 Alright thank you everybody. So our next speakers are from NIST, which is the National Institute of Standards and Technology. These are the folks who help set national standards for a whole host of things, in this case elections. And so we've got both Mary Brady, who's the voting program manager, and works on voting specific standards and things like that. And Josh Franklin, who is a security engineer at NIST and works on security related things, including voting. And with that, I'll turn it over to you guys. Thank you everybody. I'm also, I like to roam, so I can't actually speak in front of a podium. But I just want to say thanks to the organizing committee for inviting us to give this presentation. I'm really not going to say much other than I'm really excited to be here. I'm looking for meaningful ways to engage with the cybersecurity experts here. Josh will talk a little bit about some public working groups that we've established at NIST, one of them on cybersecurity. Some of you I know are already members of that group who we sure could use a lot more help. I'd be interested in some of your thoughts about meaningful ways in which we can engage with the community. And we're here to tell you a little bit about the work that we're doing, get some feedback from you, and look for ways to learn from the community. With that, let me hand it all over to Josh. I guess I'll roam. Yeah, born to roam. Howdy everyone. My name is Joshua Franklin. Welcome to Hacker Summer Camp. It's been fun so far. Today I'm going to talk a little bit about my experiences in the election community for the past 10, 12 years. A little bit about how we got here, where we are going. First off, I'm going to start with this slide. There was a man named Dr. Joseph Harris back in 1934. And he was basically looking at how elections are run in the U.S. back then. And he actually found these various election fraud types, as he called them. 
 And it's really interesting looking at this list because we're still really, really worried about many of these issues today. We have since 1934 learned a little bit about how computers work and we've introduced e-voting. And what we've really seen is that now we have these same issues, but also modern electronic analogs to some of these same things. And so keep these in the back of your mind as we go through some of this. So who am I? Josh Franklin, IT security engineer at NIST. I typically do enterprise mobility LTE security. I also do electronic voting. I've been in this area since probably 2004 working in voting off and on. I currently co-chair the NIST EAC election cybersecurity working group. Prior to NIST, I was working at the U.S. Election Assistance Commission helping to test and certify voting systems. I got to travel the U.S. and really understand what the elections landscape looks like there. Previous to that, I was working at KSU's Center for Election Systems in Georgia. Learned a lot of things there. Helped install and maintain probably 22,000 voting systems there. I have been a poll worker in more states than anyone I think has. And I will keep saying that until someone proves me otherwise. So yeah. And I have a, um, master's in infosec from Mason. So, you know, get to know an agency. What, you know, what big federal agencies are out there? Believe it or not, the Federal Election Commission has little to no role to play here. They are primarily focused on campaign finance law. The Election Assistance Commission is what you really want to be looking at here. They are charged with providing assistance to local election officials, adopting the Voluntary Voting System Guidelines, and running a testing and certification program for U.S. voting machines. NIST is in this space. We provide the scientific and engineering backing for the Voluntary Voting System Guidelines. DHS is a brand new entrant into this area. 
 They are, you know, basically helping local and state election officials with, you know, cyber related issues. And then, of course, the good old FBI, they essentially prosecute domestic election crimes. At the state level, you have the Secretary of State's Office. They are primarily the lead election officer, first and foremost, deciding how elections are run in their given state or territory. They are typically third in line in succession in a state, so it's a fairly powerful elected position. And then, at the local level, this is where basically elections are actually run. You have counties, cities, townships, parishes, hamlets, all these different really small geographical entities that, you know, really, you know, actually know how elections operate because they actually do them. So, a little bit blurry. That wasn't just my pencil. On the right side, we actually have, you know, the voting machines that we all know and love. DREs, op scans, ballot marking devices. These are the voting systems that are actually in the voting hacking village. I was planning on pointing at them right now, but they're not here. So, we have, in the top right, we have DREs. These are, you know, basically voting systems that store ballot selections electronically. We have optical scan systems, which, you know, read paper ballot selections, typically scantron machines, but, you know, modern ones are actually using computer vision algorithms to, you know, figure out what's a, you know, what's a vote. And then we have ballot marking devices. These are a nice hybrid between the two systems. They actually have a touch screen interface, extremely usable, but they also have nice security properties of, you know, actually printing out a paper ballot. On the left side are basically all these other supporting election systems. 
 These are things that there are not really best practices and guidelines and standards about, but they're actually, you know, they're very, very instrumental in the election process. You have, you know, local and online voter registration systems, electronic poll books. These are the things that you'll, you know, check in with at your polling place. You have candidate filing systems. If you're going to, you know, run for governor, you have to file your information with your state at these candidate filing systems. There's, you know, also ballot tracking. There's poll worker tracking. There's just a whole slew of other supporting election systems. Here you also have, you know, campaign voter information databases. These are, you know, fairly large scale, you know, information and data collection, you know, efforts. And they're actually holding a lot of really interesting information about all of us. And so when we're, you know, thinking about securing the election ecosystem, we actually need to have a larger palette there. This is just for people reading these slides later. Cool. So, Matt Blaze is right. We, you know, our whole threat model has changed since the, you know, 2016 general. Previously, we had a threat, a threat model that would, you know, well, at least election officials did. There was a threat, a threat model about, you know, physically proximate attackers. In terms of intelligent adversaries, they're extremely worried about poll workers. Poll workers are the, are, you know, one of the, the nation's largest temporary workforces. And, you know, poll workers aren't necessarily vetted. They, you know, to the, to the degree that, that you would want. They often have privileged system access passwords, and they have time to actually play around with these systems. Election officials are also extremely worried about accidental errors and, you know, events such as that. 
 These are the things that more often than not will actually lead to an election, sorry, to an incorrect election outcome. So, elections officials are extremely worried about accidental errors. Natural disasters such as the 2012 Hurricane Sandy, I think it was 2012, that happened on the, you know, east coast. Definitely affected elections there. And just, you know, any real event that would, that would impact public confidence and trust in the election system. But since 2016, we, you know, we got the intelligence community report about, you know, meddling in our, in our elections. And what we're, you know, what we actually have evidence of now is basically nation state attackers, you know, hitting our election systems. We haven't yet seen attacks against vote capture and tab, tab, and tabulation systems. At least, you know, documented by the IC. But, yeah, we also saw issues of phishing of both election officials and voting system vendors. And the new threat model is really everything in the old threat model plus cyber, right? Yeah, so what do these voting systems actually look like? They are, you know, embedded legacy systems. That's how I would, you know, talk to someone about them today. They are typically running some UNIX or Linux variant. They might have a, a custom kernel for some reason. Some of them are, you know, running Windows CE 3.0. That's what was run in Georgia when I was there. Some of them have really old, you know, and pro, pro, proprietary physical media. I am 30. I should not, like, I should not know what a PCMCIA card is, but I do. You know, that, you know, that could be a, a problem there. You know, so net, net, networking, wireless is a fairly common phenomenon. Infrared, Bluetooth, Wi-Fi, cellular. Those are definitely things deployed in US voting systems. And these, and these things are basically needed to last for a long time. Many states are still using systems purchased in 2002, and there's not really a clear upgrade path there. 
 And these, and these systems really receive one to five updates over that whole lifetime. And these, you know, these updates are extremely expensive when they have to update. I, like, for my first real, you know, job when I wasn't a student assistant anymore at KSU, I was, you know, basically made to go and physically insert a, a PCMCIA card into 6,000 touch screen units across the state of Georgia to update an expired X.509 cert. Yeah, and it was, it was really interesting. I got some, I got some stories from that. I'll just, I'll just, I'll just say that. So, you know, now that we've talked about what these, you know, well, what these systems actually look like, what sort of issues have we seen previously? You can, you can look at some of the sources for our results at the very back of this. I will, I will tweet out these slides after this, after this presentation. But, you know, Barbara and David were, you know, talking about these independent reviews that we saw of these, you know, of U.S. voting systems. And it's really 15 to 20 independent reviews since probably 2004. So it's actually not a lot of outside scrutiny. And what, what NIST did recently is that we went through all these different papers, did a, you know, a literature review and looked at some of the, the, the, the various issues there and we then mapped them to Common Weakness Enumeration types which are basically a standard for software bug types, go figure, NIST likes standards, right? And so these were the, these were the top five software bug types that we saw. These were fairly common issues, I would say very, very common issues in the, in the, in the papers that we reviewed. And then just to, you know, up-level them a little bit, we basically saw a lot of input validation issues, you know, crypto and authentication. So it's, you know, everything's not on fire, right? There are, you know, good things happening in the, the voting arena. Risk limiting audits. 
 These have been really, I would, you know, go as far to say that this is the, you know, single best innovation we've had in election security since the year 2000. These are really meaningful, statistical audits that are fairly efficient. They can be very, very practical and they don't have to be extremely expensive. And so they can give an election official pretty good confidence in the election outcome without spending tons of money and time. Software independence. This is a concept championed in 2007, 2008, basically meaning that a, a bug in the software can't affect the election outcome. There's a, there's a better way to say it. But practically, right now, this means paper, you know, paper, paper voting systems. But this is the up-level concept that's, you know, more, more what desirable characteristics do we actually need in voting, in voting systems? There are proposals for come, come a completely software independent, fully electronic voting systems. These are called E2E verifiable cryptographic protocols. These are really cool systems that have not really been used on large scales yet, but they, they essentially give a voter a receipt that guarantees them that their, that their vote was included in the final, in the final tally, but they can't sell their vote with that receipt. So it's really cool. Essentially domain-specific crypto. These things have been, they've been used in Takoma Park, Maryland and a couple of other places. There's definitely arguing about what, you know, what constitutes this type of system. But it's definitely a, a, you know, really interesting research area and a potential path forward. And then finally, recognition of usability as a security issue is a big, big problem. Well, it, it, it's sort of a new thing in that, you know, the community finally said, well, you know what, if it's not, you know, if it's not usable, availability drops to zero. 
 And that can definitely affect the outcome, well, at least the, the security of the voting system. And so NIST really likes software independence. We are including it in our, you know, recommendations for, uh, you know, principles and guidelines for voting systems. Um, but, you know, paper itself is not a panacea in elections. Um, there are a, a number of, uh, physical security oriented issues that can really affect the election outcome. Um, you know, paper primarily gives you tamper detection and, and auditability, which is awesome. That's super, super great. Uh, but, you know, paper can be modified. Uh, it's, uh, it's, you know, it was a very common thing for a long time for whoever is counting ballots to, you know, put a little piece of, you know, lead underneath their, their, uh, fingernail. And if there's not a, a filled in, you know, bubble fill in that, uh, you know, fill in that bubble real, real fast. Um, there are just, you know, non, you know, non-cyber security related issues. Um, seals and chain of custody need to be, uh, verified. If you're not going to actually look at the paper trail, why have it? Um, there's, there's routine, you know, meaningful audits need to be performed. You can't just have paper. You have to actually do something with it. Um, then, you know, just generally, we need to, you know, up the, the, uh, the, uh, level of, of cyber hygiene in this area. Looks like I'm doing pretty good on time. Okay. Um, testing and cert, certification. What does this process look like? Um, basically the Election Assistance Commission runs a, uh, a, uh, testing and certification program for voting systems. There are, uh, there are multiple layers of testing and certification. Uh, the, the EAC performs a, uh, a federal cert, certification and then states do their own testing for, you know, their own needs. 
 Uh, some states have rules that are, that are, you know, that are like, you should be able to click straight ticket the whole system then selects all D or all R. Uh, but then you should, you know, be able to choose one other person and, and, and the other, uh, area. It's like the, uh, the, uh, Pennsylvania cross vote is what people call it. And there's just, you know, tons of state specific voting logic issues that states are testing for. Um, what does this actually look like? Um, this is, you know, at a, at, at a, at a high level, uh, you know, vendors submit an application to be tested. Uh, the EAC, a, a third party lab and then the manufacturers sit down. They figure out, uh, they essentially a testing contract. That's a test plan. Testing occurs. Uh, if there are issues, which, you know, I've never seen a testing campaign that, you know, doesn't have at least one issue. Uh, the, you know, vendor goes back, makes a change and then it gets tested again. Uh, ad, you know, ad nauseam. Um, at, at the end of the testing process, there's a test report. The EAC then says, yes, I would like to, um, you know, certify or no, I don't want to certify. If they do certify, uh, then you know, then a, a voting system goes into their quality monitoring program where states and labs and manufacturers and everyone gives EAC information about how that per, per performance, uh, uh, how that system is performing in the, the, uh, field. Um, yeah, I'm gonna go back a slide for a second and say, uh, if you're really interested in, you know, knowing more technical information about voting systems, EAC.gov is literally the best place. They have a, a test plan and test reports section, uh, and they have, uh, information on new voting systems that aren't really out there yet. 
 A lot of the systems that, you know, EAC has, has certified, uh, at least to the, to the newer standards, um, aren't necessarily deployed in the, uh, field yet or if they are there, you know, it's only in limited, limited areas. Um, but this is an excellent, excellent resource that they're, you know, doing a serious boon for this community. Um, in terms of voting standards, uh, the Voluntary Voting System Guidelines, it's an awesome name for a standard, right? VVSG, um, uh, these, uh, standards are pri, are, are primarily for vote capture and tab, uh, and, uh, and, uh, tabulation systems. So nothing about voter registration, nothing about electronic poll books, election night reporting. Um, there is no federal law mandating that every system, uh, comply with these standards. There just, there just isn't. Uh, the way elections work in the US is that it's, you know, typically, uh, the, you know, time and manner of choosing is left open to states. And so that's the same here in that, uh, you know, states can use, uh, come completely federally certified systems, uh, systems that are only, you know, partially certified. Uh, there are, you know, there's tons of variations out there. Um, in terms of security, um, well, just in, in general, uh, these are the, you know, various voting standards as I, as I see them. Uh, the 1990 VSS and 2002 voting system standards, these, these things were made, uh, not necessarily by the federal government. Um, uh, and, uh, it wasn't until the, um, the Election Assistance Commission was created in 02, I think, that, um, that, you know, we actually got the modern VVSG. The modern VVSG has a whole section on, uh, security. Um, didn't really even have that previously that much. Um, uh, and there's been large changes in security as, uh, as new, uh, standards have been made. But, uh, most systems in, in, in the U.S. are still certified to the 2002 VSS or 2005 VVSG and it's mostly 2002 VSS. 
 Um, but yeah, uh, in, in 2007, NIST made some recommendations for, uh, you know, for, uh, next generation voting systems. There was, uh, like a really robust, uh, security architecture that was recommended because of some various issues such as software independence, pen, pen, pen, pen, uh, penetration testing. Those were not, uh, eventually, uh, adopted. Um, and so what, uh, what folks did is they took parts out of the 2007 and parts out of the 2005, smushed them together. They got the 2015. Um, and so yeah, that's the most recently adopted standard. Um, NIST and EAC right, right now are actually working on a complete, uh, you know, it's basically a completely different way of looking at, um, election standards and we're, you know, basically having, uh, you know, it's, you know, it's basically driven by, you know, outside input, uh, by, you know, voters and concerned citizens. Uh, and we're, you know, putting together these next generation re, uh, requirements. Um, this, you know, this new, uh, structure is gonna have principles, guidelines, requirements and test assertions. Principles and, and guidelines are ultimately gonna be what's, what's adopted by the federal government and then re, the requirements and test assertions are going to be, um, a little more malleable, uh, because what we've really, uh, what we've really seen is that, um, you know, there's just been a lot of changes and sometimes folks get really, uh, locked into certain requirements and it doesn't really help to be locked into requirements from five or ten years ago. Um, from a security perspective, I am, you know, I'm co-chairing this, uh, this working group on, uh, you know, in this, in this area. Um, these are the seven high level principles that we have, um, listed. Each of these has a number of, you know, sub guidelines. They're all available at the, uh, at the NIST and EAC voting, TWiki. 
 Um, uh, uh, a couple of things I'll sort of, uh, point out under audit, you know, under auditability, which is the single most important principle that the whole group felt really, really strongly about. Uh, software independence is included under, under, uh, uh, under that. Um, under access control. We have things like, you know, two factor authentication for privileged election operations, uh, for data protection. We have, um, you know, using well, uh, well vetted publicly available, you know, and standardized crypto, which is really, really nice. Um, for software integrity, which we're changing to system integrity, uh, we have, you know, things like only digitally signed code can actually run on a, uh, on a voting system. If you want to talk about these later, I'll be, I'll be, I'll be around. Um, so just to, you know, before we get to questions and stuff, um, these are some of the big things that I think really need to be addressed. Um, we need routine meaningful audits. Uh, I think that is a really important, uh, concept that needs to be enshrined here. Um, we need regular external scrutiny of voting systems. Uh, it is absolutely key. Uh, you know, the more folks who can, uh, take a look at these, I am of the opinion, the better. Um, but when folks do find issues, uh, there needs to be responsible vulnerability disclosure, um, do not release a freaking zero day a week before the, the election. Uh, just don't, don't, you know, um, there are, uh, you know, there are well-known, well, I mean, essentially if you have issues, uh, if you find an issue, uh, talk to the EAC, talk to, to DHS. And yes, if you want to make my, you know, Monday morning bad, you can send it to me too. Um, that's perfectly fine. Um, so I think that we need to augment how we, you know, really manage elections, uh, security. Um, I think risk assessment, threat modeling, contingency planning need to be common terms for, for elections officials. 
 And I think that, you know, they need to be, uh, pretty, uh, you know, pretty knowledgeable on these, you know, in these concepts. Um, voting systems need regular software updates just like, just like anything. Um, we need to figure out how to get voting systems regular software updates. Uh, I think it is untenable to have voting, uh, voting systems with, you know, CVSS, uh, score 10, right? With, uh, you know, you know, 50 of those on a voting system that is just, uh, that's just un, un, you know, unacceptable. We need to, to find a way how to fix that. Um, and then election officials need actionable guidance. You can't just go yell at them and say, do this, do this. Um, that's not really going to help any, you know, any, anybody. Um, they need to, uh, you know, like, they need guidance in the language that they speak. Um, and so you have to help speak their, their, uh, their language. Uh, they are typically not, uh, cyber security experts. Uh, uh, election officials are, you know, basically logistics champions. They do really complex operation and everything's all happening at one, at one time. Um, then to finally, you know, I'll, I'll basically stop here. Um, so help make a, a, uh, difference. Many of you came, uh, means that you seem to at least care a little bit. Um, go, like, register and actually vote. Uh, don't let apathy hurt the overall system. Uh, be a poll worker. Um, this is extremely important. Um, uh, it will really change how you look at elections. Uh, and this is how you can effect change in your local area. And local elections are the elections that will actually have an impact in your, in your, in your life in a fairly large way, fairly quickly. Um, work with your election official, not against them. Don't antagonize them. Help out. Be a force for good. Uh, and then just completely in a self-serving manner, join these public working groups. Uh, we're fairly nice people. Um, yeah. So, uh, uh, thanks everyone. 
 Uh, Mary and I are here for questions. Yeah, definitely. Uh, yeah. So the, uh, the question was, uh, you mentioned joining public working groups to help local election officials. If you could tell us how to access those. So are you, are you bringing up the reference? So the, um, there's a set of seven, um, working groups. There's three election groups. It's for pre-election, election, post-election. And there's four, uh, we call them constituency groups because they're just sort of help support the elections. But they're, uh, human factors, so usability, accessibility, cybersecurity, interoperability, where a lot of, uh, a lot of the common data format work is being played out and testing. So you can, uh, follow a link that maybe is not coming up or the easy way. The easy way would be to go, go to vote.nist.gov. And there's a link off of that page to, to the working groups, uh, to the, the TWiki itself. And on there there's information about how to set up an account and how to, uh, to actually, uh, uh, join the mailing lists. And there's a bunch of, you know, pretty simple videos that you can follow. And if you have any questions, just ask us. Yeah, definitely. I'll, uh, tweet them out in a moment. Yeah, I was gonna say, on the Twitter. Cool. Yeah. So how are you addressing resiliency in terms of just, uh, maintainability and, and, and continued function as a security threat, uh, in how you're setting up the standards or how you're looking at these things? Because it seems like there's a bigger threat from DDoS by device failure in elections than there is from actual tampering with machines. Uh, we encountered a lot of that in the last election in Maryland where many of the optical scanners died during the election and there were, and votes were left piled up and in some cases unattended while voting machines were on, were the scanners weren't working. 
 So how do we address the actual, uh, ease of operation and continued use, uh, as part of the security model and putting these standards together? Yeah, that's a great question. Um, so, uh, we do have a maintainability-oriented principle that is, you know, going to be in, you know, it, uh, like, we only saw seven of the actual principles. There's a whole list of other principles as, as, uh, as well. Um, a lot of, you know, the answers there are, you know, uh, you know, going to be about build quality, uh, quality assurance. Um, there are, uh, you know, programs that the EAC has, you know, looking into quality assurance areas. But some of that is going to be on the election official themselves, um, to make sure that they're taking, uh, you know, good care of their, of, of their election system. Um, I definitely think that, you know, manufacturers play a role there as well, uh, in, you know, not, you know, not using, you know, bottom of the, uh, barrel components. Um, uh, I, you know, personally think I'm a, you know, I'm a big fan of COTS in voting systems, commercial off the, the, uh, the, uh, shelf. Um, you know, that would be pretty, uh, I would be a pretty big fan of like a non-networked voting system, you know, running on like a, a, uh, you know, tablet or Raspberry Pi that just prints a ballot right there. Um, uh, and you know, it, you know, that way if the actual voting system breaks down, you can just go, you know, buy another one, um, at Staples or something. Um, yeah, it, that's a, you know, resiliency and maintain a, you know, maintainability are really important questions. Um, I, somehow these systems are still working for the most part, uh, since 2002. Always kind of, yeah, it is kind of amazing. I hope that helps. Uh, thank you very much. Two very quick questions. Number one, are any of the efforts to update the VVSG going to take into account not just voting systems, but also non-voting systems? Uh, no. Okay. 
Um, is EAC planning to address that issue as well? So the databases and the election management systems and, is NIST? And then, um, uh, to the extent that a lot of people, a lot of counties just aren't going to be able to replace their machines, is the problem that we cannot technically update these software systems or is the problem that we just don't do it? Yeah, I mean, yeah, there's there, yeah, updating voting system software. I mean, it is, so we, it costs sometimes over a million dollars to get a voting system certified. Yes. And so if even one software update occurs, um, then there needs to be, uh, a new cert, cert, certification process. Now the, you know, second layer cert, certification process, that second order process doesn't have to be a full million dollar process. Typically it can be really, really small. I think that the, that the EAC has gotten those done in like two or three months, uh, in my, in my experience. Um, but then a local election officials would have to pay for those software updates, typically. Um, you know, folks want you to, you know, buy the, you know, latest version of, you know, of an app sometimes, right? I mean, uh, that's a very common thing and just elections aren't the most well funded, uh, operations. Let me just add a little bit to that. Um, I, the EAC, uh, prior to embarking on this effort to update the voluntary voting system standards, uh, led a group of, uh, led a group of folks that came up with some principles moving forward, not to be confused with the principles and guidelines. And, you know, one, one of the areas that, uh, they really do want to figure out, you know, what to do about is, how can we, you know, update this software? So, so it's in our minds. Uh, we, we don't yet have a solution because it's, you know, we really sort of have to look at the testing process and, and how it would feed into the testing process and how much it would cost and you know, like, how can this all work? 
So, if you have ideas, we're, we're certainly, you know. The voting is the, is the, um, domain of the states by constitution. Um, um, so the best that NIST can do is to set standards, correct? Is to set a standard and then the federal government can provide to the states money to assist the voting, um, system, correct? Um, am I talking into the mic? Okay. Okay. Okay. Okay. I just wanted to ask though, um, you may not want to be speaking for on behalf of NIST, but could you sort of share with us what your ideal voting system would be given the constitution, the way that the state, the voting works in this country, and also, um, part two of that may be not speaking for NIST again. Do you think that there has been widespread, uh, voter fraud, register, voter registration fraud? Okay. Uh, so for my ideal voting system, I might have to say I'll see you after class, uh, because that hasn't been approved by NIST management. Um, happy to talk to you out there, right? Okay. So, it was a multi-part question. Now, you're absolutely right. I mean, it's up to the states to determine whether or not they want to adopt the VVSG, and this is normally handled, uh, within the legislation, within the state legislature. So, some states, you know, require certification to, uh, require the use of certified systems. Some require, uh, the use of, uh, systems that are certified by a lab, but not necessarily by EAC, that are tested by a lab and certified, but not necessarily by the EAC. Some require you to, um, the certification to the VVSG, and they might grind their own state-sponsored programs, uh, to do that. So, you're absolutely right. We can set the standards, you know, but, you know, but we can't necessarily impose them, uh, you know, on the states. Uh, I'm not really sure what to say about my ideal voting system, because nothing's been approved by my management either, and I don't, I, I can't really comment on, on voter fraud. 
I mean, it's not, we're sort of kind of outside our, our area of expertise and what the things that we look at.

The states are not required to use them. If the states don't have to do anything, why does it matter at all, and how can we force them to have some model of the time, so it's at least the baseline?

So, let me just say that although the states are not required to use, uh, there, there was some, uh, recent study done by, uh, NCSL, the, and I always forget what that stands for in the National Council, Conference, Conference of State Legislatures, that, uh, indicates that 47 out of the 50 states do actually, um, that adhere to one of those areas, either, you know, use either certified systems, certified by lab, or, you know, to the VVSG, or, or somewhere, you know, even if they don't use those words, they use other words that, you know, that imply it. So, I, I do think that, uh, the majority of the states do actually want help. They're looking for help. They're looking for advice. Certainly there, there were quite a number of them that, uh, that voluntarily signed up for, uh, for some of the cyber hygiene services that were, uh, that were available via DHS. So, I, I, I think they're listening. They, they, you know, they're, I mean, the election officials don't want to be hacked. They, they want to, the elections to be secure. They, they, they, they want to be assured that the integrity of, of the election is, is, you know, is, is certainly, uh, withheld, you know.

Can you yell as well? Yeah. Yeah. What exactly are you trying to square there? I mean, like, uh, I don't think we've, have we said that? Okay. No, that's fine. No, no, no. Yeah. I mean, so we can be, I mean, so, you know, an air gap is definitely a, you know, powerful mid, you know, mitigation, right, for preventing remote attacks. Yeah. I mean, uh, states are, you know, going to have to make that sort of choice them, themselves.
Then, you know, if they actually want to have wireless or, you know, wired, you know, networking at all, that's going to be a choice up to them. I mean, yeah. I, I, I'm not really sure what you're looking for us to say. I, I mean, I guess what you're saying is on the one hand, there, there are public comments saying that we're not connected and we're standing here in front of you saying, you know, you got all of this, you know. It, uh, uh, yes, I, I mean, all, all of these, uh, you know, it, it's Josh is absolutely right. It depends on the state. It depends on, you know, it is the state, you know, looking for a certified system or they not, uh, you know, it's, you know, the way, the manner in which they, they can conduct elections or it is really up to the state. We don't have any control over what's said in public. You know, you know, the only thing we can do is do our research and make it, uh, you know, make it available.

So, uh, we, we don't actually do the certification at NIST, the, the, uh, the voting system test laboratories go through, um, the, uh, the actual, uh, voting systems and there's a series of tests that they run. The tests are developed by the voting system test laboratories, although we provide, uh, guidance into what they should be. And one of the, the things that the voting system test laboratories do have is access to source code. And you know, they, all of the systems that, you know, that undergo that testing undergo a source code review.

Oh, thank you. That's, uh, that's interesting. It's, uh, well, we'll wait and see what Congress does. No, I, I didn't. I can reach her.

Okay. So since January, the Department of Homeland Security's decision to, um, decide that election, voting systems, sorry, are critical infrastructure. Right. So January, they decided, okay, voting systems are now critical infrastructure. How is it that they're critical infrastructure, yet the EAC, the federal entity that oversees voting systems has no teeth in essence.
And that some states still do not have to abide by the voluntary voting system guidelines. When will the voluntary, the first V in that VVSG be dropped, since we now know that they are critical infrastructure, Wisconsin is one of your three states that in its statutes says it does not have to and will not only use certified machines. So it's a big issue in Wisconsin's a swing state and they're not interested in changing their voting systems. They like having that control. So what's your opinion of when we'll drop that first V?

I think, yeah, I think Candice is right. Talk to your congressman or woman. We have no control over over dropping that first V. I haven't really heard serious proposals about about doing that either. I just haven't heard them discussed at all.

I'm an activist and I've been doing it for many years and I thank you for your presentation. But I take exception with a few things. Okay. I take exception with the EAC when they certify something like virtual private networks and I go into a court case and the head guy of Wisconsin says, gee, I said, how could you let these virtual private networks be set up because we know most fraud is done by insiders. Okay. One person and he says, I wasn't me, was certified by the EAC. Okay. And when you look at those guidelines, okay, you know, when they pass the Help America Vote Act, there was no security standards until 2005. Two billion dollars that's been on these crap machines is what they really were. Okay. You know, I get very frustrated when an elections administrator says to me, we know it's working really well. We did a logic and accuracy test before and after. Well, I know when that test was done, it probably worked right. All you got to remember is Volkswagen, my God, they passed 600,000 tests. The machine was rigged to pass. You buy a flat screen TV, says it's high energy efficient. Okay. You plug in the tester, the screen goes dim. It cheated.
We need systems that are transparent, trackable, publicly verified. You know, the stuff that comes out of the EAC just blows my mind of how inept and you know, I don't think they even had a chair of that committee for what, six years or something like that. I mean, what a way to do the voters to know that we live in a country that makes believe that we're that other country. We know how Fraction Magic works. We know how the systems are set up. And then to be insulted with these virtual private networks being set up and have somebody like I said, in court stand up and say, well, gee, we didn't certify it. The EAC did. Thank you.

So I think everything you just you know, talked about is you know, sort of really shows the need for you know, outside external scrutiny. You know, regularly. I think that is a powerful force. This is in, you know, this is a large collection of examples of basically outside of scrutiny. You know, it you know, definitely provides a a check against the the certification process.

Yeah. Good question. Yeah, yeah. Um, so the actual standards that we're going to be, you know, making are basically, you know, going to be vendor agnostic. And so any number of vendors can, you know, submit their, their systems for certification. And so, you know, we would still have that, you know, you know, you know, that, that nice diversity. It's diversity, a vendor. Yeah, yeah. Not a different. Yeah, yeah. I mean, I do like the, you know, you know, voting system diversity. I do think it is a, a serious boon, but I mean, if you look on the internet, I mean, you're going to be able to find operating system versions and patch, and patch levels on a lot of places. And so I just don't want to put too much emphasis on that. I think, I think things like software independence and regular meaningful audits are a much more stronger security mechanism to make our, you know, overall system more secure, to be honest with you. Yeah, yeah.
So one more thing, after these guys wrap up, I do want to give them a round of applause, but so we've already had our first two successful breaches in the voting village. A WINVote was wirelessly hacked with the remote access already. And a me poll book, internal data structure was already hacked and that was about 20 minutes ago. So an hour and 40 minutes in, and we've already got our first two successful hacks. So. All right.