Thank everybody for coming today. We might be getting spring. So let's keep hoping. So tonight, what we're going to be talking about is cybersecurity and our election system. Specifically, our elections are the core of our democracy. The principle of one person, one vote. And the integrity behind that principle drives our democratic process. From our local towns and municipal elections, all the way up to the election of the US president. In this digital age, we have seen an ever-evolving threat to our electoral process, an exponential increase in cyber attacks by foreign and domestic bad actors, and who are seeking to undermine the integrity of our elections and to sow fear and doubt. The news that 21 states had been targeted by the Russian cyber attacks in the 2016 election has thrown this important issue into the public spotlight. We're going to talk more in depth as we go through this presentation. But it's safe to say that these events have put an increased focus on cybersecurity and our election systems. Let me be clear. The entire United States intelligence community is unified on this issue. I can tell you that secretaries of state across this country, blue states and red states, are working hard every day to combat this emerging digital menace. Our cyber enemies are sophisticated and always innovating. In order to protect our elections and secure them, we must stay vigilant. Anybody who tells you that we are 100% protected today cannot say the same thing tomorrow. And in order to stay one step ahead of the bad actors, we must remain constantly in focus of what we're doing. I thought it was important to convene tonight's presentation to provide the public, the media, lawmakers, and public officials insight into the protections that we have in place surrounding our elections here in Vermont. And to highlight the work we're doing here in Vermont and nationally to innovate and keep this work moving forward.
I'm joined tonight by members of my team, including my deputy secretary of state, Chris Winters, my director of elections, Will Senning. His team is here. And that includes Laurie Bjornlin, J.P. Isabel, Liz Harrington, and Lillani Oatway. In addition, my IT staff, I have, let's see, where's Brian Howard? Did he move? Oh, he moved. You were up there before. Brian Howard and John Welch, who head up our IT department. From the state, we have ADS secretary, where there he is. You moved, too. The agency of digital services, Secretary John Quinn. Lance Burnham from the Vermont State Police. Jessica Stoles from Homeland Security. And then we have our guests from our federal partners, Matt McCann, the regional director for Department of Homeland Security, Office of Infrastructure Protection, Ben Spear from Director of Elections Infrastructure, Information Sharing Analysis Center, Leslie Reynolds from the National Association of Secretaries of State. I think I got everybody I was going to go, oh, Sheila Reed is here from Bernie Sanders' office. And I'm not sure did anybody come from either Welch or Leahy. They were invited, but they're not here. So going forward, you're going to have a chance to hear from our guests tonight about the important work they're doing and how we are all across this country working together collaboratively. The integrity and cybersecurity of our elections is something that we all believe is a top priority. And with that, we're going to get into the presentation itself. There will be ample time for questions at the end. So I would please ask you to hold your questions until we get to the end. You got the lights? I don't know how this is going to do for you guys, but on the cameras. So elections are the, there we go. Why are we here? Elections are the core of our democracy. An attack on our election system is an attack on democracy itself. A breach undermines our confidence and sows doubt. I got to keep it over this way.
Continuing on that theme, hacking is not necessarily to change results or steal information. Undermining democracy can be a dividing issue, making us stay at home and the threat knows no party lines. And just to kind of briefly say, there's been lots of news stories about social media revelations in the past few weeks with Facebook, Cambridge Analytica. And what we need to know is that the they that we're talking about are generally foreign and domestic bad actors. Their goal is to create chaos, divide us, and make us weaker. So continuing on, in the news, back in 2016, just before the election, there were Russian attempts to influence our elections. The Intel community is unified on this front and they know that it happened. We take it seriously and we've devoted significant time and resources to respond. Vermont was not one of the 21 states that were scanned or targeted. It is important to note there was only one state out of the 21 that was actually breached. And that state was Illinois. There was recently a 60 Minutes story about that I think two weekends ago. And they talked about it. No votes have been changed to anybody's knowledge. There's been no evidence of any change in votes. It was an attack that went into their voter registration database. They found it and they stopped it and then self-reported. Voter registration databases seem to be the target, at least recently. And that's what we expect, or election results databases. And since that time, since that 2016 election, it has consumed almost all of our time and our resources as we go forward. The majority of the activity was scans. And that's a very simple thing. What do people ask me all the time? What's a scan? What a scan is is a burglar walking up to your front door in the middle of the night, jiggling the doorknob to see if it'll open, looking through the windows to see if they can get in that way. They're looking for a vulnerable area that they can access your system.
So part of our federal response, we've been working with the Department of Homeland Security. To be honest, I think even they would admit it was a bumpy start. We received a phone call in August of 2016. It was a conference call with all the states. And we were informed that they were expecting attacks to occur, that they thought that they had already seen some. But we didn't know what that all meant because it was just a strange phone call for most of the secretaries. And we took time to try to understand it better. We had several more phone calls that fall leading up to the election. And then in January of 2017, Secretary of the Actings, or the Secretary at that time actually designated elections infrastructure as a critical infrastructure for the United States. At that point, we still didn't know what that meant. And it wasn't until probably mid-summer before we finally, as a nation, did the secretaries understand what that meant. What the critical infrastructure meant. What it did mean is that there were additional resources available to us. Almost immediately back in 2016, when we got the notification, the state of Vermont did contract with Department of Homeland Security to do what we call weekly hygiene scans of our systems. And we continue that to this day. And we will continue it right up through to the election where they actually do a scan of our systems to see if there's anything that shows up from the bad actors. We're working together, and I think that's the important part. Department of Homeland Security, we did, like I said, receive the critical infrastructure designation. We ramped up a governing council, the government coordinating council, the GCC. And from what I understand from Homeland Security, that was one of the fastest setups of a governing council. We did it within several months of actually having the designation where we have a council, I'm a member of it for the state of Vermont and for my national organization.
And what this does is it offers us better communication. It offers us better attention to detail and to know what is occurring out in the field. So at this point, I'm going to actually introduce Matt McCann who's going to lead us through the Homeland Security slides.
Thank you, Secretary Condos. Get up, I'll be okay. All right, thanks very much. So good afternoon all, and thank you for the opportunity to come and speak with you today. As Secretary Condos mentioned, this issue of election infrastructure security is one certainly near and dear to our heart, where we actively partner to keep our elections secure, as mentioned. So I just want to put in context what my office does and how we've partnered with the secretaries of state around the country. Our focus is countering terrorism and building the resiliency of the nation's critical infrastructure through both voluntary and regulatory programs. And you can just keep through that, please. And on to the next slide. Needless to say, our critical infrastructure in this country faces a variety of threats. The one near and dear to our hearts with election infrastructure has been referenced as cybersecurity, but there's certainly a number of challenges for critical infrastructure, not to discount things like pandemics, natural hazards, severe storms, of course, terrorist threats amongst others. As you can see here, please continue. So as Secretary Condos mentioned, in January of 2017, Secretary Jeh Johnson of the Department of Homeland Security designated election infrastructure as a critical sub-sector. What this has enabled us to do is to organize for the collective good and it allows the states to receive prioritized assistance from the federal government to support those efforts. So how do we do this? Well, there's a variety of ways. We, first and foremost, it was mentioned by the secretary there's the ability to do cyber assessments and support. And with me today is our regional cybersecurity advisor, Ron Ford.
Ron, could you say hello? Who is a subject matter expert and provides support to the states in this endeavor. We also do physical security assessment work with the states upon request. The secretary and key staff have been offered security clearances to enable them to receive classified briefings on topics such as nation-state actors that may be seeking to impact our system. There's training available both online and in person. There's exercise support. We support task forces and working groups as those have been stood up. And of course we come and do speaking engagements like this. But I'm very pleased to note that Vermont has received $3 million this year under the Help America Vote Act election security funds to support these efforts to strengthen resiliency in the system. We value this partnership with Secretary Condos in the state of Vermont. And we're committed at DHS to working with election officials to provide the support necessary to ensure a smooth and secure election process. So that's all I have, Secretary.
Great, thank you, thank you. So the next federal partner who is not here is the Elections Assistance Commission. This is an organization that actually handles a lot of the technologies. They provide certification of equipment, provide process, looking at our processes to make sure that we're doing it correctly. They provide advocacy and some resources. The $3 million that you referenced, that's coming through them to us. And we just received actually notice this week that that money will be arriving shortly. And we're already planning on how we're gonna use it going forward. I do wanna be clear that Vermont uses an OptiScan scanner, a vote tabulator. We have about 135 towns out of 246 that use them. And those tabulators are EAC certified. So they are an approved certification. Some of our other partners, and our next speaker, is MSISAC. MSISAC stands for Multi-State Information Sharing Analysis Center.
It's a division of the Center for Internet Security. They have provided the state of Vermont, to our elections department, what's called an Albert Monitor, which actually monitors all the traffic coming into our system. It's done on a real-time basis and we will receive back any information from them as we work through. They monitor it on a 24-7 basis. Ben Spear is the Director of Elections Infrastructure for ISAC and he's gonna now speak a few minutes.
Secretary, thanks. So thanks for having us, Secretary. And let's talk a little bit about the ISAC, what we do, where we came from. So the MSISAC, as the Secretary mentioned, is an organization that's been around for about 15 years. It's been originated out of primarily the IT security offices in most states and we have all 56 states and territories as members and over 2,000 local governments that participate in an organization that is focused on sharing information, sharing technical data on cyber threats, cyber activities, and then also providing some technical services as well. When 2016 was ongoing, we were very much involved in a lot of the discussions and the assistance in that kind of response. And so based on that and based on that experience and developing a whole-of-government approach and view of securing the state and local tribal and territorial sector, the GCC, which Secretary Condos sits on, approved the MSISAC to serve as the home for an ISAC specific for the elections infrastructure. We're calling the EI ISAC, or Elections Infrastructure ISAC. This ISAC officially launched in March of this year, although we've been servicing elections agencies for several months and in some cases years, depending on how they've been assigned to us.
But this is a much larger initiative that is not just focused on the technology staff in these organizations, but is also focused on helping the elections officials understand the cybersecurity risks and threats that are affecting their particular community. And so there's a lot of new products that are coming out from us, a lot of new tools that we're making available to elections agencies. As Secretary Condos mentioned, Vermont is one of the first states to obtain an Albert monitor. This is a sensor that we have, we have it deployed at the statewide level in 53 of the 56 states and territories, as well as several local governments. And we're now gonna be expanding that service to elections agencies at the state level to protect the voter registration database. And so Vermont has come on board and acquired one of these sensors. We're gonna be distributing many of these throughout the next month so that we can get them on board before the primary and the full 2018 election midterm cycle comes on board, comes through. This is a 24 by seven, 365 operation. We're based in East Greenbush, which is just outside of Albany, New York. And we have people there all the time that elections officials, that IT staff can call and say, hey, we have an incident, we have something going on, how can you help us? What do you have? What do you know? What can you share? And that sort of provides that great whole nation, situational awareness of what's happening in the elections community. As part of that, we're also providing a number of products that we're putting out for elections officials. So we have a lot of, for instance, weekly news alerts that address cybersecurity news, address election security news that are looking at the context of how does this affect elections? Why should I care about this? Why is it something that I need to be thinking about as I implement and consider the cybersecurity risks that are affecting my organization?
We also have a lot of educational information materials that are trying to explain key cybersecurity terms, definitions, trends, so that there's a better understanding and appreciation for what it is that might be happening and so that elections officials can better communicate what it is that is ongoing. And that's been one of the big items that, what is the language? What is the messaging that we can use when we're talking about cybersecurity threats to the public? And that's a great tool that we're able to help provide through those types of products. And then lastly, because of all those sensors we have out there, we have the ability to put out products that give you a view into that whole threat landscape. In addition to that, we're also providing some other services, such as we have no-cost incident response. So if any elections official agency has an incident, we're actually able to have a team that can help and conduct that response at no cost. And we do a lot of monitoring and kind of activity on Twitter and Facebook and the dark web looking for actors who might be calling out and naming, hey, something is happening in the state of Vermont. Well, we wanna be able to identify that so that we can see that and then notify the secretary and his staff in particular. And then we're promoting best practices. A lot of states and elections agencies are already doing a lot of the hard work, but our parent organization, the Center for Internet Security, has put out a handbook on election infrastructure security on the key controls that you wanna be putting in place to ensure that your elections infrastructure is secure. And we're working with a lot of states to implement that handbook and to help them identify the risks in their organization and determine what are those risks, what are the costs, what are the sort of the give and take there to determine what is the best way to mitigate those risks. So we've got a great partnership with the state of Vermont.
They've really been a key partner through the GCC. They've come to visit us down in East Greenbush, met with our teams, learned a lot about what we're doing and we, of course, have come here as well to help out to really help and secure the elections infrastructure and have a great understanding of how elections work here in Vermont and how we can help to mitigate those threats.
Thank you, Ben. So at this point, I'm gonna ask, because I know he's short on time, John Quinn, I think you probably wanna say a few words about what the governor is proposing or doing at this point, so come on up, because I know you have to leave early, so.
Governor Scott, when he came into office, recognized that not only in the elections area, but state government overall needed to worry about the data that we protect and the data that we hold for Vermonters, so, through executive order, the governor created a cyber advisory team that's made up of people from the Agency of Digital Services, the Vermont State Police, the Vermont Emergency Management, Vermont National Guard, the Attorney General's Office, the Secretary of State's Office, along with UVM Medical Center, security professionals and Norwich University and Champlain College, who both have excellent cyber programs, and VELCO, one of the utilities in Vermont, so. Our mission is to advise the state of Vermont on cybersecurity and to promote and retain high-paying cyber workforce, raise citizen awareness, advise on strategic operational and budgetary needs for state government and for the state of Vermont in order to protect our data and to engage with state and federal partners to make sure that we're assessing and managing the risks associated with cybersecurity.
We've been meeting monthly for several months now and we're working on a three to five year strategic plan for the state of Vermont that will include not only state government, but state of Vermont small business and protections that they may be able to take moving forward.
So some of our other partners that we have in the National Association of Secretaries of State, Leslie Reynolds is here. She's our national organization, the Harvard Belfer Center. Chris, do you wanna talk about the Harvard Belfer Center?
Thanks, Secretary Condos. When I started as Deputy Secretary of State three years ago, I had no idea that elections would consume so much of our time. I was told after the presidential election there's this lull where you can get to other projects and do other things and it really hasn't stopped. We've been all consumed and we've had to divert resources and reprioritize to work on things like this. I did wanna mention the Harvard Belfer Center. It's directed by Eric Rosenbach and features former campaign managers for Hillary Clinton and Mitt Romney, both of whom had their campaign emails hacked. Candidate Clinton's email hack got a lot more attention, but Candidate Romney had a hack as well. So their campaign managers are part of this bipartisan effort with Harvard's Belfer Center for Science and International Affairs. They are also collaborating with the security and technology communities, including Facebook and Google. They have a defending digital democracy project which recommends some strategies, tools and technologies to protect our democratic processes and systems from these kind of cyber attacks and information attacks. And by creating that team of bipartisan folks comprised of top-notch political operatives and technology leaders, the defending digital democracy process offers all kinds of concrete solutions to some of these problems.
We did myself and Will Senning, our director of elections, and John Welch, our IT manager, took a trip down to Cambridge just a few weeks ago to participate in a tabletop exercise down there, which is kind of like a war games planning for the worst election day ever. And it was really, really informative and I'll speak a little bit more to that a little bit later in the presentation, but just wanted to point them out as a very valued partner in addressing these issues. One of the things that they put out, they put out a lot of materials. They have handbooks for local and state elections, as well as cybersecurity communications, and they even do one of these for campaigns. So anyone running a campaign can get some valuable information there. One of the things that, one of the biggest lessons learned from that tabletop exercise was how important communication is. And I, along with others, do the communications for the Secretary of State's office, including social media, and good communication is really going to be key if anything happens with our elections in the upcoming elections or in between. And the media, we consider the media another one of our valuable partners in all this in disseminating really important information to voters. And we want to use them to help disseminate accurate information and sometimes to help us combat misinformation that gets out there. And we'll really rely on those relationships to get the word out, especially if we run into some sort of a hack or some sort of a disaster when it comes to elections. And we have fairly active Twitter and Facebook accounts that we'll also rely on to get information out to the media and to consumers. As a result of the critical infrastructure designation in the ISAC that we've set up, we also have a specific, what's it called, Will? Sector specific. Sector specific group that has ramped up and that includes our elections and cyber vendors that are out there. So they're part of this. 
We are constantly working with them. One of the things that we've done in Vermont as a best practice is we've included cyber security risk assessments in any IT solution that the Secretary of State's office is bringing up. It's part of our contract that we have when we put our contracts out. So we're very focused on this. We've included it, like I said, in our contracts and we want to continue that effort. The Vermont elections process, Will, were you going to take this or do you want me to go through it? You want to, come on over here. Will's going to walk us through the Vermont elections process, including the existing equipment and procedures. Hi, everybody. Thanks for being here. I was going to start, so I'm giving the very quick overview of the sort of basic administrative process for how elections are run in Vermont to give you all some background and our federal partners even more background than they already have. I was going to start with the basic fact and the sort of most important thing to acknowledge, which is that our town and city clerks are the primary administrators of elections in Vermont administrators and really consider them as we're using the kind of terminology that we're using today. They are the front lines in this fight against the potential bad actors looking to do our elections harm. So I always start there and acknowledge the hard work they do and we have at least two in the audience today. We have Sally from the town of Lincoln and Deb Beckett in the back from the town of Willis and so I really appreciate you two being here. Like I said, they really run the show. The role that our office plays with the Secretary of State's office is really an oversight one. We provide guidance training, guidance on a day-to-day basis, phone calls and emails from the town clerks all the time. I encourage them to contact us whenever they have questions. Jim introduced our small but very capable elections team which are all here. 
There's a total of four of us besides me, so five total. The state, we sort of, one of the basic functions that we have in the administration process is creating and providing the ballots to all of the towns and that necessarily sort of involves us in a lot of the pre-election process of processing candidates to make sure we create those ballots and get the right candidates on the right ballots for the right towns. Clerks handle voter registration on an ongoing basis throughout the year. Most of them handle candidate filings from our reps and senators. I also want to acknowledge and thank the reps and senators who have made it tonight. We really appreciate you being here. One of the other real primary pre-election responsibilities for the clerks and for our office is absentee ballot administration. Vermont has a pretty wide open absentee ballot process. As soon as ballots are ready, 45 days before the election, people can start to request them, have them mailed to them and or come into the town clerk's office and vote in person at the town clerk's office. We send ballots out by mail to all civilian voters, domestic civilian voters. Our military and overseas voters can request them electronically. All ballots in Vermont are returned by paper via the mail. That's why it's important for us to comply with, besides that it's federal law, the 45 day requirement to make sure that our overseas and military voters have time to vote their ballots and return them on time via mail. On election day, the clerks are the presiding officer at the polling place. In towns where there are more than one, they'll appoint a second presiding officer, but they're really responsible for, like Jim said, about five or six a.m. in the morning until 10, 11 o'clock at night when the results are processed. Following that, we do election night reporting on the night of the election. I think actually that's an important theme we all wanted to raise here in general.
That election night reporting is part of the sort of modern day demand for everything as fast as possible. So we want our results essentially by 7:05 after the polls closed at seven. While that's possible for the national media for Vermont for presidential elections, it's difficult for almost anything else. But I think that's, like I said, a theme that's important to keep in mind is that's really, to me, the underlying balance that's going on here all the time, which is to say that elections could be super secure and have almost no security related questions if we all could be patient and wait two months for the results while we hand count every paper ballot. There's some happy medium there where we have some speed to the result processing, but we also have an election and a result that we can all be confident in. As Jim's mentioned, I think sort of a fundamental best practice that we have here in Vermont and that we have always had is that we use paper ballots fed through these optical scan machines. So every vote in Vermont, there is a specific paper record for being your ballot, which are stored in the town vaults for no less than 22 months following federal elections. So any questions that may arise about the legitimacy of any election result can fundamentally always be checked using the paper ballots. A common theme that's come up since 2016 too as a lot of the states around the country that don't have paper ballots have been encouraged to and have started to revert back to the use of paper ballots is that you can have all the paper ballots you want. It does you no good if you don't do audits. Vermont also does audits. So we've done audits of our paper ballots after every election since 2006, I believe. I'll let Jim get into a little detail about those audits later, but you've got to couple the use of paper ballots with actually getting something out of their value of being there by using them to audit your electronic results.
Take the time to mention now that our tabulators primarily came in 2008, Lori, through 2010, although some towns had them before and some towns have gotten them since. But generally it would be a fair comment to say that they are old. We hear that sometime. Well, aren't your tabulators getting fairly old? I'd say that's fair and we're thinking about the replacement coming up. At the same time, however, I always note to people that tabulator age should be measured in use and not time. So a tabulator that's been used for one election in New York City or Boston is significantly older than a tabulator that's been used for 10 years in Lincoln, Vermont. For obvious reasons, it's about the volume of ballots that have gone through the read head feeders on there and how soon they start to jam and not accurately read things. So I would say relatively to the rest of the country, our tabulators are pretty young at this point in terms of volume of use. Those tabulators have no internet connections at any time in their life cycle. They have no modems, which is another vulnerability that's been raised in some of the national press lately. Some of these tabulators, even optical scanners, will then communicate their results back to the central office via modem. And believe it or not, but the phone lines are as susceptible as the internet lines to hacking. Ours have no modems either. What they do is they read out a paper print out of the results at the end of the night, which is then entered by the clerks into our election management system. So in the same way you have those paper ballots, ultimately as really the true paper record of each individual vote, you also in the case of the tabulators have the tabulator tape that was run off the machines on the night of the election. Those tabulators are programmed and run the smarts. 
I say they're never internet connected, so how do they get their information is through what we call the memory card, which is provided by the tabulator vendor LHS. There is a strict chain of custody procedure that all of the clerks are trained on and well aware of and given the documentation for, for every movement that is made with either the tabulator or the memory card from the time they receive it from LHS is logged in their chain of custody log. The point there being that that is really the only place where there is a, would be the potential for the tabulator to be infected with any kind of malware or any kind of programming would be via the memory card and somebody would have to have physical access to that memory card in order to do it. You can't do it through any kind of software, remote software. So as long as we're protecting the physical access to those cards, those tabulators are secure and free from influence. Clerks do use a web-based online election management system to report their results after the election and to do their official result reporting in the days after the election. That's where all of the discussions that we have with John, our IT director and the folks at the MSISAC are most critically important because it's protection of that web-based election management system where those kind of firewalls, monitoring, logging, air-gapping become critically important. So all I can say from my very limited IT knowledge is that we've put in place all of the most up-to-date recent effective tools to protect that election management system. One quick note, just so again, my basic process always gets more detailed than it should be. The Clerks do participation reports after the election as well through that election management system which is taking your paper checklist where you checked in all the voters at the polls and entering that into our system and checking the voters off your checklist who showed up at that election. 
It's an important data gathering point for all kinds of reasons, of course. It also provides us the ability to audit for cases where the same voter from the statewide checklist may appear on more than one participation report. We have a statewide voter checklist, last thing I'll mention, that is also sort of the second most primary important part of that election management system. You have all your results processing, candidate processing, ballot creation that happens in there. It's also where we house our federally mandated statewide voter checklist which is a bottom up system which is to say that the Clerks have the primary responsibility for entering the voters for their town into that checklist. It's all kind of conglomerated at a statewide level for a statewide checklist. They have the ability to search and view the rest of the statewide checklist but only to edit and add to their portion. That's about it. I hope it gives you a basic understanding. Again, thanks to our town and city Clerks. Just came from a nice training of new Clerks this morning. Give you an example, it's ongoing all the time. Laurie and Leilani assisted me in the training this morning. And of course, when we complete our audits, we, following the audit, there is always a challenge and appeal process that the legislature has put in place as well. To get a little more detail on the best practices, obviously paper ballots are a key. It's a non-technological base but it's key to everything we do is to make sure we have a paper ballot. And I can tell you that the Clerks will tell you and our team will tell you that we have, for every vote that's cast in the state of Vermont, we have a paper ballot that matches it. The vote tabulators, what we use for vote tabulators are optical scans. They actually have two software systems. One operates the optical scan part of it. The other operates the machine itself. And all it does is read the ballot and record what was voted on. 
After the election, well, I think, and even Sally and Deb, the boards of civil authority, when the election process closed for the night, they actually go through all the ballots, looking for write-ins, looking to see if someone, instead of filling in the circle, they circled the name, that kind of thing on their ballots. So there's a process that they go through looking at the ballots to make sure because those would not be counted if they circled the name. It would not be counted by the optical scan machine. We have vote tabulators in approximately 54% of our towns that legislature a few years ago passed legislation that requires an optical scan machine if in any town of 1,000 voters or more, those 54% of the towns, 135 towns out of 246, actually represent 80% of the vote totals in Vermont. As I said before, the ballots are then sealed and stored securely for 22 months. And use, I can't say this enough, the use of the paper ballot is the single most important mechanism to protect against an attack on our vote tabulators or election results online. Additional best practices, random audits, Vermont has been completing post election audits since 2006, always confirming the accuracy. We've always confirmed the accuracy of our tabulators. We've never found a discrepancy. Approximately, currently the rule, it used to be only, it was about little less than 4% of the towns and they only did two races. We increased that to 5% and made it mandatory and we do 100% of the ballots in the towns that are audited and 100% of the races. So we do everything from the president right on down to justices of peace and confirm those numbers against the existing. And by the way, those numbers are on our website. So you can always find them and look at how we compared. Again, the tabulators are not connected to the internet. I can't say that enough. We say it often on a national basis. They are not connected by hard wire or Wi-Fi. 
There right now are about, I think it's about 10 states that are still using touchscreen machines, DREs they're called, with no paper backup. However, the good news is that just recently, both Virginia and Pennsylvania by executive order of their governors have now required that going forward, they're gonna require paper ballots. And I believe New Jersey and their recent elections update are also doing the same. As far as the 2016 audit, I do want to point out that right there is Thomas Weiss who's sitting out here. He was probably sitting just about in the same place. But Thomas Weiss has actually in the last, probably what six, the last three elections at least, you've been there for every one of our audits from. Every audit you've ever done. Oh, okay. Well, some of them were before me. Some of them were before me. But no, and we appreciate that. It's good to have that public. When we do the audits, we do it as a public process. In fact, we've moved the audits to this room. So we are now doing them here. We don't use the current machines or the same machines that are used on election night. We actually use a completely different system to do the audit. And that system actually gives us, at the end of the day, we actually have, we'll have the actual printout. We have reports that are printed, but we also have printouts of the ballots themselves. This is what it looks like when we're looking at a race. It'll pick the least 100, but you can set the parameter 50 or 100 or 200, but it'll pick the least confident ballot markings. For instance, some of these you can see, the machines might not pick them up generally. When you click with this system, if you click on one of those ovals, it'll open up the entire ballot. So you can see, is this something that they do on a normal basis or is this something that was just individual to that one vote tally? 
It's really, it's state of the art and we're really pleased to be able to do that because it offers us a second look at the ballots and it offers us a real confidence that the totals are correct. As far as continued best practices, state and local autonomy over our elections is our greatest asset against cyber attacks. And the fact that we have our hardworking town clerks that are sitting and administering these elections for us makes it difficult for anybody that would want to try to attack us cyber on a cyber side. They'd have to have an army of people and really what are they gonna do? I mean, each town in Vermont or each district in Vermont is about 4,000 people in a house race. So it would take a lot of effort to try to change any of the vote counts. They are the front lines of our defense. We go through a biannual training every year and during the election year, we offer training sessions throughout the state for the town clerks. This year we are going to add by summertime we will have and prior to certainly prior to our primary in August, we will have two factor authentication implemented for the town clerks so it's password protected now but it will take it to the next step and we'll do something similar to what the banks do where they'll text you, you say I wanna get in, you put your initial password in, then it says check your email or your text message and you're gonna get a code and then you have to put that in in order to get through. The clerks are responsible for our chain of custody around the tabulators and memory cards and they also are required to secure and sort and the sorting of the ballots as well. Our voter registration database, we back it up every day and I think that's another key best practice but we back it up every day so even if worst case we had someone come in and hack into our system and destroy our voter registration database we would be able to go back and reset the system based on our backup. 
We have election day registration as well so even if it occurred on election day we would be able, anybody that comes to a polling place could fill out an application and register themselves to vote that day and vote so we have several different things that are in play that really protect the right to vote. We also, on a regular basis, John Welch will sit there and send out memos to, emails to our staff, leave your computers on rather than shut them off because he wants to make sure that he updates all of our security patches and I think that's important whether you have a phone or you're using a laptop or an iPad or a desktop at home, you should stay on top of your security patches from your operating system. Vermont also has added automatic voter registration. We did that in January of 2016, I'm sorry, January of 2017. We estimate that after the first full year, four year cycle of driver's license renewals that we will add somewhere between 30 and 40,000 new voters to our system. The beauty of automatic voter registration is it makes it far more accurate for our team who has to maintain that statewide voter database and people don't have, they forget to go to the, they don't forget to go to the driver, to get their driver's license changed when they move but they do forget to go to their town clerk and change their address. This provides us a way of making that change for them automatically and the good thing about that is it's not the system making the change, the town clerks actually have to approve it so it shows up on their dashboards the next morning and they have to click to approve those changes. So moving into prevention, Vermont and our elections team, we actually did a cyber risk assessment of all of our systems in 2014 that included not just cyber but also physical assessments. We blacklist IP addresses known bad actors, known or suspected bad actors. We are cognizant of phishing attempts and we are constantly updating the use of complex passwords. 
We do on a regular basis penetration testing. As I said, the physical security we've also updated our physical security and the last one is training and frankly, I think the best thing I can say there is we need to secure the human and it's really about just education and training to our town clerks, to our staff, to anybody that uses the system to understand that we need to focus on cybersecurity. We monitor, we log, we back up, we monitor our traffic on our system on a daily basis. As you heard from Ben, we have an Albert monitor which actually tracks the traffic going through our system on real time and then they can get back to us if they see anything suspicious. Department of Homeland Security has provided on occasion alerts when we have, they have a suspicion of something that they'll give us an IP address. We've actually worked with Department of Homeland, I mean, the agency of digital services. I know one time we received the alert from the FBI on that. We did not find any of that IP address in any of our logs. We forwarded it to the state to make sure that they didn't have it on their logs because we operate on different systems. We have many firewalls, several layers of firewalls. I actually asked John to provide me a visual of what our security looks like and I said, so can I show this? And he said, no, he said you can't show, give him the roadmap on how to get in. So that got shredded. I do wanna talk, this is really constant vigilance. We have to stay on top of it. It's not something that we can just do one day and figure, okay, we're all set and going forward we're gonna just not have to worry about it. I can tell you that Chris and I think about this every day. John, Brian, they think about it every day. We are constantly trying to understand what's happening out there. When I went to the MSISAC in East Greenbush, there was a screen, it wasn't quite this big, but almost and it was a picture of the world. Can I say this? Yeah, no you can't. 
It was a picture of the world up there. And you had these red lines and yellow lines and green lines going across the page. And essentially what it was was the red lines, that was the bad guys. And they're targeting, they're watching these and they can see, and you can see how sophisticated the bad guys are getting, the bad actors. If something might start in Russia, go to Houston, Texas and then all of a sudden shoot up to New York City. So they're trying to find ways to get up there rather than go directly into New York City. It was really impressive to watch. They have a team of people sitting at computers that just watch this traffic all day long and they send out email alerts to the appropriate people as necessary. We do have a web-based system. It is protected with state of the art secure logins, firewalls, and we're constantly upgrading that. We do, as I said, the daily backups and monitoring for suspicious levels of activities. We notified MSISAC and Homeland Security and FBI at one point last year, because we all of a sudden had a couple of days where the traffic was, I mean, we're always getting scanned. We know that. But there was a couple of days where it was out of the ordinary levels of scans. So we contacted them to make sure that they were aware of it. And they could advise us as necessary. We blacklist IP addresses. We look for phishing attempts and try to ensure that everybody's using a complex password. We have upcoming trainings for local officials, including Secure the Human. It's easy to convince someone to give out your personal information or passwords. And we're gonna try to offer trainings on how they can prevent that from happening. So again, we have to stay focused, vigilant and diligent. These issues have to come out of the IT room and get to the boardroom. We have agencies and companies that must lead and make this priority for everyone. We need to stay at one step ahead of the bad actors. It's a constant battle. 
This is a picture of part of our executive team at the National Association of Secretaries of State. I am being sworn in in July. I am the current president-elect. I'll be sworn in in July as the president. And one of probably the biggest issue that I'm gonna be focusing on nationally is cybersecurity. This was a meeting that we attended. The executive committee attended with the secretary of Homeland Security, Kirstjen Nielsen. And we had an opportunity to meet with her in a classified briefing. This was, this next picture was, this is the state election director's association, executive director, Jeanette Manfra from the deputy, or the deputy secretary of Homeland Security and Eric Rosenbach from the Belfer Center. When we were testifying before Congress, we were testifying before the Senate committee, the Senate Intel committee. That's kind of a summary. We are, you can go to the next page. We don't need to stay there. So this is a summary of what we're doing, the innovative security measures, improving our firewalls and system monitoring, two-factor authentication, cyber training, and tabletop exercises. We're pleased that we're able to participate in that Belfer Center. I sent, as Chris said, the deputy secretary elections director and IT manager down. This is a picture from it where, as they said, they had the worst case election day that they were working on. We will continue to talk, actually, Chris, I think this is where you were gonna talk about what we're doing planning-wise. Just wanted to say, very quickly, speak about what you see in this picture here, the Defending Digital Democracy Project, where they put us under time pressure, me and director of elections, Will Senning, and our IT manager, John Welch. We were all assigned roles in a mock election. I think every five minutes was a day moving up into the election cycle, and then election day, they had time pressure, they had big screens around the room where suddenly they'd flash a new scenario. 
And I think we had a fire at a polling place, a winter storm, blizzard blew in, someone hacked a state employee's Twitter account, someone showed up at a polling place with a gun shouting about illegal immigrants voting in elections. We had a power outage, a tabulator malfunction, all the phones went down. So again and again and again, just coming up with all these different worst case scenarios for elections and asking you to react to it. And we're gonna take this exercise and do it again within the office with our elections team, just to try to prepare. And one of the things that we found was most important was communication. Communication with the public communication, through the media communication, with our elections officials on the ground. And so that's why we're here tonight. That's part of why we're here tonight is to get the word out, to let people know how our elections work, to hopefully make sure that the public has some faith and trust in our elections. Yeah, I'll just turn it back over to Jim and this means we're almost done. So hang in there. Chris mentioned earlier that we use Twitter, Facebook and our website and I guess I'll just go to the next. Communication is the key. We know that, we understand that. We need to focus on prevention, detection, mitigation. It's not a question of will it happen. It's a question of when it's gonna happen and we need to be prepared for it. And that's the key message that we're trying to send out to people, that we are prepared for it, that we understand our role in protecting our systems. So to go on to the last slide, transparency is really the key to our confidence and it's important that everybody is able to get to the point that they will feel comfortable when they go to pass their ballot. I do wanna ask Lance, did you or Jessica want to say anything from your side? Come on up. I'm gonna put you on the spot. Thank you. I think. My name is Lance Burnham. 
I'm a lieutenant that oversees a newly formed, rather newly formed technology investigations unit within the Vermont State Police. A part of that is some task force liaisons that we actually have assigned to the Federal Bureau of Investigation through the FBI, but we work very, very closely with the FBI, Homeland Security and a lot of our federal partners in the state of Vermont. And I get to brag quite frankly about my unit, even though it's very new, we are very established. And I use this as an example. I have six computer analysis analysts. And I have four that are what we call IACIS certified. And whether you know what that means or not, but essentially there's 2000 people in the world that hold this accreditation and the state of Vermont has four. This is unprecedented. We are extremely lucky if I say that, but what my analysis will say is that we're prepared. So when this does happen, we are ready to go. And Jessica actually just, or not, excuse me, Miss Stolz just took out, but we have a Vermont Intelligence Center that we work with very heavily as well. We have partners with the FBI, HSI, Border Patrol, other federal agencies that are literally in the same room working together, monitoring these things on a daily basis. So as you said, as the Secretary said, when this happens, we will be ready, we hope, but it is happening. It's happening every day. We're being targeted. That big map that the Secretary spoke of, it's going on right now. It's going on in Vermont. It's going on in Montpelier. It's going on in Cambridge. Where I live, it's the next step. But we are actively training our detectives to be prepared. I hear it a lot, especially from our older detectives. I don't like technology. I don't like this internet stuff. And my answer is, then get out. Go back to the road, because this is here. The internet is not gonna go away. But thank you for allowing us to come and be part of this, because I think it's very important. 
And as you said, this is why we're here. Thank you. Jessica, did you want to say anything? Sure. Secretary? So my name is Jessica Stolls. I am the Deputy Homeland Security Advisor for the state. I work out of the Department of Public Safety. And one of my main responsibilities is overseeing the Homeland Security Grant program, the dollars that we get from DHS that come annually. And we're putting a renewed focus on both critical infrastructure, as well as cybersecurity specifically for the coming years grant programs, because we need to be spending more time working in this effort and putting more focus here. So that's really all I have. Thanks. Thank you. So, and earlier, I think Matt had mentioned, or Ben, about security clearances. I've already received my security clearance, and I know John and Will are in the process of getting theirs. It's really a long process. I filled out the first two pages that it was sent to me, and I thought, oh, this is easy. And then I remember Rick Hopkins saying to me, oh, that's just the beginning. And a week later, I get a 140-page document that I had to fill out. So it's a lengthy process. But we're doing everything we can to stay on top of this. So as I said in my testimony on Capitol Hill a few weeks ago, any machine is hackable, whether it's your cell phone, iPad, laptop, desktop, whatever it is. If it's connected in any way to the internet, it's hackable. So when I talk about cybersecurity, I'm never, I'm very careful to say never. I simply can't and won't promise we'll never be hacked. The bad actors are always evolving. They're always looking for new ways to hack into our information or undermine our confidence in elections. When I say this, I'm speaking, not just for Vermont, I'm speaking nationally as well. We all have to stay vigilant and focused to stay one step ahead. One state was breached. The good news is there were 20 states that were also attacked that were not. 
And that was a good sign that we are starting to face up to this issue. It's again, it's not a matter of if it's gonna happen, it will happen, the question is when. I will promise you that we are doing everything within our power to prevent, detect, and mitigate the problems before they occur. And hopefully you can now have some insight. I believe that part of being prepared is being open and transparent about what we are doing. That's the reason why we held this. I wanna thank you all for coming tonight and we'll accept any questions and feel free to ask anybody. If you could use the mic there, Representative Yantachka from Charlotte. Yeah, thank you. Question is the town clerks and the Secretary of State's office have to communicate with each other in order to maintain accurate voter files, right? Voter file databases. What is the vulnerability of the town clerks of the town computer systems compared to the state computer systems? Is there a vulnerability there that can be hacked in a way that would then compromise the state's data? Well, we have several pieces of that that are in place. Is there a vulnerability? Yes, there is, but there is no matter where you are. But what I will say is that because of the monitoring that we do, that we can see the traffic as it's coming through, they have their password protected and we're adding the two factor authentication in the next few months. We think we're really shoring things up in pretty good stead. Also, keep in mind that one town clerk can only access their information. They can see the other information, but they can't access the other information to change anything. That's part of the way the system was locked down so they can make adds and deletes to their data, but they can't change data for anybody else. And I don't know, Will, do you want to add anything to that? 
No, except that that's where I was speaking to just like you did, that reflects the importance of all of the sort of behind the scenes web-based monitoring and protection so we can build at the state level. I think, to some extent, capable of identifying a threat that comes through from one of the towns. But like the Secretary said, that certainly is a vulnerable point. That's why we're upping our training with those local officials and implementing a better password protection. Sally, did you want to add anything from yours? I was going to make a comment, but I have a microphone. Sally's one of our town clerks from Lincoln. Yeah, my name is Sally over on Lincoln Town Clerk. And I first just wanted to say thank you so much for this day. I wondered about whether I was going to have motivation to drive over the mountain today and it depended on how much it was snowing on the top of the Aga when I decided to make it over the mountain and come here. And I'm so glad that I did. I, at home, my husband always quizzes me about what would happen if this happened in an election. And I want to thank the whole election staff. I feel very well prepared when I go into an election. I feel like I have the tools to deal with most anything that comes my way. And my husband quizzes me all the time, so he's always making my brain think about what if this happens, what if that happens? And I was interested to hear about your worst case scenario day. And some of those things you mentioned, my husband has thrown at me. And sometimes my answer is I'd call the Secretary of State's office if I couldn't figure out how to handle it. And so I'm so impressed with all that you're doing. And this was even more reassuring to hear that you are all together, everyone. I'm looking at all of you, not just Jim, but everyone. So thank you for all the efforts that you're doing and working together towards helping protect our elections. 
It is something that town clerks are worried about all the time they could swim with. And actually, in 2016 was the first time where I felt, I don't know, maybe I'm not prepared for this. And as Will mentioned, our elections start 45 days before voting day. So we're starting very early, processing out city ballots. And every day that I walk into the office, I am working on election. I have a list of absentee ballot requests that may have come in through email or through the mail or over the phone. And I walk in every morning before election and say, okay, who am I sending ballots to today? And what if I've been receiving back and logging on at it? And I remember in 2016, it was about 10 days or two weeks before the election. I turned my computer on and all of a sudden I started getting these weird suspicious emails. Every day, every morning, I'd face one and I go, what is this all about? So that was the first time that my confidence level in I'm prepared for anything kind of got tweaked. And so this is all a really good heads up. I appreciate your slides and say, communication is important, transparency is important, and preparation. And so I guess I would like to encourage the election staff for our spring elections trainings that are coming up to share some of the information that was in this PowerPoint. I saw, I'm personally not interested in the DHS slide about that preparation training that you had online. I would like to check that out. So please share that link with the town clerks either through a bulletin or through our elections training. I think vigilance is a big part of it and certainly, again, in 2016, when I started feeling a little lack of confidence, like we always turn to our help here and everybody in the elections office helped us out and helped us figure out how to deal with some of these strange emails that were coming through. 
But it was a big heads up that, maybe just small town stuff isn't so easy and there are bigger things going on in our world that we have no power over. So being prepared is the best answer. Thank you very much for all that you've been doing. Thank you, Sally. Deb, did you want to say anything? Um, I'll just, you know, do it. I'll do it. Thank you. Thank you. And I do want to say that the thing that I've been most impressed with, especially after our rocky start was how we all came together with DHS, with the Center for Internet Security, ADS, and Vermont Homeland Security. We really are all working together as a team. It may not be directly, but indirectly we are working as a team. You know, we have constant contact with Homeland Security. You know, I have Matt's number in Boston. I have the secretary, the deputy secretary's number down in DC. So if I need to, I know that I can get a hold of someone to deal with an issue that we might be facing. And I know that John Welch, our IT manager, is, focuses every day and Brian on looking and monitoring our traffic. And if they see any anomalies at all, they will contact our federal partners to let them know so that they can be aware and perhaps take a look at it to see if it's something we should be worried about. So that is good. Is there, are there any other questions? Robin? My concern's all along the way. But I wanted to, a couple of questions. One is, you mentioned that you used the optical scanner, which is 80% of the vote; the other 46% of towns, are they hand-count, hand-count, and floor votes? Well, no, I'm just speaking about the general, the November general election and primary. But the, you do have some floor votes that occur at town meeting day. No, some towns choose to, some don't. It's up to the town whether they use their tabulator for. But we don't use any touchscreen? Oh, we have no touchscreen at all. 
One of the things that I think is important to state is that our statutes actually state that we have to use the same machine throughout the state. Essentially, I make the decision, but the decision, we're actually finalizing some rulemaking around it. And that will include that it has to be certified, EAC certified, or some other certification, NIST, to the level of NIST certification, so that we know that the systems are in good place. Because we're getting this $3 million, part of what we're gonna do with that, we're obviously gonna increase our penetration testing. We're gonna put in the two-factor authentication for the town clerks, and there are other things that we're doing with our firewalls and whatever. But we're also, the original plan that the Secretary of State's office, and this goes back before I was even elected as Secretary, was to look at the 2022 as the next election system. But because of this influx of the $3 million, we're actually gonna step that up and look at new state-of-the-art machines in the 2020 presidential election. Early onset, that defending against foreign and domestic bad actors will elaborate on that. Well, I was trying to encompass everything. We don't know where it's all gonna come from. I mean, it could come from domestic. I would say that the election, or the intelligence community is unified on the fact that Russia did attempt to meddle in our elections in 2016, so we know that, so we know that we may face continued foreign intervention. But I didn't wanna exclude, I wanna be upfront, and I didn't wanna exclude the fact that it could be domestic as well. I don't, neither of you want us? I mean, when we look at for actors, certainly the big image on elections now is Russia and certainly people think about it, but on a day-to-day, on a regular basis, most common product is very common across all state and local governments and across all computers as a whole, and that is primarily financially motivated cybercrime. 
So in that sense, a lot of the activity that's likely to see the scans, all the lights that John has to see are gonna be cybercriminal activity. There might be some politically motivated actor activity, we call hacktivists, who might have a particular motivation that they might message out and message across. They might do something like a website replacement or something like that when they put their message on the website, things like that. But there's no, I would say there's no particular actor that we are watching out for that specifically targets elections per se, certainly nation states in the sense that that goal of creating a reputation concern, a reputation concern, but a range of actors really that could be affecting that in a particular way. Thank you. Thank you. Any other questions? Sheila. Hi, I'm either. The law is doing really, really well. Can you comment on how you think other states are doing in this process? It's all across the board. I think that everybody is focused on this now. Trust me, everybody is focused on this. I can't speak to what levels they are at at this point. I know when I testified before Congress and I was describing some of the stuff that we were doing, including two factor authentication, Eric Rosenbach from the Belfer Center said, Vermont is one of the leaders on cybersecurity of elections and Senator Reed from Rhode Island blurted out, that's why he's at the table. So I think there's different levels out there, but I think everybody is focused on trying to do what they can. Some are using their national guard, their local national guard like West Virginia is working with their national guard cyber folks. We've got vendors that we're using, third party vendors that have Department of Defense security clearances. So I think that we're all doing it in different ways. 
Some are using the Department of Homeland Security services that are available and I wanna be clear, just because someone's not using Department of Homeland Security, doesn't mean that they're not doing anything. It just means that they probably have it covered in a different way, like for instance, we have our own penetration testing firm that we use instead of using Department of Homeland Security, but we still do weekly cyber hygiene scans through the Department of Homeland Security because we think it's a good idea to have another set of eyes on it, to have just someone else taking a look. And if I could add to that, I would just say and I'll speak more from New England than the nation, but we are interacting with multiple states in New England on this topic. Pleased to say there's been about $25 million security funding that has reached New England states and we did have one of the New England states that was on that list of 21 from 2016. With that said, as the secretary mentioned it, it's really that folks are picking from a menu and where they need that support and this is a collaborative effort and it's really a team sport to enhance and ensure the resilience of our systems and it's a marathon, not a sprint, right? We need to be doing this every day. You heard the secretary say that they're thinking about it every day. We are too and we're not alone, but it's a collaborative approach and it really can solve us wherever we fit into this puzzle of elections to be vigilant and to be engaged and to use the resources that are available to us as we need them. Any other questions? If not, have we kept you over? No, we're still on time. I think, I can't quite see it. So if there's no other questions, we're done. I thank you all for coming. This is an important topic for us. We felt it was important to make sure we got out to the public as well as the media so that people understand what it is that we're doing. Thank you.