Hello. It's nice to be here. Thank you for joining this session. I'd like to talk today about a policy approach to resolving cybersecurity problems in the election process. One thing's for sure. After the coronavirus is no longer dominating the news, election security will come back to center stage big time. It is a complicated subject that few people really understand, even election officials. So today I want to talk about the role that private sector companies play in the voting system, the vulnerabilities associated with their role, and discuss a path forward from the legal and policy perspective. So, election security. It's really a private sector problem. So many aspects of election security are performed by private sector companies. There are many avenues for tampering with an election, including changing votes, causing machines to malfunction, altering voter registration records and disrupting equipment that's used to check in voters. The private sector companies play a large role in these activities, which we call the election process: the voter registration, the checking in, the voting, the polling, the tabulating of the votes, all that is called the election process. And the private sector companies sell the voting machines and program them for most elections. Yes, they program them for each individual election in most jurisdictions. They register voters, they tally votes, and they report votes. And there are vulnerabilities associated with their role that most people don't understand. They think that this is all something controlled by state and local election officials, and it is not. So today I want to talk about that path forward and how to solve this huge, complicated problem. There are many avenues for tampering with an election, including changing votes, causing machines to malfunction, altering voter registration records and disrupting equipment used to check in voters.
Let's look at the vulnerabilities in the voting equipment. In 2005, Harri Hursti performed the famous Hursti Hack and successfully altered votes in a one-step hack that changed both central tabulator results and the voting machine results tape. It was the digital equivalent of stuffing the ballot box. The election official who invited Hursti to check the Diebold AccuVote optical scan voting machines said he wouldn't have been able to detect the change and would have certified the election. Diebold is now owned by Dominion Voting Systems. None of the vulnerabilities found by Hursti were ever fixed. These same machines are planned for use in 20 states in the 2020 election. Think about that. It's 2020 and he discovered this in 2005. 15 years later, that's crazy. A later model of the same voting machines with the same vulnerabilities was used in a hotly contested and disputed 2016 election between Stacey Abrams and Brian Kemp in Georgia. So many of these systems that are using these machines are using machines with these vulnerabilities. In recent elections, 99% of votes in the US were cast or counted on computers. And many of the core election systems, voter registration databases, election management systems, voting machines and vote counting systems are using aged computer equipment. The systems employ software that can no longer be updated or patched. They include databases that have known vulnerabilities, and they're managed by third-party vendors where supply chain risks exist. This is a big problem. Let's look at the cyber attacks on these private vendors. In 2016, Russia's military intelligence service penetrated VR Systems. VR Systems is the vendor that manages and handles all of the programming for the majority of the counties of Florida. And it handles all absentee ballots and early voting. We know of this penetration because an NSA contractor, Reality Winner, released a top secret report about it.
And we later found out the FBI briefed election officials in Florida on a very secret basis. It was a year later that election officials around the country realized that Russia's military intelligence service had been penetrating VR Systems and that perhaps their systems might also be vulnerable. In the 2016 elections, electronic voter ID systems in several states went down in certain precincts. Now these are the systems that help identify a voter when they come in to vote. And these technical glitches, they called them, in the machines caused hours-long waits for people who had come to the polls to vote. With those hours-long waits, some voters were unable to wait and others could not vote before the polls closed. On election day in 2019, federal officials from law enforcement, Homeland Security and the intelligence community issued a joint statement declaring that our adversaries want to undermine our democratic institutions, influence public sentiment and affect government policies. Russia, China, Iran, and other foreign malicious actors all will seek to interfere in the voting process or influence voter perceptions. Wow. And it's true. We have a serious problem. We have governments from outside the US trying to influence our democratic processes. And we have voting machines and voter ID systems and private sector companies that have not presented any level of security and assurance that their processes and systems have integrity and are confidential. So we have a US Election Assistance Commission. And this commission is supposed to, you know, help the election officials around the country. But it's perhaps the weakest link in the nation's voting system. The EAC is a bipartisan commission established by Congress in 2002. It maintains a national mail voter registration form. It accredits testing laboratories and certifies voting systems. And it serves as a national clearinghouse of information on election administration.
In December 2016, Recorded Future reported that a Russian-speaking hacker named Rasputin was selling access to the EAC systems on the internet. Rasputin had full admin access to the database and could upload any file he wanted. He had lists of voting machinery, test reports of their software, and knew where they were deployed. An EAC employee whose credentials had been compromised said if Rasputin had access to the database, he could access the server where the proprietary information is kept. The EAC keeps information about vulnerabilities in voting systems. Thus, a hacker who gets into the EAC could find out where the weak links are in the voting systems all around the country. So let's look at the voting machine companies and what role they have played in this. They have been recalcitrant and arrogant. Researchers and cyber experts have found multiple vulnerabilities in the most used voting machines that would enable an attacker to gain full access to a system, change configurations, and install a modified operating system without election officials knowing. These vulnerabilities can enable hackers to change an election, shut the system down, enable remote execution of code, and offline ballot tampering. There are three primary vendors for voting machines: Election Systems & Software, known as ES&S, Dominion Voting Systems, and Hart InterCivic. We know there are vulnerabilities in most of the voting machines, but very little is known about the security of these companies' own IT systems. The companies that produce these voting machines that are supposed to maintain them and produce them, and they are the underpinning of the core in our election process. Very little is known about the security of the companies that even manufacture these machines. Some voting machines are optical scanners, some have touchscreen voting, some use QR codes or barcodes, and others send votes in clear text back to vendors to be tallied. They can all be hacked or compromised.
If almost all the voting precincts in our clunky system use equipment from these vendors, an attacker only needs to hack the equipment to reach all of the voters. Unlike major technology companies such as Apple and Microsoft, these vendors do not allow researchers to test their equipment and review their code to find vulnerabilities and bugs. The symbiotic relationship between tech software and hardware vendors and researchers helps them improve their products and keep them secure, but this is not happening. When it comes to voting machine manufacturers, they will not let the researchers have access to their equipment. The voting equipment companies have been highly resistant to any review by the research community, claiming their systems are safe and secure, yet they have failed to fix identified vulnerabilities in the voting equipment. They repeatedly claim everything is fine, we're all secure, this is a priority, we take this seriously, America's voting is just our basic concern. We don't fix vulnerabilities that researchers have found for 15 years. They let their voting machines be out front and used for voting, knowing they have vulnerabilities in them. I guess they think no one's going to exploit them. But really, to cover that up and try to say they're all safe and sound, that's just wrong. So during the three years of the Voting Village's existence, I think most of you are familiar with Voting Village, none of the vendors have supported the effort, nor have they been willing to donate or offer equipment. While the researchers behind the Voting Village, they're dedicated to this because, one, they want to help develop a community of cybersecurity experts in election security. There are not very many experts out there who know how to deal with election voting machines and cybersecurity problems and how to solve those vulnerabilities.
And they also want to make the voting machines and equipment more secure by letting these vulnerabilities be known. The problem is the vendors are doing nothing about it. And apparently the election officials also are not requiring them to fix these vulnerabilities before they have another election. So that's a big problem. So I want to put forth a proposal to address this problem and achieve results. Certain actions can be taken at the federal level that will push a standardized approach out to state and local election officials and will require certain actions to be taken by private sector companies. Article I, Section 4 of the US Constitution grants Congress the power to regulate the times, places and manner of holding federal elections. Federal elections deal with elections of senators, representatives and the president. Now state and local election officials are responsible for conducting all elections, but they depend on infusions of federal funding to supplement their state and local funding. So state and local officials can't really afford to have separate equipment and systems, one for state elections and one for federal elections. So when Congress mandates certain requirements for federal elections, they pretty much have to go along with those because they only have one system for voting. So therefore, if Congress sets requirements for federal elections and restricts the funding that these state and local election officials need to only those election agencies that adhere to federal requirements, we will begin to see consistent actions taken across the US that will tighten cybersecurity in the election process. So this proposal that I want to go over with you today is such a proposal to have federal requirements set by Congress. The first would be to direct NIST, the National Institute of Standards and Technology, to establish federal standards for cybersecurity.
NIST is the entity in the government that has established all the federal information processing standards. It's established all of the cybersecurity best practices and standards that have been put forth by NIST that federal agencies have to adhere to, and certain federal contractors. So they have a deep bench of expertise, not only in standards and cybersecurity but in secure engineering practices, and it would be appropriate to direct them to develop federal standards for cybersecurity of our election system software, the infrastructure and the hardware, all three levels that are used in voter registration, vote tallying, voter polling, and in the manufacturing, servicing or writing of election parameters of voting machines and equipment. The first covers the systems, the infrastructure, the hardware, the software, the hardware, the network that they're using. What are the standards for that? Because that is used in registration, in tallying and voter polling. Again, this isn't just one thing of one machine and go to the poll and vote. This is registering to vote. It's signing in and being IDed. It is voting. It's tallying the votes. It's polling the votes, the voters, and it's reporting the votes. All of these actions are largely performed by private sector companies, and we don't have any idea how their cybersecurity program is, whether it's mature or not. We suspect it's not very mature, but that's just a suspicion. But we should have a standard for saying it must meet these standards. Our democracy depends on it. That's worth a standard. And then we have the manufacturing and the servicing of voting machines and equipment. Absolutely. We want these vulnerabilities fixed. They need to be serviced and maintained and have integrity. The writing of election parameters means the programming of these machines. In most of the jurisdictions, the private sector companies program these machines for every single election. We need standards to govern how that's done.
Second, we should direct NIST to establish a certification process for the security and integrity of election systems, software, infrastructure and hardware and associated components and modules of the election process. So there should be a certification process to make sure they're meeting the standards. Next, we should direct NIST to analyze the private sector's role in the election process and recommend any roles or functions that should be changed or restricted to public sector election officials. There are some roles being undertaken by private sector companies that perhaps should not be a private sector activity. Perhaps that role should be strictly a governmental function. But let NIST analyze that in all of their work in establishing the federal standards and the certification process and recommend to Congress roles that should be perhaps reserved to the public sector. Next, we want Congress to pass a law restricting federal funding to election jurisdictions to only those jurisdictions that, one, use such funding in a manner consistent with the NIST federal election standards, and those jurisdictions that require annual cybersecurity assessments by an independent third party of all the systems in the election process in accordance with the standards, that require annual cybersecurity assessments by a third party of all private sector companies involved in the election process in accordance with the NIST standards, and to make these assessments available to election officials contracting with them. A company may get a cybersecurity assessment but it may not share it. We want these vendors to have to get third-party assessments every year and share those assessments with the election officials contracting with them. And we want the election officials to get third-party assessments of their systems in accordance with the NIST standards. This is what private businesses do every day. That's what's required of them.
This is not asking too much of election officials or private sector vendors that support the democracy that this country has been built on. We also want federal funding restricted to those jurisdictions that establish requirements for post-election auditing of votes, at least on the level of risk-limiting audits, and to make the findings public. So, restricting federal funding to only those jurisdictions that comply with the NIST standards, that conduct the risk assessments themselves, that make their vendors get the assessments and that have post-election auditing. There's a precedent for this. Congress has passed laws in the past to restrict highway funds to only those jurisdictions that lower the speed limit to 55 miles an hour. Congress has restricted funds to only go to those school districts that would adjust their cafeteria menus to comply with the new recommended federal menu. There are numerous other examples, but the Congress has in the past, in several instances, tied its federal funding to meeting certain requirements. There's nothing more important than having our federal funding tied to meeting the requirements that our vote counts, that every vote should be counted and it should be counted as cast. The American Bar Association, which represents over 400,000 attorneys, recently adopted Resolution 118, which calls for these exact measures. Cybersecurity best practices and standards can help because election security is not going to get solved overnight. Setting up a cybersecurity program for election assistance that's in compliance with cybersecurity best practices and standards will be a first big step. Congress may not pass a law right away, but election officials should already be doing this. They should already be saying we have NIST standards for cybersecurity programs. There are ISO standards. There are multiple standards out there for cybersecurity programs and every single vendor should be adhering to those.
They're not only using equipment with vulnerabilities, their own networks and systems are vulnerable as well. So it's time election officials step up and take action, even before Congress does. Election officials should require election vendors to meet cybersecurity standards and best practices, conduct annual risk assessments of their program's maturity, and do whatever the business would do, manage its risk. In addition, they need to follow the lead of California and other jurisdictions and hire experts to test the security of their voting machines and equipment and then demand that vendors close any vulnerabilities found. So why are these officials letting machines with vulnerabilities that have been known for 15 years be used in their jurisdictions? That's crazy. They need to demand these vulnerabilities be fixed. And they need to join with each other nationally and ensure that those machines are not used in elections. So legislation and other reforms are needed, but election officials can achieve these things through their own direction and in legal agreements with their election vendors, and they should begin now and do as much as possible before November. Thank you very much.