQUIPMENT. THEY DIDN’T BUY THE
10 .
>>HUSTLE UP WITH THOSE CERTIFICATION STANDARDS. THAT IS
THE SHORT ANSWER. ALSO, JUST THINKING OUT LOUD ALMOST I CAN
HEAR A DIVISION. THE MAINTENANCE COST ON ALL
THESE SYSTEMS IS AN ONGOING AND LARGE COST. MAYBE THAT IS WHERE
THE STATE SHOULD BE. THAT’S NOT SOMETHING WE CAN EXPECT FROM THE
FEDERAL GOVERNMENT. INFRASTRUCTURE COST COULD BE
WHERE WE COULD USE THAT. THAT WOULD BE MY SHORT ANSWER. CERTIFICATION STANDARDS. PEOPLE
ARE BUYING THINGS RIGHT NOW AND THEY NEED HELP.
>>THANK YOU. >>I WANT TO EXTEND MY THANKS FOR YOU BEING
HERE. WE WILL TAKE ALL THIS AND AS WE CONTINUE FORWARD LOOKING
AT THESE ISSUES. THANK YOU VERY MUCH.
>>THANK YOU FOR HAVING US. >>THE SCALLOP PANEL 2, PLEASE.
>>I WANT TO THANK YOU FOR BEING
HERE FOR THIS FORM. THIS IS IMPORTANT
INFORMATION FOR US TO LEARN FROM YOU. WE NEED TO KNOW THE ISSUES
THAT ARE CRITICAL AT THIS TIME. I LET THE
SECRETARIES GO A LITTLE BIT ON TIME. I WANTED TO LET YOU KNOW
THAT THE CLOCK IS SET FOR FIVE MINUTES AND IT FLASHES YELLOW AT
ONE MINUTE AND THE RAIN AND THEN THE RED LIGHT COMES ON WHEN YOUR
TIME IS UP. LET ME INTRODUCE THE PANEL. TO MY RIGHT IS OUR
DIRECTOR OF TESTING. THIS IS JEROME. HE PUBLISHED A WHITE PAPER TO
PROVIDE FOUNDATIONS FOR ELECTED OFFICIALS ONE HOW AUDITS WORK
AND WHAT TO CONSIDER BEFORE CONDUCTING PILOTS. HE WORKED AS A BUILDING
SPECIALIST AT THE SECRETARY OF STATE’S OFFICE FOR 10 YEARS
WHERE HE WAS A LEAD . NEXT TO HIM IS JARED DARING
THE STATE ELECTION DIRECTOR FOR KENTUCKY. HE HAS WORKED IN CAMPAIGNS FOR
OVER 10 YEARS. HE HAS WORKED IN THE PUBLIC AND PRIVATE SECTOR AT
THE LOCAL AND STATE LEVEL INCLUDING FOR THE CITY OF
LOUISVILLE AND OFFICE OF CALIFORNIA GOVERNOR, JERRY
BROWN. HE HAS TECH STARTUPS IN THE BAY AREA IN BOSTON. HE IS A
GRADUATE OF THE UNIVERSITY OF CALIFORNIA BERKELEY. NEXT IS
JENNY , THE DIRECTOR OF STRATEGIC
PROJECTS FOR DEFENDING DEMOCRACY. HER WORK FOCUSES ON
THE THREAT OF NATIONSTATE AT TAX THIS TEAMS EFFORTS INCLUDE
INCREASING SECURITY OF CAMPAIGNS AND ELECTIONS AND ADDRESSING THE
ISSUE OF INFORMATION HER WORK PREVIOUS TO THIS ROLE
WAS ENGAGEMENT WITH POLITICAL ORGANIZATIONS AND THEIR USE OF
DATA ANALYTICS AND EMERGING TECHNOLOGIES. JENNY WAS THE VICE
PRESIDENT FOR POLITICAL ACCOUNTS THAT SEE MDI WHERE SHE WORKED
CLOSELY WITH CUSTOMERS. SHE HAS 15 YEARS OF EXPERIENCE IN
POLITICAL TECHNOLOGY AND HAS BEEN RECOGNIZED AS A RISING STAR
AND HAS RECEIVED THE AMERICAN ASSOCIATION OF POLITICAL ASSOCIATIONS 40 UNDER 40 AWARD.
THEN WE HAVE MATTHEW SCHOLL THE CHIEF OF SECURITY DIVISION AND
THE INFORMATION TECHNOLOGY LABORATORY .’S RESPONSIBILITIES AND INCLUDE
CRYPTOGRAPHIC STANDARDS USED BY THE GOVERNMENT AND CYBER SECURITY STANDARDS FOR
FEDERAL AGENCIES SECURITY PROGRAMS. HE LEADS PARTICIPATION
WITH NATIONAL AND INTERNATIONAL STANDARDS DEVELOPMENT
ORGANIZATIONS AND PERFORMANCE TESTING PROGRAMS. HE
IS AN ARMY VETERAN AND HAS OVER 20 YEARS OF FEDERAL SERVICE.
>>FINALLY, WE HAVE JEFFREY HALE THE DIRECTOR OF ELECTION
SECURITY AT DHS AND THE INFRASTRUCTURE SECURITY AGENCY.
HE HAS SUPPORTED HIS PREDECESSOR AND BEGAN THIS IN RESPONSE TO CYBER SECURITY IN
2016. HE HAS BEEN INSTRUMENTAL TO COLLABORATION WITH DHS. THANK
YOU ALL FOR BEING HERE. I WILL START WITH YOU, JEROME, THEN WE
WILL GO DOWN THE LINE. >>I’M SORRY. I DON’T KNOW HOW TO
OPERATE A MICROPHONE. >>GOOD AFTERNOON. THANK YOU FOR HOSTING TODAY’S
FORM AND FOR TAKING THE LEAD ON ADDRESSING SOFTWARE SECURITY SYSTEMS. I
WANT TO ACKNOWLEDGE AND THANK PANELISTS FOR PARTICIPATING IN
THIS DISCUSSION. I GREATLY APPRECIATE YOUR INPUT AND LOOK
FORWARD TO HEARING YOUR THOUGHTS. I HAVE BEEN HEAVILY
INVOLVED IN THIS PROCESS FOR OVER 12 YEARS AND HAVE INSTALLED
VOTING SYSTEM SOFTWARE ON THOUSANDS OF
DEVICES. I WOULD LIKE TO HIGHLIGHT THAT ONCE THIS IS
CERTIFIED THAT SYSTEM IS CERTIFIED TO REQUIREMENTS AND IT IS IN THAT MOMENT IN TIME.
THE CERTIFICATION PROGRAM MANUAL PROVIDES GUIDANCE ON CHANGES TO
VOTING SYSTEMS THAT I CAN TALK ABOUT MORE IN DETAIL IF IT IS
ALLOWABLE. I WOULD LIKE TO MORE HEAR FROM PANELISTS THAT I’M
GLAD TO ANSWER ANY QUESTIONS THAT YOU MAY HAVE. I WANT TO LAY
THE GROUNDWORK BECAUSE WE DO HAVE LIMITED TIME AND HAS SOME
OF YOU KNOW I CAN TALK ABOUT THIS STUFF FOR A LONG TIME. I
WILL REFRAIN AND ALLOW OTHERS TO HAVE THE OPPORTUNITY TO EXPRESS
THEIR THOUGHTS ON THIS MATTER. >>THANK YOU.
>>THANK YOU. MY NAME IS JERRY DEARING I AM
THE REPRESENTATIVE FOR THE NATIONAL ASSOCIATION OF STATE
ELECTION DIRECTORS. PRIOR TO MY CURRENT POSITION I HAVE WORKED
IN THE PUBLIC AND PRIVATE SECTOR WITH PUBLIC POLICY AND
DEVELOPMENT. I’M GLAD WE’RE HAVING THIS CONVERSATION. I WISH
IT COULD HAVE TAKEN PLACE A LITTLE BIT SOONER. MICROSOFT
ANNOUNCED IT WAS ENDING SUPPORT FOR WINDOWS 7 SEVERAL YEARS AGO.
THIS IS NOT HER FIRST TIME TO EXPERIENCE THIS AS A COMMUNITY.
SINCE THE HELP AMERICA VOTE ACT THE ADMINISTRATION HAS GROWN
RELIANT ON TECHNOLOGY. EVERY STATE WAS TO REPLACE PUNCH CARD MACHINES AND THERE WAS THE
VOLUNTARY VOTING SYSTEM GUIDELINES AND THE TESTING
CERTIFICATION PROGRAMS. THE MOVE AWAY FROM THESE MACHINES MOVED
ACTIVE VOTING TO MODERN TECHNOLOGY. THE MOVE TO ANY
TECHNOLOGY REQUIRES ONGOING MAINTENANCE. IT IS IN A
CONSTANT STATE OF ITERATION. OPERATING SYSTEMS, FIRMWARE AND
SOFTWARE REQUIRE UPDATES TO MAINTAIN FUNCTIONALITY AND
SECURITY. THE MSI SENT OUT 81 UPDATE ADVISORIES IN 2019 ALONE
FROM VENDORS . ANYONE WHO HAS TRIED TO USE A
LAPTOP OR CELL PHONE KNOWS THAT KEEPING TECHNOLOGY CRITICAL AND
PATCHED IS CRITICAL. THE STATE AND LOCAL OFFICIALS NEED VOTING
EQUIPMENT TO LAST AS LONG AS POSSIBLE. WHEN WE INVEST IN NEW
TECHNOLOGY WE DO SO KNOWING THAT WE MAY NOT HAVE FUNDING TO DO THAT AGAIN FOR 10
TO 15 YEARS AND SOMETIMES MAYBE LONGER. THIS IS KEPT UNDER TIGHT
PHYSICAL SECURITY. THEY WORK HARD TO KEEP MACHINES PATCHED.
WITH MOST THINGS OUR ABILITY VARIES STATE-BY-STATE. VOTING
SYSTEMS ARE MAINTAINED AT THE COUNTY LEVEL.
COUNTY OFFICIALS MUST UPDATE AND PASS PATCH AFTER MODIFICATIONS ARE APPROVED BY
THE STATE. COUNTY OFFICES AND OFFICIALS, LIKE MANY AROUND THE
COUNTRY ARE RESOURCE DEFICIENT. WE CAN’T COMPEL EQUIPMENT
UPDATED . WE CAN ENCOURAGE IT BUT NOT
REQUIRE IT. MANY LOCAL JURISDICTIONS MUST MAKE VOTING
MACHINES PATCHED. THAT CAN COME WITH A PRICE TAG. EVERY DOLLAR COUNTS.
UNFORTUNATELY THAT MEANS THAT PATCHES ARE NOT MADE WHEN THEY
SHOULD BE , OFTENTIMES. THERE ARE
CHALLENGES WITH THE NATIONAL CERTIFICATION PROGRAM. DIFFERENT
STATES HAVE DIFFERENT NEEDS AND LAWS AND STRUCTURES.
CONSTRUCTION NATIONWIDE REPRESENTS A MOMENT IN TIME.
THERE IS AN OPERATING SYSTEM ESSENTIALLY A TIME CAPSULE OF
WHEN THE SYSTEM WAS DEVELOPED. WE ALL KNOW THAT IT IS NOT HOW
TECHNOLOGY WORKS RATHER THAT’S NOT HOW IT WORKS. THAT IS
NOT HOW BAD ACTORS WORK EITHER. WE NEED TO BALANCE THE NEED FOR
CERTIFICATION WITH THE EVIDENT SECURITY NEEDS OF OFFICIALS ON
THE GROUND FOR TIME AND RESOURCES OF ESSENCE MATTER.
LAST MONTH I TALKED TO CONGRESS, THE AC, THE CYBER SECURITY
INFRASTRUCTURE SECURITY AGENCY AND VENDOR COMMUNITY AND
TECHNOLOGISTS AS WELL. THERE ARE A LOT OF ENGINEERS WHO WANT TO
USE THEIR SKILLS FOR GOOD TO MAKE ELECTIONS MORE SECURE. WE
NEED TO DEVELOP A PROCESS BY ETHICAL HACKERS CAN COMMUNICATE VULNERABILITIES. ELECTION
OFFICIALS ALSO NEED TO BE ABLE TO RESPOND QUICKLY TO HAVE FIXES
BEFORE THOSE ARE EXPOSED. IS NOT ENOUGH TO FIND AND REPORT BUGS
THERE MUST BE A WAY FOR ADMINISTRATORS TO DIGEST AND
REMEDIATE ISSUES AFTER NOTIFICATION. BEYOND THE HACKER
COMMUNITY SOME VECTORS HAVE ALREADY HAD A CRITICAL
EVALUATION OF THEIR SYSTEMS TO TAKE ADVANTAGE OF THE EXPERTISE
OUR FEDERAL GOVERNMENT CAN OFFER. THE ASSESSMENT CONDUCTED
IS A MORE IN DEPTH THAN THE SECURITY TESTING PREFERRED BY
THE TEST LABS. AS PART OF THE CERTIFICATION PROCESS. THERE IS
NOT A PROCEDURE IN PLACE TO INCORPORATE THESE RESULTS INTO
THE VOTING CERTIFICATION PROCESS THE SECURITY TESTING MUST ALSO BE
DONE. THIS IS TIME-CONSUMING AND EXPENSIVE FOR MANAGERS TRYING TO
MAKE SYSTEMS MORE SECURE. THERE MUST BE A PROCESS TO CERTIFY
MODIFICATIONS MADE BY THE VOTING SYSTEM VENDORS TO BE ADDRESSED
FOR POTENTIAL VULNERABILITIES.
CERTIFICATION NEEDS TO BE A STAMP OF APPROVAL TELLING US OUR
TECHNOLOGY IS SECURED NOT THE OBSTACLE TO MORE SECURE SYSTEMS.
HER CURRENT SYSTEM OF CERTIFICATION DOES NOT ENCOURAGE
SYSTEM UPGRADING AND PATCHING. AS A COMMUNITY WE MUST COME
TOGETHER TO ADAPT QUICKLY AND CREATE A CERTIFICATION
PROGRAM ACCOMMODATING THE SECURITY ENVIRONMENT WE ARE NOW
IN. THERE ARE A LOT OF INTELLIGENT INDIVIDUALS WORKING
ON THIS INCLUDING HERE. WE NEED TO CONTINUE TO WORK TOGETHER TO
DEVELOP A DEFICIENT PROCESS TO DRIVE THESE MODIFICATIONS
PATCHES AND UPGRADES. THANK YOU AGAIN FOR THE OPPORTUNITY TO
SPEAK TO YOU TODAY AND I LOOK FORWARD TO YOUR QUESTIONS.
>>THANK YOU. >>THANK YOU.
>>THANK YOU FOR THIS OPPORTUNITY TO JOIN YOU TODAY TO
DISCUSS SECURING ELECTIONS. I AM THE DIRECTOR OF STRATEGIC
PROJECTS FOR DEFENDING DEMOCRACY. THIS COMES FROM THE COMPANIES
BELIEVE THAT BUILDING AND MAINTAINING SYSTEMS
IS A TASK THAT CANNOT BE ACCOMPLISHED BY ONE ORGANIZATION
ALONE. IT TAKES PARTICIPATION FROM ALL OF US. WE MUST COME TOGETHER AND DRIVE
SOLUTIONS. LAST YEAR MICROSOFT FORMED THIS PROGRAM WHICH WORKS
WITH GOVERNMENT AND NONGOVERNMENTAL STAKEHOLDERS TO
TACKLE ISSUES AROUND ELECTION SECURITY AND THIS INFORMATION. ELECTION SECURITY AND
CERTIFICATION REFORM HAS BEEN GIVEN CONSIDERATION. ONE THING I WANT TO NOTE IS THAT
MANY OF YOU ARE FAMILIAR WITH THE ADVOCATE FOR THE NDN. WE ANNOUNCE THE CREATION OF
ELECTION GUARD AND OPEN SOURCE SOFTWARE ALLOWING VENDORS TO
BUILD FUNCTIONALITY INTO SYSTEMS. WE
HAVE BEEN WORKING WITH ELECTION VENDORS TO IDENTIFY HOW THIS
MIGHT ENTERED AND ACT WITH THEIR SYSTEMS. ONE INTERSECTION THAT HAS GAINED ATTENTION AND
HAS BEEN DISCUSSED IS THE ISSUE OF WINDOWS SEVEN END OF LIFE. I
THINK WE HAVE ALREADY GONE OVER THIS A LOT, SEVERAL YEARS AGO THE COMPANY ANNOUNCED THE
WINDOWS TEAM WOULD END ONGOING SUPPORT. WE ARE COMMITTED TO
HELPING CUSTOMERS REMAIN SECURE AS THEY MODERNIZE SYSTEMS AND
MOVE TO WINDOWS 10. SOME CUSTOMERS WILL NEED MORE TIME.
WE WILL OFFER EXTENDED SECURITY UPDATES FOR SOME. DETAILS ARE
BEING WORKED OUT AND WE WILL HAVE MORE
INFORMATION TO SHARE IN THE COMING WEEKS ABOUT HOW THESE
UPDATES WILL BE MADE AVAILABLE TO WHAT THESE WILL COST. MICROSOFT WILL DO
WHAT IT TAKES TO ENSURE CUSTOMERS HAVE SECURITY UPDATES
THAT ARE UP STRAIGHT AND AFFORDABLE. WE ARE DEDICATED TO
DOING OUR PART. I ALSO WANT TO HIGHLIGHT A RELATED ISSUE
BROUGHT UP THIS AFTERNOON. PROTECTING ELECTION SYSTEMS IS
EXTREMELY IMPORTANT. THAT’S WHY WE SHOULD BE FOCUSING ON HOW TO
REMOVE DISINCENTIVES CREATED BY
REQUIRING RECERTIFICATION AFTER PATCHING OR UPDATING THE SYSTEM.
IN OUR PERCEPTION THERE IS A LACK OF CLARITY ABOUT IF AND HOW
A SECURITY UPDATE COULD BE APPLIED WITHOUT TRIGGERING RECERTIFICATION. WE SHOULD STOP
GIVING ADMINISTRATORS THE CHOICE OF USING SYSTEMS WITH KNOWN
VULNERABILITIES OR APPLYING SECURITY PATCHES AND TAKING
THEIR SYSTEMS OUT OF CERTIFICATION. I LOOK FORWARD TO
DISCUSSING THIS AND OTHER ISSUES THIS AFTERNOON AND WELCOME YOUR
QUESTIONS. >>THANK YOU.
>>MR. SCHOLL? >>WELCOME.
>>THANK YOU. >>THANK YOU FOR HAVING ME. MY
NAME IS MATTHEW SCHOLL. I LEAVE THE COMPUTER SECURITY
DIVISION WITH IN THE INDIVIDUAL TECHNOLOGY LAB. ONE OF THE
THINGS THAT WE PROVIDE IS A SET OF TOOLS, REFERENCES AND
INFORMATION TO ASSIST ORGANIZATIONS, STATE AND LOCAL AS WELL AS U.S. INDUSTRY IN
SECURING TECHNOLOGY AND INFRASTRUCTURE. IN THESE TOOLSETS WE HAVE A
SERIES OF DOCUMENT TERRY GUIDANCE TO ASSIST ORGANIZATIONS
IN ESTABLISHING AN EFFECTIVE PATCH MANAGEMENT PROGRAM. THIS
ALLOWS ORGANIZATIONS TO MAKE CRITICAL DECISIONS ABOUT
SETTING UP A PROGRAM AND MAKING THE CRITICAL BUSINESS DECISIONS
ABOUT PRIORITIZATION, TIMING AND APPLICATION OF PATCHES AND
UPDATES TO IMPORTANT SYSTEMS THAT THEY USED TO MEET THEIR OWN
OBJECTIVES. WE HAVE GUIDANCE ON CONFIGURATION MANAGEMENT AS WELL
AND IMPLEMENTING AND MAINTAINING SECURITY CONFIGURATIONS FOR ENDPOINTS AND BACKEND
MACHINES. NOT JUST DOCUMENTATION OR GUIDANCE, ALSO TOOLS FOR THE
AUTOMATED IMPLEMENTATION FOR SECURITY CONFIGURATION AND
ALLOWING TOOLSETS TO IDENTIFY ITEMS, ENDPOINTS, OPERATING
SYSTEM THAT ARE IN SPEC AND SECURE AND IF NOT OTHER TOOLSETS TO
REMEDIATE AND FORCE SECURITY REGULATIONS. THERE ARE
REFERENCES FOR ORGANIZATIONS TO IDENTIFY IF THEY ARE VULNERABLE.
ONE REFERENCES THE NATIONAL VULNERABILITY DATABASE WHERE
NIST CATEGORIZES EVERY KNOWN PUBLICLY DECLARED TECHNOLOGY AND PUBLISHES IT. WE
ALSO HAVE THE SEVERITY METRICS FOR ORGANIZATIONS TO USE TO
PROVIDE AS CENTRAL METRICS FOR THEM TO DECIDE HOW TO PRIORITIZE
PATCHES AND WHETHER OR NOT A PATCH IS CRITICAL TO THEM AND
THE INFORMATION TECHNOLOGY THAT THEY USE. I WOULD LIKE TO ECHO
SOME THINGS THAT WERE SAID BY PRIOR SPEAKERS AS WELL. THIS HAS
WON SEVERAL CYBER SECURITY PRODUCTS. IT IS
IMPORTANT FOR CERTIFICATION PROGRAM TO CLEARLY COMMUNICATE
WHERE THE CERTIFICATION BALANCES LIKE BETWEEN UPGRADED AND PATCH
OF VERSES MAINTAINING THE CERTIFICATION TO A VERSION
NUMBER. OFTEN WE GIVE ORGANIZATIONS A BUSINESS REST
RATHER THAN AN INFORMATION TECHNOLOGY OR CYBER SECURITY
RISK IN DECISION MAINTAINING A CERTIFICATION VERSUS PATCHING.
CLEAR AND CONCISE COMMUNICATION IS ESSENTIAL IN
THIS DYNAMIC ENVIRONMENT. PEOPLE NEED TO MAKE GOOD RISK DECISIONS TO MAINTAIN
THE SECURITY OF THEIR PRODUCTS. THANK YOU FOR HAVING ME HERE AND
I LOOK FORWARD TO ANSWERING ANY QUESTIONS YOU MAY HAVE.
>>THANK YOU.>>>MR. HILL. WELCOME.
>>GOOD AFTERNOON. I WANT TO THANK YOU FOR THE OPPORTUNITY TO
SPEAK TODAY ON ELECTION SECURITY AND I THANK YOU FOR CONSIDERING
ME AS A ROLE ON THIS COMMITTEE. I SERVE IN THE CYBER SECURITY
AGENCY. WE ENSURE STAKEHOLDERS HAVE THE INFORMATION TO MANAGE RISK TO THEIR SYSTEMS.
WITHIN OUR CHARGE WE OVERSEE SPECIFIC AGENCIES AND PROVIDE
TECHNICAL ASSISTANCE, CONTRIBUTE TO NATIONAL SECURITY APPARATUS
AND SUPPORT THE ELECTORATE TOWARD THE OBJECTIVE OF
ADVANCING ELECTION SECURITY OUR SUPPORT COMES AT NO COST TO OUR PARTNERS. WHAT WE
HAVE SEEN IS THE NEED TO DO FUNDAMENTALS. UNDERSTANDING THE
DIFFERENT IMPACTS OF INTEGRITY AVAILABILITY ON THEIR SYSTEMS
AND ENSURING SYSTEMS ARE AUDITABLE AND ABLE TO DETECT AND
RECOVER FROM EXPLOITS. THERE ARE SERVICES HIT ON THE CYBER
SECURITY PROGRAM PROMOTING EMAIL SECURITY PRACTICES, PROTECTING ONLINE PRESENCE,
SECURING IMPORTANT INFORMATION AND DEVELOPING INCIDENT RESPONSE
PLANS. WE HAVE BEEN THRILLED BY THE ENGAGEMENT OF THE ELECTION
COMMUNITY WITH ALL 50 STATES AND SEVERAL MAJOR VENDORS
PARTICIPATING IN SOME CAPACITY. THIS HEARING IS TIMELY. THE END-OF-LIFE FOR WINDOWS 7 IS
CONSISTENT WITH THE FINDINGS WE HAVE FOUND. TWO OF THE MOST
COMMON VULNERABILITIES ARE INSECURE PATCH MANAGES AND
TERMINATING SECURITY SYSTEMS. IMPROVING VULNERABILITY
MANAGEMENT CAN REDUCE ONE RISK. FOR THE OTHER, IT CANNOT SOLVE A
TECHNOLOGY DEFICIT. GRANT FUNDS CAN BE USED. THE EAC SHOULD BE
COMMENDED FOR HOW RAPIDLY THAT WAS FUNDED. IT IS WORTH NOTING THAT
ALTHOUGH WE PUT A LARGE PORTION OF OUR EFFORTS ON SECURITY
PRACTICE OF DATABASES WHERE WE SEE A HIGH
LIST OF AVAILABILITY THAT IS NOT TO TAKE ANYTHING AWAY FROM
SECURING VOTING SYSTEMS. WE HAVE OPEN VULNERABILITY. THIS IS
CRITICAL EVALUATION. WITH SEVERAL HAVING COMPLETED
THE EVALUATION AND STILL MORE KEYED UP TO DO SO. THESE
EVALUATIONS WILL ENUMERATE VULNERABILITIES ON VOTING
SYSTEMS, ELECTION MANAGEMENT SYSTEMS AND OTHER COMPONENTS . AS THIS MATURES THERE CAN BE A
COMPLEMENTARY RELATIONSHIP BETWEEN OUR ASSESSMENT AND
COMPLIANCE TESTING. AS YOU MOVE TOWARD THIS WE SEE AN
OPPORTUNITY TO WORK WITH YOU TO HELP WITH THE PROCESS. NOW MORE
THAN EVER THE EYES OF THE SECURITY WORLD IS ON THE ELECTIONS. IT
BRINGS SECURITY EXPERTISE. FOR ELECTION OFFICIALS TO BENEFIT , I BELIEVE THEY WILL LOOK TO
THE EAC. BECAUSE OF THIS LEADERSHIP ROLE AND SERVING AS
AN HONEST BROKER, WE ARE IN A POSITION TO PROVIDE ADDITIONAL
VALUE TO THE ELECTION COMMUNITY THROUGH IMPROVING COORDINATION AND MANAGEMENT. ANY
COORDINATED VULNERABILITY PROGRAM WILL BE AS EFFECTIVE AS
THE TESTING AND CERTIFICATION PROCESS ENABLES. WE WORK WITH
THESE CHALLENGES ACROSS SEVERAL SECTORS. WE IDENTIFY
VULNERABILITIES AND WE HAVE A MANAGEMENT PROGRAM WHERE
RESEARCHERS TURNED TO US FOR ASSISTANCE FOR FORECLOSURE. WE LOOK TO YOU
FOR HOW WE CAN INTEGRATE INFORMATION WITH YOUR POLICIES
AND PROCESSES ALLOWING ADAPTABILITY INCLUDING THE
ABILITY TO PROVIDE UP GRADES AND PATCHING IN A TIMELY
FASHION. WE VALUE OUR PARTNERSHIP AND WE LOOK FORWARD
TO BRING CORRESPONDING EXPERTISE TOGETHER NOW AND IN THE YEARS TO COME.
THANK YOU. >>THANK YOU.
>>THE PROGRAM YOU WERE DISCUSSING, IS THAT THE IDAHO
LABS PROGRAM? >>YES. WE ARE WORKING OUT OF THE IDAHO
NATIONAL LABS CRITICAL PRODUCT EVALUATION.
>>I THOUGHT THERE WERE ONLY A COUPLE OF VENDORS. YOU HAVE HAD
MORE VENDORS SIGNED UP TO HAVE PENETRATION TESTING?
>>OPEN-ENDED VULNERABILITY TESTING YES THERE HAS BEEN AN
INCREASED INTEREST. >>HOW ARE THOSE GOING? ARE YOU
DISCOVERING VULNERABILITIES THAT ARE ACTUAL?
>>YES. >>I KNOW YOU CAN’T SHARE THEM
WITH US. >>I THINK THE VENDORS WOULD BE
BEST POSITION TO SPEAK TO THEIR EXPERIENCE. WE HAVE GOTTEN
POSITIVE FEEDBACK AND THERE IS DISCUSSION ABOUT HARDWARE AND
SOFTWARE VALIDATION AND HOW PERFORMANCE CAN BE HOT SWAPPED . OBVIOUSLY THIS RESULTS IN A
LEVEL OF INFORMATION THAT WE GET TO WORK WITH THE VENDOR
FOLLOWING THE ASSESSMENT ON MITIGATION OPPORTUNITIES.
>>THANK YOU. >>MR. SHOW YOU DESCRIBED
INFORMATION THAT NIST HAS FOUR VULNERABILITIES. DO YOU HAVE
SOME SORT OF RESOURCE TO HELP STATES AND LOCALITIES WITH DATA
RECOVERY AFTER A COMPROMISE? THAT IS VERY IMPORTANT IN THE
ELECTION WORLD WITH HIS ESSAY, VOTER REGISTRATION.
>>WOULD YOU HAVE GUIDANCE AND RECOVERY OBLIGATIONS AND
PROTECTION AGAINST MALWARE AND SOME GUIDANCE AT THE SPECIFIC TO
RANSOMWARE AND PROTECTIONS AGAINST RANSOMWARE AND RECOVERY
FROM SOME OF THOSE SPECIFIC THREAT MODELS. THE SERVICES WE
HAVE FOR THAT WOULD BE THE DOCUMENT TERRY GUIDANCE AND THE
RECOMMENDATIONS WE HAVE FOR SETTING UP THOSE TYPES OF
PROGRAMS.>>OBVIOUSLY WE HOPE IT DOESN’T
GET THAT FAR WE TAKE PREVENTATIVE MEASURES FIRST I WANTED TO KNOW ABOUT DATA
RECOVERY. >>ABSOLUTELY. THAT IS A KEY
CAPACITY NEEDED TO RECOVER FROM SOMETHING LIKE THIS.
>>OKAY. YOU PROVIDED US WITH THE SECURITY UPDATE SEVERITY
RATING SYSTEM, IS A SHEET THAT I GUESS YOU CATEGORIZE THESE
DIFFERENT VULNERABILITIES AS CRITICAL AND MAYBE LESS SO.
MAYBE YOU DON’T KNOW THIS. HOW OFTEN DO YOU CATEGORIZE AN UPDATE OR SECURITY
PATCH AS CRITICAL? WE HEARD THAT THERE ARE HOW MANY, OVER 1000
SECURITY UPDATES . OBVIOUSLY THEY ARE AT
DIFFERENT LEVELS. HOW OFTEN ARE WE LOOKING AT CRITICAL?
>>THAT THE GREAT QUESTION. I AM HAPPY TO GET THE
ANSWER TO THAT. YOU DO CORRECT WE DO CATEGORIZE AND EMPHASIZE
THOSE THAT ARE MOST CRITICAL. >>HE KNOWS.
>>SECURITY VULNERABILITY IS SCORED THROUGH AN OPEN STANDARD
CALL A COMMON VULNERABILITY . IT’S CALLED THE CDS S.
GENERALLY IT IS A SCORING SYSTEM THAT RANKS ONE TO 10 WITH
SEVERAL UNDERLYING CRITERIA OF MAKING UP THE UNDERLYING SCORE.
THAT SCORE, ONE IS LOW-END 10 IS CRITICAL AND THERE ARE GRADIENTS IN
BETWEEN THAT IS USED TO APPLY TO HOW IMPORTANT A PATCH MIGHT BE
WITH REFERENCE TO A VULNERABILITY. AT THE COMMON
SCORING SYSTEM USED BY ALL VENDORS NOT JUST MICROSOFT>>THIS IS THE SEVERITY METRIC I
HAD MENTIONED EARLIER THAT NIST USES.
>>THERE IS ALSO A SEPARATE INDEX,
RIGHT ON EXPLOIT ABILITY? >>YES. AS PART OF THAT SCORE
IT’S LIKE THE LIKELIHOOD AND SEVERITY AND THE TYPE OF ATTACK IT MIGHT BE FOCUSED
ON, CONFIDENTIALITY, IN AVAILABILITY, THE EXPLOIT
ABILITY MEASURES LOOK AT THINGS LIKE IS IT REMOTELY EXPLOITABLE,
MUST IT BE DONE LOCALLY. THE LEVEL OF EXPERTISE THAT MIGHT BE
NEEDED. THERE ARE SEVERAL THINGS WHEN THEY LOOK AT CREATING THAT
SPORT SCORE TO MAKE A DECISION ON HOW
CRITICAL THAT IS. >>OKAY. WINDOWS 7 WAS THE TOPIC
THAT BEGAN THIS CONVERSATION. HOW IS THE COMMUNICATION GOING
BETWEEN THE ELECTION VENDOR COMMUNITY AND MICROSOFT AS FAR
AS FIGURING OUT WHAT NEEDS TO BE DONE TO GO FORWARD AND ADDRESS
THAT ISSUE. >>IT HAS BEEN POSITIVE. WE HAVE BEEN WORKING WITH THE
VENDOR AND IT IS SOMETHING THEY WERE LOOKING TO RESOLVE AND
TRYING TO UNDERSTAND WHAT ROLE MICROSOFT COULD PLAY.
IT HAS BEEN A POSITIVE WORKING RELATIONSHIP. THEY GAVE US THE
OPPORTUNITY TO TAKE TIME TO THINK HOW WE MIGHT ELECT TO
ADDRESS THIS SITUATION. THE COMMUNICATION AND THE
WORKING WITH THE VENDOR COMMUNITY HAVE BEEN VERY GOOD.
>>THANK YOU. THAT IS GOOD TO HERE.
>>WE HOPE THAT ISSUE IS FIXED THE BEST IT CAN. WE KNOW THIS IS
PROBABLY A RESOURCE ISSUE FOR MANY. IT IS IMPORTANT FOR US TO
KNOW. >>MR. DARREN, YOU WERE TALKING
ABOUT THE FACT THAT MOST OF THE PATCHING AND UPDATING IS DONE
LOCALLY. WHAT IS YOUR ASSESSMENT OF THE TECHNICAL EXPERTISE AND
COMPETENCIES OF LOCAL OFFICIALS WHO ARE RESPONSIBLE FOR THESE
SECURITY UPGRADES AND PATCHES? >>I WOULD SAY IT IS LIKE THE
GENERAL PUBLIC. IT VARIES DRASTICALLY. WHAT I DEFINITIVELY
CAN SAY AS A STATE DIRECTOR WORKING
CLOSELY WITH LOCAL ADMINISTRATORS IS THAT THEY CARE
VERY DEEPLY ABOUT ELECTIONS. IT IS THERE ONE PART OF A JOB THAT
THEY HAVE THAT IS WIDESPREAD WHETHER THEY’RE DOING MARRIAGE
LICENSE, REGISTRATIONS FOR VEHICLES AND BOATS, OFTENTIMES
ELECTIONS IS THE THING THAT MOST OF THESE INDIVIDUALS CARE DEEPLY
ABOUT. THEY ARE OFTENTIMES NOT DEALING
DIRECTLY WITH ELECTIONS BUT THEY ARE STILL CALLING US. THEY STILL
HAVE TECHNICAL NEEDS THAT NEED TO BE FILLED. AT THE LOCAL
LEVEL, IT IS WHERE WE ARE MOST SEVERELY IN NEED OF RESOURCES.
THEY ARE , NOT THE INDIVIDUALS
THEMSELVES, BUT THE COMMUNITIES ARE THE WEAKEST LINK WITHIN THE
STRUCTURE. THEY ARE DRASTICALLY UNDER
RESOURCED. MANY COUNTIES IN MY STATE IF YOU WERE TO SHOW UP IN
THE TOWN AT 6 PM, McDONALD’S IS THE BUSIEST PLACE IN TOWN . THAT’S NOT BECAUSE PEOPLE ARE
EATING THERE, PEOPLE ARE USING FREE WI-FI. THIS ISSUE CAN BE
MAGNIFIED. I HAVE 120 COUNTY CLERK SAID DEPUTIES AND OTHER
STATES, ELDERS DO A DIFFERENT . SO IF WE ARE FEELING OUR LOCAL
ADMINISTRATORS, WE ARE NOT DOING OUR JOBS AND PART OF THAT MUST
BE RESOURCE ALLOCATION. I SAY THAT SPECIFICALLY BECAUSE I HAVE
CLERKS THAT MIGHT HAVE ONE OR TWO STAFF MEMBERS. THEY ARE NOT
DIGITALLY NATIVE. THESE ARE INDIVIDUALS WORKING ON ANALOG
SYSTEMS FOR THEIR WHOLE CAREER AND WE ARE ASKING THEM NOW TO
PARTICIPATE IN NATIONAL SECURITY. WE ARE TALKING ABOUT
LOCAL COMMUNITIES HAVING TROUBLE FUNDING ROADS AND WATER BILLS AT
THE HOSPITAL AND NOW WE WANT THEM TO TAKE PART IN DEFENSE
AGAINST FOREIGN AND STATE ACTORS. THE CLIFF BEFORE US IS
THAT WE ARE FAILING TO FUND THEM APPROPRIATELY FOR CRITICAL
INFRASTRUCTURE. PART OF THAT , TO ANSWER YOUR QUESTION, SOME
COUNTIES HAVE AMAZING I.T. STAFF BECAUSE THEY ARE LARGE AND CAN
BE FUNDED BECAUSE THEY MIGHT BE A LARGE CITY. A LOT OF THE
COUNTIES ARE INCREDIBLY UNDER RESOURCED. THAT MEANS THEY DON’T
HAVE I.T. STAFF. WHILE WE PROVIDE AS MANY SERVICES AS WE
POSSIBLY CAN TO THEM, I AM ALSO STAFF STRAPPED. I WAS TALKING TO
SOMEONE A COUPLE OF DAYS AGO . IF YOU HAD MONEY COME YOUR
WAY, WHAT WOULD YOU DO WITH IT? THE CYBER NAVIGATOR PLAN WOULD
BE ONE THING THAT I WOULD DO. HAVING TRAINED I.T.
STAFF THAT UNDERSTAND THE CLERK’S NEEDS AND SECURITY HAD
TO BE ABLE TO BUILD RELATIONSHIPS THAT ARE TRUSTED . IF THEY SHOW UP TO BE ABLE TO
HELP THEM WITH THEIR I.T. NEEDS TO SECURE SYSTEMS AND TEACH
BACCHUS PRACTICES IS AN IDEAL SITUATION. IT IS A LONG WAY TO
SAY WE NEED MORE. >>AT EVERY LEVEL OF GOVERNMENT.
>>YES MA’AM. >>OKAY. WE WERE TALKING ABOUT
PATCHES. IF THERE IS A PATCH AND IT IS SAID TO BE THE MINIMUS WHO
TESTS FOR THAT. ? THIS IS WHERE IT GETS A LITTLE
MORE COMPLICATED. IF OUR PHONE OR COMPUTER HAS A
PATCH WE CAN CONNECT TO THE INTERNET AND UPDATE WORKING ON A
NETWORK. WHEN IT COMES TO A PATCH FOR VOTING SYSTEM, IT
MAY APPEAR TO SOME TO BE THE MINIMUS WE HAVE TO LOOK AT VENDOR
SOFTWARE APPLICATIONS AND HOW THEY INTERACT WITH OPERATING
SYSTEMS. ONE PATCH WE MIGHT SAY WE ARE JUST AT DRESSING ONE
VULNERABILITY BUT THEY MAY HAVE SOME SOFTWARE APPLICATION MEANING THE SOFTWARE THAT TABULATES THE
VOTES, FOR INSTANCE, THAT SAYS IF YOU DO THAT THEN THIS WILL
MESS UP THIS PART OF IT. SO THEN IT GETS WAY DEEPER THAN THIS . BY OUR PROGRAM MANUAL, IT
WOULD GO INTO MODIFICATION AND BE CONSIDERED. IT’S A 1.0
SYSTEM. IT WOULD GO TO 1.1. THAT WOULD BE IN MODIFICATION THAT
WOULD REQUIRE MORE TESTING FROM THE VOTING SYSTEM TEST LAB.
IDEAS HAVE FLOATED AROUND IN THE COMMUNITY ABOUT — ONE IDEA I
HEARD WAS VOTING SYSTEM MANUFACTURERS SHOULD SELF
CERTIFIED. THAT WOULD NEED MORE DISCUSSION AROUND WHAT THAT
LOOKS LIKE . FOR INSTANCE, FOR ME, ON MY
END, HOW DO WE TRUST THAT? I AM MORE SKEPTICAL ABOUT THINGS JUST
IN GENERAL. THE IDEA OF HAVING A SYSTEM MANUFACTURERS SAY WERE GOING TO
SELF CERTIFIED DOESN’T SOUND REALLY GOOD TO ME BUT IF WE HAVE
A GOOD PROGRAM TO OVERSEE THAT, IT COULD BE A GOOD IDEA. THEY NEED TO FOLLOW THE SAME
PROCEDURES OR PROCESS OR POLICY. THAT IS SOMETHING THAT WE WOULD
NEED TO HAVE MORE DISCUSSION ON. THAT IDEA MIGHT WORK. WE DON’T
KNOW. WE JUST CAN’T SAY SOFTWARE PATCHES ARE NOT GOING TO WORK IN
A BLANKET STATEMENT. SOME TEST LABS COULD HAVE MORE DETAIL SINCE THEY DO THE
HANDS ON STUFF DAY IN AND DAY OUT. THAT IS THEIR LIVELIHOOD
AND THEY COULD TALK MORE IN DETAIL ABOUT THINGS THEY RUN
INTO THAT HAVE THEM COMING THAT WAY.
>>THANK YOU. YOU HAVE QUESTIONS?
>>YES. >>YES. AS STATED SOME OF THIS MIGHT BE
APPROPRIATE FOR THE NEXT PANEL BUT I THINK THE DIVERSITY OF THE
EXPERIENCE ON THIS PANEL COULD BE USEFUL SO MR. DEARING HAD
TALKED ABOUT FINDING THE BALANCE BETWEEN
CERTIFICATION AND SECURITY UPDATES AND OBVIOUSLY
CERTIFICATION NEEDS TO MEAN SOMETHING. WE HAVE
A TO ATTEST TO A QUALITY OF THE SYSTEM BUT IN THIS ENVIRONMENT
OF LOOKING AT SECURITY UPDATES AND BALANCING THOSE I’M
INTERESTED TO THINK ABOUT OBVIOUSLY THE MINIMUS HAVE BEEN
BROUGHT UP. WE HAVE MODIFICATIONS . I HAD A CONVERSATION RECENTLY
WITH SOMEONE FROM ANOTHER INDUSTRY THAT TALKED ABOUT THE
TRAFFIC LIGHT SYSTEM WHERE DIFFERENT LEVELS HIT DIFFERENT
PIECES OF TESTING IN ORDER TO BE
RECERTIFIED. HAVE THERE BEEN THINGS THAT YOU HAVE SEEN AT
NIST OR MR. HALE, THROUGH OTHER SECTIONS
OF INFRASTRUCTURE WHERE YOU HAVE A CERTIFICATION ENVIRONMENT
REQUIRING THESE UPDATES AND DOES IT WORK WELL?
>>SO LET ME ANSWER THE FIRST PART . THE PART ABOUT WORKING WELL,
I’LL HAVE TO THINK ABOUT THAT. >>NIST MAINTAINS THE
CALIBRATION SYSTEM. WE HAVE A AN ACCREDITATION PROGRAM WHERE WE
CERTIFY LABS TO CONSTRUCT CERTIFICATION ACTIVITIES. WE
HAVE SIGNIFICANT EXPERIENCE IN
STANDARDS CONFORMANCE ACTIVITIES. MUCH OF WHAT YOU
CALL CERTIFICATION IS TO SOME EXTENT IS AN ASSESSMENT
AND AT THE STATION THAT A PRODUCT HASN’T MET A SPECIFIED
STANDARD. THERE IS A BALANCE THEN THAT WE HAVE BEEN
DISCUSSING AROUND THE LEVEL OF RIGOR AND TRUST EXTENDED TO THE
PRODUCT VERSUS THE RISK AND FAILURE OF THE PRODUCT TO MEET
THOSE STANDARDS AND HOW WE WISH TO BALANCE THOSE RISKS. THE COSTS ARE ALWAYS THERE.
TIME, DOLLARS AND IMPACT TO INNOVATION AND
TECHNOLOGY ON THE COST SIDE. ASSURANCE AND RISK MONITORING IS
ON THE BENEFIT SIDE OF THIS PROGRAM. WE DO PROGRAMS, VENDORS
SELF-DECLARED . YOU PUT TRUST INTO THE VENDOR
AND YOU PUT THE LIABILITY ON THEM. THE VENDOR, THEMSELVES ARE
THE ONES WHO ARE MAKE THE ATTESTATION VERSUS A SECOND OR
THIRD PARTY. THAT REMOVES SOME LIABILITY. THERE ARE BALANCES
THAT EVERYONE MUST LOOK AT. SOME DO IT WELL. SOME HAVE LEARNED
LESSONS OVER DIFFICULT BUSINESS SITUATIONS.
THAT IS ONE TYPE OF RISK VERSUS THE CYBER SECURITY RISK OR
PATCHING AND POTENTIALLY LOSING YOUR CERTIFICATION. FOR EXAMPLE,
THE CENTERS FOR DEVICES HAS UPDATED REQUIREMENTS
FOR DEVICE CERTIFICATION TO MAKE SURE THAT GOOD RISK DECISIONS
ARE MADE IN MAINTAINING THE SECURITY OF MEDICAL DEVICES IN A
BALANCED WAY WITH THE MEDICAL DEVICE CERTIFICATION. THEY ARE
IN AN ORGANIZATION WHO HAS LOOKED AT THIS VERY HEAVILY. SO
THAT MIGHT BE A MODEL THE COUNTRY COULD LOOK AT.
>>THANK YOU. >>THERE ARE A COUPLE OF SECTORS
THAT COME TO MIND WHERE CHANGES GET PUSHED DOWN STREAM FOR
VALIDATION AND ACCEPTANCE TESTING. TRANSPORTATION,
AVIATION, MEDICAL DEVICES, THOSE MAY NOT HAVE THE SAME UNIQUE
FACTORS OF THE ELECTION COMMUNITY. ELECTION DAY DOESN’T
MOVE. HOW YOU ARE TIME BOUND OR THAT TEMPORAL SENSE AND URGENCY ABOUT
WHEN THE SYSTEMS CANNOT BE TOUCHED AND WHEN THEY MUST BE
PATCHED. THERE IN OUR UNIQUE FACTORS HERE THAT DRIVE A CALL
TO ACTION EARLIER IN THE PROCESS THEN PERHAPS OTHER TESTING CAN
ALLOW FOR. >>ALSO. I’M SORRY.
>>I THINK A LOT OF THAT, FROM MY PERSPECTIVE IS WHEN YOU FIND
A VULNERABILITY AND IT HAS BEEN IDENTIFIED, HOW CRITICAL IS IT AND WHERE
DOES THAT SIT AT THE CERTIFICATION PROCESS. IT
DOESN’T GET PUT BACK IN LINE WITH ALL THE OTHER
CERTIFICATIONS THAT WE NEED OR DO WE SAY THERE IS A TRIAGE
PROCESS WHERE WE CAN SAY IF THIS IS FOUND AND IT IS HIGHLY
CRITICAL WITH THE DAMAGE IT COULD DO AND WITH SOME OF THE
NIST STANDARDS, HOW DO WE DERIVE WHAT BEST PRACTICES ARE PER
CERTIFICATION PER THE SPECIFIC EXPLOIT. IT IS VULNERABILITY
THAT IS DIFFERENT. How often do these high critical
issues come in? When they do come in it is
imperative we addressed that in a good way. One thing I would
love to see is that you guys are so perfectly centered as a hub
of communication between all of the sector, election
administrators and security partners and vendors . We look to other sectors for
best practices and I think of the automobile sector. They set
standards 10 years, 15 years ahead of time
letting them know that here are the goals we would like to see
is a sector it can be omissions or safety features that will be
expected to be put into cars as they come off the line. The EAC
you have a certification team and
engineers and the ability to produce research to guide this
sector as we move forward. Having the vendors be reactive when issues
like Windows 70s, there is a lifecycle. We all know that.
What happens at the nice next life cycle end? In my
perspective I would love to see that as an idea that as we move
forward we can talk about things that are happening today and
what happens five and 10 years from now and weather I am and an
elections administrator, I don’t know. We are making decisions
today to determine the success or failure of that person,
whoever they might be. >>I am conscious that my time has
expired. Thank you. You have questions?
>>I would like to tease out a little more. There was
discussion about imminent security risk versus [ inaudible
]. Somebody mentioned the risk of failure of that product. That
begs , we need to make sure it
operates as a voting system. Even though it is a patch it
still works as designed to tabulate securely.
The liability rest on the vendors and the entire community
if there is a failure. I would like to, there are comments
about how we can way that risk. As was said in doing something
with the patch or a self-assurance testing with some
sort of abbreviated testing. Any ideas on how we can have a
procedure in place to sort of, it would not be an entire certification
program, a limited review to make sure there is nothing that
will result in catastrophe from an electoral oriole perspective
but will meet the needs of addressing the risks associated
with imminent vulnerability assessments.
>>Maybe more abbreviated you could
frame that. >>The larger question . If you tell me exactly I will
give you a more direct response.>>From a local and state
perspective that might inform us little bit
if there was an immediate change necessary. You’re looking at a
two-month certification program. What would you do in these
circumstances? You have to balance that risk. We may not
necessarily have an abbreviated — we have a hold between the
change which requires certification. We need to limit
our risk of failure yet address our risk of failure.
>>I think it’s the scale issue. In the Commonwealth of Kentucky,
we certify systems at the top level of the state. The purchasing and maintenance
of those systems is done at the county level. If a vendor were
to come in and tell us we found a fairly critical vulnerability,
that is something we will work directly with the counties with.
We can’t force them to do that at the end of the day. This is
part of dashed this part of it is a negative. Having local rule
and local administrators and the diversity of the election
systems is a vital. How do we balance that need? I don’t know
if there is an answer to that. We were talking about it
earlier. It needs to be triaged. Each item has to be looked at
and that is this something that rises to the level where I need
to drive to every county and help them patch what that is
going to be? Do we pass that? What happens when — if we say
that is not going through the
certification process but now the voting public finds out that
there may be a vulnerability. Part of my job is not the
protection of the system, the reputation of the system as
well. That is one of the most important jobs we do is protect
the reputation of the system. If people don’t vote, it’s not
working. How do we balance that need to act as to whether or not
we have the right to force a patch and maintain the security
of our system in the eyes of the public. I don’t know if there is
directly an answer. >>Mr. Scholl, do you have an
answer to that. You raised the issue between balance and risk.
It was expressed clearly it’s also reputational and public
confidence and there are factors other than that that are looked
at. What is the meaning of this certification? Part of it is
public confidence and trust , not just for those who are
running the elections, but the public as well and, who is the
certification authority. I talked about communication being
important. IMO certification authority for several small cyber security modules for use
within the federal government. I have run across similar
situations where communicating to all of my stakeholders to say
patch this no matter what it does to the current certification. This is
the important thing to do now. That becomes a risk decision for
the certification authority that alleviates the users of the
responsibilities of those other reputational or business risk issues as well. It
is a difficult thing to balance. Some of it is look at locally.
Anything that a certification authority can do when a decision
is made to assist with that is extraordinarily helpful.
>>Yes, John? >>Along those same lines I see
the issue in two pieces. One seems relatively simple and the
other is a lot more complicated. The one is what we can do to
address this from a certification point of view.
There are solutions to that that will take us vetting it with our
federal partners and vendors in the community. That is an easy
lift . I think. Who knows?
>>But, where it is complicated and as Jerry was pointing out,
you can’t force, depending on how the state is organized, you
can’t just go into accounting office and say update it now and
they have to do it. That will take more work and even if we
had something that said the vendor is liable for then the
vendor could go bankrupt and get out of town and still the
government is left holding the pieces.
Another issue along those same lines is that say, it could
possibly happen that , especially next year when
there are so many primaries staggered throughout the U.S.
and you say the first state to hold up primary has system X and
then state number 27 also has the same system but is later
in the year. Vulnerabilities will be determined because this is what we are using for
the election, how do we address that if all the sudden our first
state says I was operating a voting system on a vulnerable system? This is where the
complexity really comes in and the fact that Jeff stated
earlier, the one thing about elections that
no other industry has to deal with is the deadline. Elections
have to happen on election day. There is no other time for that.
That is how I see this issue is that one piece we can work on
and have guidance on how you implement the patch
and for further discussion — how does it looked when — okay , the AC has the certified
system with all the patches and all this great stuff and then
push down to the localities that are resource strapped that can’t get those updates as
quickly as the public would like. What does that look like?
That is to me the bigger question. Without diminishing or
dismissing the fact that we still have a job to do and
relatively quickly. >>Mr. Hicks for
>>Thank you. >>I have a couple of quick
questions. Yesterday I flew back from Denver and the pilot came
on and talked about the number of planes. He was talking about
the fact that this airline only dashed the industry has built 53
of this particular type of plane. This company owns 26, a
relatively small portion to the number of planes in the system
of air travel. My question goes to, what are the numbers we are
talking about in terms of updates? Is it just voting
machines, poll books, other aspects? Are we talking
millions, hundreds of thousands that need to be updated from
Windows 7 to 10 and what time frame are we talking about. And
of — I probably should have asked this of the last panel. Of
the — I heard a lot about updates being toward
vulnerability. Are we updating on other aspects as well? Not
just on her ability? That’s the first question that I have.
>>Does anyone want to answer ?
>>Jenny? >>Thank you.
>>The first answer is probably better addressed in the third
panel that the vendors will have a much better volume of the devices running
that. I think we need to draw a distinction between the types of
devices we are referring to here there seems to be a confusion to
those systems that are considered certified. Those need
to have an update , that’s when the certification
concerns come into play. There other systems that are running
Windows 7 that are not inside that certification and updating
them or having a constant update and patches a
little bit of a different story. There are still complications as
the secretary mentioned around doing those. I do think they are
just different stories when it comes to those that have
certification concerns versus those that have just normal patching concerns and updates.
The volume, that’s not something we would necessarily have access to that information. I
suspect the next group of panelists will have better ideas
as to the numbers. >>And not every voting system
runs on Windows. There are other operating systems.
>>That was my next question coming up. How do they do their updates as
well? >>I think the number question would be better for the
next panel, for sure. It is a smaller percentage. I do know
that. I don’t know, I have no ballpark figure.
>>Then my next question, in terms of
working with the vendors in terms of penetration tests, that
is completely voluntary, correct?
>>Yes. That is correct. >>All right.
>>I’m sorry. I noticed there was a minute and 20 seconds.
>>You asked a question which was what can we do to help move
forward. I would be remiss in my job if I didn’t mention the
union, the universal postal union. It’s wonky and it seems
like a large subject but we have an election coming in November.
For those that are not familiar with it, there is potential that
the Postal Service could pull out of the UPU which allows us
to have contracts with foreign nations. My requirement to send
out will be prior to whether USPS decides whether they will
pull out. I am concerned on how I notify my voters when that
goes out. How do we educate them and say there is a potential
that if this ballot comes to you now
and you do not submit it in the next several weeks that it could
cost $60 to send this and that is even if they agree
to deliver it in the first place. That gives me great
concern about my overseas voters and voters abroad, it grieves me
to think that I have military voters who are
protecting our right to vote and might not have the ability to
turn that in. If there is anything that can be done to
intervene on some level, maybe provide guidance to the states that have this. Not all states
are on federal schedules. If there is anything you can do for
guidance on how we should treat this and how we should notify
voters of how they can fully involve themselves in the voting
experience in shorting their ballots count, that would be of
immense value. >>That is great. My fellow
commissioners and I can talk these issues through to see how
we can help to improve the process. There is another issue
occurred in 2018 with overseas voters and with the foreign
states national influence on elections. Those
people living overseas were trying to contact election
offices here in the states and were being denied because they
had foreign addresses. We worked with helpful states and we set
up things to alleviate those issues. I hope we can work with
the Postal Service and whoever else to alleviate this issue as we move forward.
>>I want to thank each of you for coming here and spending
your time with us today. It was very helpful for us to hear your
points of view. We will take that into consideration as we
move forward addressing this important issue.
>>Do need a break? >>The others don’t.
>> this is the third panel. Thank
you for joining us. I will quickly go through your bios. We have a hard close at
3:30. We do want to hear from you.
>>Where my starting? >>I am starting at this and. Clear ballot certified learning
systems have been used in Ohio, Wisconsin Colorado and for [ inaudible ] next to will is Chris wash and system security for the SNS. He
joined ES an acid in April 2018. He is responsible for company security efforts
including infrastructure security. He drives security
innovations and ensures the best practices during the
product development process and engaging in the certification
process. He partners with the ES and S for the external security organizations that may be
engaged to help. Then we have Bernie Hirsch he is the quality continuous [ inaudible ] for the past 12 years Bernie has
been responsible for having quality assurance and system
certification. Next to Bernie is Ed Smith, director of global
services for USA smart Maddock. He joined them in 2001 with the
position at heart inner civic and was the vice president of
several groups. These positions he led state certification campaigns
and operational functions quality insurance and field
appointment. He Leed certification and global
services for the sales region and leads federal and state testing and compliance with
systems prior to testing. He leads field the appointment
across the United States and has served as delivery manager for
the Los Angeles [ inaudible ] project. Next to Ed’s jacket,
laboratory director. They are a national Institute of
standards and technology accredited. They excuse me —
the voting systems test laboratory. It is in EAC test
laboratory. He has 18 years of development and test
experience with the application and development and
implementation using object oriented design. He has given technical assistance for testing
arenas and voting system manufacturers and is accepted by
the system as a subject matter
expert. He currently serves as SME examiner to multiple state
election bodies providing technical guidance for the
examination and re-examination of electronic voting systems.
Lastly, at the end of the table we have Jesse Peterson, a
security specialist with 20 years of experience in hardware,
software, functional performance and network design.
Systems and network security experience including
implementation of intrusion detention and prevention
solutions, patch management and removal of malicious
software and managing and maintaining firewalls. He is a
vestal security specialist. He works with boating manufacturers
to validate and verify electronic voting systems comply
with certifications he also works on
state security security environments. He works with encryption system designs and
architecture assessments. Thank you all for being here today. We
will start with Will on the end.>>Thank you.
>>Thank you commissioners and staff and to my fellow
panelists, this has been an illuminating discussion. I will
be brief to allow more time for discussion. I am will crumbly.
At clear ballot we believe that security is not just a
regulatory requirement, is a business imperative and it is
one of our four values. We view this as the foundation of our
security strategy that not the entirety of it. Additionally we
secure our own infrastructure and we can incorporate security
best practices going be of excuse me above and beyond. Also
product features that have emphasized things like hand
marked paper ballots. We are excited to participate in
cooperation across the industry on initiatives such as
coordinated vulnerability programs so we can leverage
expertise of the industry . Finally, as a vendor, we aim
to certified new versions of our systems and get them out to our
customers as often as we can. We look forward to continuing to
certify as often and securely as possible.
>>Thank you. >>Good afternoon . Thank you for this opportunity
to come and talk to you. I am the VP of security and the chief
information security officer for ES and SS . I am also the chair of the
sector coordinating Council. A team of manufacturers, many
represented here and 27 altogether entities, technology providers,
advocacy groups, they are focused on advancing election
security and the state of election security in our nation.
When I look at the panels you assemble today, the witnesses
that you brought forward, the state of our nation’s election
security is better than being reported because of
the focus on election security. Our state and local officials,
this is where they shine when it comes to protecting the
integrity and validity and reliability of our nation’s
elections. I am thankful for the EAC leadership. I believe that
as we talk through these issues about Windows 7 and other
vulnerabilities, the EAC is the right place to exert leadership
and empower the voting system test labs to take on a security
testing role. The certification process you have in place now
that nearly all vendors comply with could be modified to
embrace some security testing that would meet the needs of 2.0
and beyond. The EAC is the right body to oversee that and further
protect our elections ecosystem. We need to be aware that various
election vendors are partnering to develop a program of
vulnerability disclosure and earlier today a white paper was
released where many major election
tabulation manufacturers have contributed to understanding
what that might look like and we are excited to move forward on
that issue but we need support. As you heard from other panel
members, the coordinated vulnerability programs won’t
work unless the testing and certification processes modified
to accept that input. I will close with the comments about
DHS and other organizations and exerting
leadership in the field. Officials are more empowered and
more aware and more focused on election security and cyber
security than they ever have been before . There is a measurable
contribution to awareness and protection through the risk and
vulnerability assessments, the testing that some election
manufacturers and jurisdictions are going through, that needs to
be resourced and continued. I will close with looking forward
to your questions and advancing the knowledge about security and
where we need to go. >>Thank you.
>>Mr. Hirsch? >>Yes. Thank you for hosting
this event. I think we all agree that cyber security and the
security of our elections is a primary concern for the public
right now. This is something that we have
been concerned with through our history. We are not new to the
table of trying to protect the system. In the past the way we
have done that and the way most vendors have done that is by
complying with certification programs locking down our system
in a way configured, tested thoroughly and then isolated
from the surrounding world. We consider each individual vote
gathering device as a separate election that we are empowered
to help our customers to protect. We protect tens of thousands of elections
leading up to and including election day. We have several
initiatives we have taken up in the last few years in response
including , I am a diamond member of a
hotel chain traveling to all the security initiative information
sharing meetings that many of us have attended. We have spent almost 3 years certifying our
system to move from Windows 7 to Windows 10 with a great
percentage of our system, we are currently upgrading 7000 voting
machines in Indiana and I think hundreds of servers to go to
Windows 10 . We have a component for that
state that up to now has used very successfully our DRE for
decades. We have continued to upgrade that. We are — that’s a
large project for our company , I think it’s very worthwhile.
We began developing that 18 months ago and we began the
process of getting certified in the state within the past month.
We are looking forward to having a paper back up to our
internal rate in all kinds of different technical things we
are doing to keep up with the threats that we all face.
Ultimately, the thing that I think we are most progressive
about trying to enforce is a new service that we call PCS , pre-and post election security
suite. We have been championing that. We feel the certification
that we took initially three years to gain from our new
system, back in 2007 to 2010 and then modified it for another
year and sold the first certified system in 2011, it
took us four years, in that time our system has improved because
of the process we went through with the EAC. We feel that it is
very important that these systems be carefully configured
and identified and protected and if there is an intrusion we can
detect that and we have tools to do that. The system
identification tools that come with every certified system. Our PCS cyber security sweep
leverages the tools to make sure the jurisdictions have and
conduct an election that has integrity. We have jurisdictions
with as few as 20 priest things and some that have 720. The voting system has to scale
to those sizes. Am proud that we do a bang up job. Our company
quality assurance statement is we insist our customers are 100%
satisfied. That is a job that everyone of us does. I am the CIO, this the Q0 and
the C ISO. We consider all these roles
important for all of us to constantly maintain. Thank you for bringing us
together and I look forward to your questions.
>>Thank you. Mr. Smith, welcome.
>>Thank you. >>Mr. vice chair and commissioners
thank you as well for the honor of coming before you today. This
security derives from many sources. I will confine my
remarks to things like providers and maintaining infrastructure,
vigilance over security fence threats and continued agility
and development by the providers followed by fast and faster
cycle times through certification, that’s aided by
administrative capability and capacity. Coupled with provider preparation. Better input makes
your job easier and allows for better and faster outputs. That
requires changes to the certification process. It is
monolithic. The comment was made of a time capsule, that is what
I’m saying. It requires longer cycle times . I have attended some early
meetings and saw the origins of TBS G and I am familiar with
people who aided in the test and certification program before it
was stood up and therein lies some of the reasons why
certification is so monolithic. People’s backgrounds for
instance in the space program and Apollo in previous programs.
Once you sent the rocket up there wasn’t much you could do
with the software. A focus on security, even back then. It was
interesting that the secretary invited and the predecessors
accepted a VST test report for security updates
followed by administrative review and approval . Thereby they generally had
some of the most up-to-date or if not the most up-to-date
software across United States because of flexibility in the
state process. That is something to think about.
>>Another comment I would like to make, providers need to
monitor for threats. That is actually in today. We need to manage
products and keep them updated. Looking at myself in the mirror
and other providers I think it showed a gap in product
management to have Windows 7 come up obsolete while products
were in certification or had not entered certification with the
operating system. Microsoft publishes the
information when it will be obsolete. We need to pay
attention to that and move forward. I go before I move into the
second phase of my remarks there is an emergency procedure for
certification. It is not meant for something wide-ranging
like OS patches and other patches to the system that I
will speak to in a moment. It is a specific situation and it is
not applicable although it has come up
sometimes as a possible solution to moving forward with faster
certification. >>I have given all this
background so I would like to make a proposal. I tell my staff don’t come to me with
problems unless you also have a solution. I have to follow that.
>>We can build from existing testing and certification causes
as well as clauses in VV SG. If you look at volume 1
section 8 and volume 2 section 2 when they talk about assurance
and configuration management there is a requirement is
commercial off-the-shelf. Those causes can be built on with relative ease. They could
require an expansion of the program to include security
updates. What does this do? >>You can require to be
provided from the provider with the quality assurance program
they would use to approve on a rapid basis patches to the
system. The EAC could intake those draft
procedures review and approve them and once approved give them
back to the provider to actually use. So what does this do for
you? You have a vetted procedure that , if a system provider comes
forward with a patch you can at least benchmarked, did you file
your own procedures ? If not, send it back to the
provider. If so, enable the expertise to evaluate that
upgrade and then added to the existing
certificate. You will probably want to tear these. OS patches have been tested already. Driver
relays excuse me replacements is the most risky and would need
the most vetting. There is a place for third-party libraries
that we know are in the system. In the sense, this follows but is expanded on the procedure
that already exists for your own technical staff evaluates
changes to the system. Her you tear up and have something above
the minimus but below baseline. One ad that would really help,
we used to have technical reviewers. At one point there
may have been seven, there were certainly three to five. They
had expertise in security and database management. They
provided expertise to augment the expertise on your staff over the
years and certainly presently. I believe those were cut due to
funding constraints and that is a shame. That’s a place where Congress could restore these
very needed technical augmentation positions. Thank
you. >>Thank you, Mr. Smith.
>>Okay. Thank you. Thank you for inviting me here
to speak at this form. I would like to state that this is the
second time I have been in the President’s of an election assistance commission. It’s good
to see that and I hope it stays that way. I’ve been in this
industry since 2004 or over 15 years. These are not new issues.
I believe at the first meeting in Aurora , Colorado in 2006 or early 2007
we had these discussions. This was before there was an adoption
of the program manual. The industry has struggled to find a
balance of the certified system and the ability to update for
vulnerabilities. I do find immigration management of all
components including off-the-shelf products and software and hardware and
proprietary software and hardware. They are required to document
all pieces of software and hardware submitted for testing.
When this discussion has come up in the past the argument has always one out
for configuration. With the security landscape it is more
important to find solutions to tip the balance of the scales
from 100% configuration and 0% security to something manageable
and more secure. The arguments being put forward for
configuration management are, is the system the same as the
certified systems if there have been updates? How do we know the
system is updated and it will function the same as tested and
certified? These are all good questions. We have seen updates
in the lab that were not applied. The application
software ceased to function. That just include the latest
pass and everything will be fine. In
that case it wasn’t. The argument for the security side
is that if you have a vulnerability in a certified
system that tells the hacker where to start. This is true.
The security professionals I have dealt with have pull their
hair out the moment I tell them there will be no updating of
this system under test. This is the first and most important
thing to do to keep a system secure. They have tried to find
solutions to this issue. We have allowed or thought of allowing a
number of minor updates before requiring testing. The
modification is something the Commissioner was thinking about.
System certifications running after certification. We have
even talked about allowing updates if the trusted
build of the system has not changed allowing updates to
third-party products. These are a few ideas that have been
kicked around. Hopefully the discussion we have here today
can provide useful information to determine how we can move
forward. Again, I thank you for the opportunity to speak on this
important topic and I will gladly answer any of your
questions. >>Good afternoon. I would like
to thank you for having me here today. As you know SOI is one of
two SNL’s. And SLI has been an independent test authorities
since the program was established in 2001. As such we
employee voting system test and security professionals
and have experience with every voting system used in the U.S.
today. As such we also participate in
Department of Homeland Security coordinating Council for the
election infrastructure sub scepter. As you can see,
compliance is dedicated to helping the election assistance
commission evolve in the process and of all those used to protest
[ inaudible ] the federal certification
testing includes a robust testing of 1000+ requirements and usability accessibility,
hardware testing and security testing just to list a few. I
feel the voting system test labs have unmatched expertise when it
comes to standards and understanding of testing systems
to these specific standards. As we all know it is imperative to
get voting system to the field as quickly and in any manner
that does not impose too much cost. Patch election systems
must be updated. The infrastructure provided with
vulnerability patches and security additions as they may
be has been a well-known issue for some time as my panelists
estate is. It is my professional opinion that a patch for making
security -based additions to Arathi
certified voting solutions is necessary. As was said the
federal certified system is locked to a specific place and time. The testing and
certification program details a path for modifications, as we
all know of a certified system . The documentation or data
minor in nature and effect. It further determines if the change
is a modification. This is the process it needs to explore to
determine guidelines for how a certified system would have an
expedited patch for firmware updates,
malicious software definitions as well as some potential
further security enhancements. With the current climate we all
realize the threat landscape changes faster than
certification. That could lead to a certification process
continuously. This can be tedious and time-consuming
involving parties from the labs and manufacturers in the EAC and
can hinder the process of getting systems through the
modification process and testing and certification in a
timely manner. To have a change process it is focused on
security. There would have to be some kind
of guidelines and definitions about the exact nature of the
procedures and modifications to address the security changes.
The guidelines would be required that in certain cases they are
not introducing instability or additional vulnerabilities.
There are lesser and greater degrees of security patches that would have to be examined
and determined if the impact of the system warrants extra
testing or if could not. Once again I appreciate the
opportunity to provide a statement today. The path for
keeping these current with vulnerability patches, the key
is to instill trust and keeping cost and time complete so that everybody can process
these changes. I appreciate you listening to my feedback and I’m
happy to answer any questions. >>I will forgo my questions if we
run out of time. Please go ahead, Mr. Hicks.
>>>>Who should be responsible for
these updates? Is it the manufacturer, Microsoft, Lenox, that’s my main question
for today who is responsible and who should pay for it?
>>I will start and then other representatives can chime in.
>>It is a true teamwork process to deliver updates specifically
for voting systems and election management systems on a closed
network that are not reachable. They require hands-on delivery.
Some juror jurisdictions have those that can apply updates.
Vendors are stepping up to help deliver updates. It is a mix.
>>Know what else? >>So , when we are talking about
updates, a lot of the talk was about one or ability, one of the
things — how should we categorize that? You talked a
little bit about that as well. >>Yes. There are security and
there is enhancements. There are a number of things that you can
do. Audio quality for instance read back for accessible voters
is far better than it was in early touch screen devices . That is just one example.
>>Okay. >>I would like to speak to
that. We are all talking here about operating systems. It has
been isolated to the operating systems but many of them have
third-party products, there are lots of products out there that
have updates and bug fixes or bugs that can
cause a security vulnerability. We don’t need to just think
about the OS. There are lots of other products that put out
patches that we need to be considering
as well. >>I could also add not all
longer abilities are equal. Those that apply to a consumer
grade computer that you might have in your house where the
vulnerability represents a high risk of compromise is not the same as
the vulnerability when applied to a closed system. It is up to
the manufacturers and Microsoft is great at this, working with
the technology providers to assess the degree of risk with
any particular vulnerability. Many of us have teams assessing
those for applicability and risk to our systems.:Conversation
must continue . Assess each of vulnerability
as presented to its applicability to the system and
determine rest. >>I guess my last question
would be to we know numbers? Not just voting machines and pole
books, is everything needing to be updated?
>>I think it is just as important as patching of three party programs is the
general hygiene that we use and the training that we give our
customers on safe practices. The voting systems themselves
are extremely mature. Most of us are great hardened. Where they
become vulnerable is the data coming in
and coming out. That is where we can make big improvements and
that is where, if we can find ways to improve the way we
insert a flash drive into a computer or how we use the
Internet to communicate with one another or how we use
authentication are all these other things that we can do to
better dashed just common sense things
will have at least met as much impact as applying a patch to a
hardened system that is isolated and is pulled out once a year
for one day. The funny thing is when I developed this I had to get five
or six different companies to coordinate efforts together. One
thing that was required for the certification is the mean time
between failure. Most of these types of printers are used in a
parking lot somewhere under the hot sun. They know how long that
will last. I calculated how long it would last in a voting system
that used in a voting cycle in our calculation was 3000 years. At some point, we are focusing
our efforts on something with little impact any ignoring or
not focusing enough on some of the other areas that could have
a much bigger impact. >>Okay. Thank you.>>Commissioner Palmer?
>>Thank you. >>Going back to you, Mr.
Hirsch, I was intrigued by your discussion of the updates taking
place in Indiana could you give us a description of that? How is
that going with the tens of thousands of machines that are
in the state of Indiana. >>It is proceeding well. We had
a lot during the development process
and during the testing we conducted usability test with a
live situations. In Tennessee we actually conducted an election
between the election officials voting for their own leadership . It has been in the statehouse.
It is a no-brainer to go from Windows 7 to Windows 10. The
difficult thing is to get it certified. I piggyback onto a
modification we were doing and said as long as we are doing
that dashed >>We didn’t do it because we
were concerned with the vulnerabilities or end-of-life
for Windows seven, it was end of life making it more difficult to
buy it more modern computers. We get our computers from large
retail manufacturers who — we are blip on their radar. We
could certify something and three months later they are no longer making it. If
all of us have funding to buy 10,000 laptops upfront, we could
hand those out like candy. We can’t do that. So having windows
10 has been a big advantage just from the standpoint of being
able to buy current hardware. It takes
years in order to get through certification with that. That is
an issue. I have another product that is sitting on my desk right
now which is a Windows 10 enterprise system that I would love to put out in
the field next month. I am convinced that works great. I
have to convince the rest of the world that it will be a good product. I am going to go
through that process and then we will add some other features,
something we want to do as a company is an even better job at
inventory control for customers. We do the physical security as
important as cyber security. We have seen great inroads
especially with the funding provided . To that extent, our industry,
we maintain an inventory for our customers. They have their own
and we also maintain an inventory for them in addition
to our own inventory. We provide better tools within our
management system for them to manage their inventory.
>>I appreciate your comments. The one thing I wanted to
highlight was the fact that counties and states
are going through this update process. It doesn’t happen
overnight. It takes time. They are proceeding with this. It’s
being done orally and we are all focused on the issue.
>>I have one more question. There is a discussion about the
vulnerability disclosure program and how we could help with that.
What can we do to work with the vendors? You need to make that a
reality and we can do that moving forward.
>>Okay. The leadership in managing the current
certification and testing process could look for an
opportunity to expand the role of a voting system test lab to
have timely security testing and a conduit
for security researchers to submit vulnerabilities they have
found in the field or that they have theorized in a lab and
allow the voting system test lab and the manufacturers to work
together to find a fix or patch and apply it during the
certification program. As you heard we are sensitive to the
length of the current certification program we don’t
want to add to that. We would like to see a channel of
communication that security researchers or the DHS
vulnerability assessment program have a path to comment on and help the EAC in
the voting system test lab understand the vulnerability and
what it looks like, its applicability and where it fits
in the certification program. >>Thank you.
>>All right. thank you. That is in a great lead into a question
that I have for all of you. So, thinking about vulnerabilities
and what that would look like, in 2015 the testing and
certification manual was updated to include changes for software,
not just hardware. That has not been utilized that often is my
understanding and not to a degree that it would apply to
patching and the way we have been talking about it today. So
what I’m interested to know about is, do you all see natural
bright lines? Are there places in the testing and certification
program where you could identify a sliding scale for what would
need to be involved in testing that based on the type of
change? I think about something like, for example, if it were
simply to a third-party operating system, a patch and
not impacting any of your software, would that be a
natural break? Are there others that we could consider changes
to the regime that would allow updates if there is a vulnerability
disclosed and in a timely and cost-effective way? I welcome
your thoughts. >>I would like to take that.
>>The reason it hasn’t been used much is because you can’t.
Any change to the software takes it out of the arena. If these
gentlemen have to perform tests to assess the change it falls away. That’s why it has
not been used. It’s way too narrow.
>>Batten I guess my question is, is there a definition or definitions logical?
>>There is an opportunity for that.
>>Right now, currently , the program manual states that
you have no testing if it’s minimal. If you do anything to
test that unit that it becomes a modification. That includes everything. Somewhere
between modification and minimal maybe they could run
Explorer you excuse me exploratory test. We
had to run these test. That requires zero testing by
definition. Also, it will allow for some
kind of change to the software, a patch to Windows or to a
printer driver to our application software, that’s a
software change. I agree completely with Mr.
Cobb’s assessment. There needs to be something in between. I
was talking earlier about tears within this new tear that you
could create between the minimus and modification. You might want
to have tears is it well vetted by the operating system
provider? Is it something in the middle , a driver for an HP printer,
I’m continuing with that example and all system at least
something that we have altered. >>Do you think , is modular testing a piece of
that? Is that a good idea? >>I would say there is a role
for, as Jack was suggesting, risk based modular testing. If
we replace an upgraded version of an
operating system we should test whether that changes the ability of the
system to boot, be installed, to have basic functionality, would
that likely affect the logic of the tabulation noble
election, likely not. Having discretion for what are the most
risky parts of this change, that might be valuable.
>>So like we were saying, this is the pathway I was trying to
get at in my statement. Something that we can focus
toward without having a full-blown modification test
effort and we can do some research on the patch and have
some testing from them and still come up with a way that it does
not require us to sit there and do a full modification for
something as simple as an antivirus definition or adding
in certificates that have expired. A lot of the systems
are — they have longevity to them.
Some kind of path going in between full-blown modification
and minimal but might be a little bit more
than currently defined. >>Thank you. I want to make
sure to reserve the remaining time.
>>Thank you. >>You do state testing and
federal testing ? Is that correct?
>>That is correct. >>Does the state certification
process, are there differences for software updates?
>>It depends on the state. Some states require certification for
example and then that could prevent them from
adding patches or things that modify the actual certified
software. Other states kind of have stringent requirements but
don’t require that certification. It goes a
little bit in both directions. >>To add to that, we are working
on a project with the Commonwealth of Virginia where
they will decertify every system every four years. They want to
do that to make sure that everything is up-to-date and the
OS is no longer being supported and you make it re-certified and
they sign off on it. They want to
look at this exact issue, there are things that are not secure
and have vulnerabilities and they want to look at that every
four years. >>That leads me to my next
question. Do you rollup all the latest patches in the
recertification or re-modification?
>>For our part, yes. We roll up security patches applicable to
the situation and environment of the unit and any enhancements
that have to do with Dasha could be to factor authentication or
stronger access or ease-of-use or reporting . The long answer to your shirt
question is yes, we do. >>We only have a couple minutes
and this is a complicated question but, where do you build
your systems ? Where’d you get your
components from? Do you feel secure with that where you get
components from? You talked about having inventory and
businesses that you deal with. What are your thoughts on that?
>>There are sub components made all over the world. It is a
global business. Most, if not all of the final assembly and
testing is domestic. We are particularly sensitive to try to
use companies that are even geographically close to us . We do have some suppliers on
the East Coast and West Coast. Most of our suppliers are within
a 50 mile radius of us. We prefer that. That being said, earlier you mentioned that
elections happen on a particular day and there is a deadline and
when it happens, it happens. I have always been concerned from
a supply chain point we are target. We know when the
election will happen. To know where the president is
going to be two years from now on a particular day and time?
>>Guess where you will focus all your time and energy. When
it comes to supply chain it’s a good idea for system to roller
date forward to election day and have a mock election with the
system set to the date in the future. That’s one way of
helping to protect against unknown things that could be
buried deep inside of some subcomponent manufactured
somewhere.>>Two quick comments. It is a
global supply chain. I have been leveraging my experience with
DOD and health and human services to visit every primary
supplier that we have and conduct of risk assessment so
that we can attest to the end to end supply chain security of the
parts that we get. Bernie’s comment about preparing for the
next election . As you know, there are
elections almost every day. Last week, August 6 there were 115
elections across eight states. Every manufacturer and lab here
contributes to each and every election leading up to the next
general. We gather information from the field. We use tools the
EII and the Center for Internet security have given us and under the supervision of the
homeland security department we are watching these elections.
Talk to intelligence communities and make sure vulnerabilities
are being addressed now, not in November 2020.
>>On that note, we have to and our discussion. I have many
more questions. We have a hard stop at 3:30. I want to thank
each and everyone of you for being here and for providing the
information that you did. I look forward to looking forward to
dealing with you for future discussions.
>>Thank you very much. The form has ended.
>>[ Event concluded ]

Leave a Reply

Your email address will not be published. Required fields are marked *