 Because we have so many speakers, I'm not going to be introducing them the same way. I'm going to leave that to the moderator, Eric Geller. But I will be introducing the name of the talk. So this is state and local preparations on election security in the aftermath of the Mueller report. And it will be moderated by Eric Geller, a cyber security reporter for Politico. Okay, well, thank you. Thanks everybody for being here. So I'm just going to let everybody introduce themselves. But if you don't know me, I'm Eric Geller, cyber security reporter at Politico. And I do just want to mention very briefly, if you were not here for the journalist panel, you didn't hear me say this. We did just launch a page on our site that tracks every state and county using paperless voting machines. That's very relevant to what we're going to be talking about today. So if you do want to see that, that's politico.com slash election security. And with that, I'm going to turn it over to Amber to make an introduction. Well, hi, everyone. It's great to be back. I was here last year for the first time. So just really excited to be back in this room again. I am the former director of elections for the city and county of Denver. So I ran elections in Denver, Colorado for over 13 years was director for the past seven. And in that time, I left in August of 2018 to head up the National Vote Home Institute, which is a non-partisan nonprofit organization that's really trying to improve the voting process around absentee balloting and vote by mail and all those sorts of systems. And also expand it so that voters have more options to vote. But in the time that I served as director, we reformed Colorado's election system. It's probably one of the biggest reforms in the country at that time. Now, California has superseded us because they followed and did another reform that Secretary Padilla will talk about. But at the time, about seven years ago now, it was the biggest reform in the country. We instituted same day registration, vote centers. We send a ballot automatically to every voter in the mail before every single election. So you don't have any question as to whether or not it's going to show up, what deadlines you need to meet. We've basically just simplified our entire process, which I would argue has actually mitigated a significant amount of risks that are associated with the election process. And now I'm trying to work on the national level and help other states do that. So we're just happy to be here again, and thanks for having me. I'm going to pause for Eric and for Amber, everybody. And for the California Secretary of State, Alex Padilla, let's hear it. I want to make sure we're avoiding the after lunch lull, you know? If we need more coffee in here to say the word. My name is Alex Padilla, I served as California Secretary of State. Last year, when I attended, I'm told I had the distinct honor of being the first Secretary of State to attend DEF CON. And so as I said then, I'll come back next year if you invite me. And so here we are. And for anybody that was here last year, do you remember that session or we got mostly first time, first time? So those who were here last year remember the room was a little bit smaller, but the interest was so great that at some point we had like time out, take the chairs out, right? We need to squeeze more people in here. So those people sprawled on the floor, people standing in the back. This bigger room is actually a good sign, right? More and more people are engaged in paying attention to what we need to be doing here. For those of you, most of you who weren't here last year, I gave a sort of a big overview of what we do in California. See, my interest in coming last year was to listen and to learn. And I realized it was to listen, to learn, but also to share. Because for those of you interested in helping us buttress election security, not just cybersecurity, it helps to know what the starting point is in different jurisdictions. Every county is a little bit different. Every state may be a little bit different, but in California, you know, we've been referred to as the model to strive for between high standards for security and other things, required testing and certification on the front end, logic and accuracy testing before every election, paper ballots and a voter verified paper trail, we prohibit connectivity, post-election audits, like the whole gamut, right? That's been in place in California for a long, long time, and it has served us very, very well. Now, with the title of today's session is, What Have We Learned Post-Muller Report? I'm going to kind of take us back a little bit because it's still part of the Mueller exercise. Right, 2016 was what woke everybody up, yet again, to paying attention to elections. Oh, how we wish our most difficult challenges were butterfly ballots and hanging chats. Right, 2016 showed us it's come a long way, and we have to up our game. Even before the Mueller report, there was a couple of indictments that were issued, the first of which dealt not with sort of election systems or election vendors, but election misinformation or disinformation. So, the first indictment was actually very, very informative, and we have an initiative in California, I won't go into detail now, but we'll wait for the substantive part of the discussion to get into and how we try to counter some of that wrong information by being proactive, creating mechanisms for the public to report, working with some of the social media companies to maintain to the best of their ability, the credibility of their platforms. The second of the Mueller reports actually did get into various strategies that agents of the Russian government participate in trying to undermine our election's infrastructure directly and indirectly. And so, that too has informed what we've done in California by agency audits, upgrading servers and firewalls and practices and policies and all the quote-unquote best practices that you can imagine. I think what I was wrapping up last year here at DEF CON, I said, look, we embrace cooperation, if there's something to be learned here, I'd rather learn it here than on election day. But the biggest challenge we have collectively is not what else states can and should be doing, but the resources to implement those recommendations, right? And even as you sit here today, the last significant investment in elections administration or modernization was 17 years ago, right? After the Florida 2000 election, the $380 million appropriated by Congress last year was not new money, it was the last of the butterfly ballot hanging Chad money. So the state of California has stepped, we put state funding on the table and I exercise my authority as Secretary to decertify all the older systems in use in California that had not been tested, certified to more recent higher standards. So we're now on track for all counties to have state-of-the-art equipment that exceeds the DVSG standards by the EAC in place for next year's election. So between that improved partnerships and communication, collaboration, I think we're ahead of the game, the challenge is to stay ahead of the game for 2020. So I'll leave it at that and look forward to the discussion. Thank you. Thank you, Mr. Secretary. My name is Barb Byram. I'm the Ingham County Clerk in the state of Michigan where we have paper ballots and for as long as I'm concerned, we will always have paper ballots. Prior to, thank you, thank you. So I've been the county clerk for seven years. Prior to that, I served with the Michigan Legislature for seven years. I was one of the few county clerks to conduct a full hand recount of the presidential election. We did a hand recount. Ingham County was one of the few. And in the state of Michigan, although statute does permit a retabulation for a recount, we were always led to believe that statute doesn't permit that. So we all have always talked about hand recounts if a recount. So we conducted the hand recount. I look forward to, this is my second year here at DEF CON. My first was terrifying. I still have nightmares. I look forward to learning so much. It has really helped bridge the communication with my IT staff. And when we get further into the discussion, I hope we can talk about IT staff and how many county clerks, thankfully not in my county, but many county clerks are the IT. And in Michigan, we have a very decentralized situation. So the county clerk programs the election, but the local, the 1,500 city and township clerks test the election programming and conduct the election on election day. That decentralization really works. However, county clerks have limited resources. Local clerks have limited resources, especially when it comes to battling Russian grew. Thanks, Barb. Barb, everyone. All right. So look, my name's Noah Prates. For 19 years, I ran elections in suburban Chicago, so Cook County, Illinois. So 2016 was the epicenter. Illinois was the epicenter. What became a pretty significant inflection point in our business. So I started prior to 2000. Those were the old days where we were logistics managers. I like to call it the wedding plenary era of elections, where we just had to bring punch cards together with voters on one day and the thing was done. That technology and the ballot layouts didn't bring the requisite precision to make Americans confident that the results that were ultimately certified reflected the will of the voters. Congress reacted quickly through 3.5 billion dollars at a set of problems, which happened to usher in another set of problems. And for 17 years or 16 years after that, election officials had to transition from logistics managers primarily to also IT managers and legal compliance managers. And that was a significant shift. But then 2016 happened, and we all had to wrestle with the idea that now we need to be cybersecurity managers. That certainly doesn't mean that anybody who holds the title of an election official is going to have the expertise that you guys do. But it does mean that election officials need to be cognizant of the risks that you're able to point out, go to our funders and our stakeholders armed with the information that you and others are able to provide and then advocate for funding that can buy down those risks. So last year I left Cook County and I went to support the federal government's efforts so the cybersecurity and infrastructure security agencies have support to local election officials. I'm not here talking on their behalf. I'm talking in my old role. We've got some other folks that are willing to talk about the services that the federal government was providing. But I think it's important that we recognize there are a number of consensus points in the election security sort of discussion these days. And while there's a lot to think about medium term and long term, about supply chain, about sort of ballot marking device, about misinformation and disinformation, the truth is right now we have some opportunities to make some significant differences for 2020. And I think advocates, security researchers, the entire community can coalesce around three priorities. In my mind, they're these. Sort of buy out and get rid of the paperless voting systems that are still in use in some portions of this country, okay? That enables us to do significant verification audits to prove that the results of the software tell us are the results are actually true. So by those out, that's priority one. Two is incentivize states adoption of significant and meaningful ballot counting audits, things like risk limiting audits. Done properly, what they allow you to do is suss out discrepancies with vote counting software and correct them prior to certification, such that no matter what happens, no matter the cause of a software or hardware failure, you can deliver election results that are trusted and true, which is our primary responsibility. And then third, given that there are 8,800 local election officials around the country who maintain, protect, defend all the software and hardware in this country, some states do a significant bit more and they certainly protect the voter registration system, but the bulk of the risk to elections lie with 8,800 local election officials. The overwhelming majority of whom don't have an election security officer on staff, don't have IT on staff. They rely on county IT who are also protecting help, fire, security. So there's a big huge gap in human expertise, which is why I like the match.com that DEF CON is trying to put together today with you folks and election officials. But so the third priority would be to resource the state so they could set up programs to reinforce local election officials. And I'll just highlight what we were able to do in Illinois. We took our HAVA funds, hired nine what they call cyber navigators. These are people with serious technical chops who each got to adopt basically 10 counties. And they go in there and they first sort of help them assess where they're at, establish a baseline. Then they go and help develop improvement plans. The third, they sign up and make sure that we're sharing information both within the state and with our federal partners. And they're doing the basic blocking and tackling for the election officials in Illinois. So while there's a lot of talk about hardware and software and vulnerabilities, there's a tremendous amount of low-hanging fruit that remains in the election's infrastructure. And I think the best way to get to that is to resource local election officials with partners that are willing to move the ball forward on that front. Anyway, excited to be here with you all today. This is my third year at DEF CON. Because we're in Illinois, I got a call in early 2017 and said, hey, we're going to throw this voting village from one of the funders. You want to participate? You got any equipment? I said, you can't have any equipment? I had to keep them out of our warehouse as well. Well, we were willing to partner. We had serious conversations about what a back office network would look like. We wanted to provide security researchers such as yourselves with a real-world operating environment so that when you're kicking the tires on things, they're real tires. They're not old tires off a jalopy. You'll see last year that the cyber range, we were happy to be able to help consult on that. Anyway, looking forward to the rest of the conversation. All right. Thanks, everyone. So we're going to jump right into some hot button election security topics because you folks are here. So here are these experts who either are currently involved in the policy process, the administrative process, or formerly involved. You want to hear them talk about these issues. We obviously have to start with paper ballots. This is one of the biggest conversations anytime you go to an election security conference and in DC right now. Virtually every expert agrees that with current technology, you need some kind of independent paper record to verify that the audit has been conducted successfully, that the election was accurate. But in Washington and I think in a lot of state capitals, there is this sense that even though the security issues don't vary by locality, locality should be able to choose the arrangement that they like the best. And I think it's important to note that it's always described as the arrangement that works best for the locality, even though as we know, paper ballots are no more or less secure when you cross state lines. That is always sort of the technical recommendation. Because my question is, what should take precedence in your view, the technical consensus that we have right now, or this idea of the local prerogative, which has been paramount in this area, and of course in many others, for a long time? Which of those two things is more important when we talk about the technology we have in our voting machines? Okay, I think my first elected office was Los Angeles City Council. So I've heard a local control argument for a long, long time. I've been a state official for a little bit more than a decade now. And so on both sides of the equation, I've heard the state's rights arguments. And yes, it's clearly in the constitution states run elections. Now, that being said, to me, it's a no brainer, paper ballots, paper ballots, and a voter verified paper trail. I think it's malpractice for folks to hide behind some of the other arguments when they resist what is more than just a proven best practice. But it's not a magic wand single solution, but an integral part of a comprehensive strategy to strengthen the security of our elections. So I went before I got involved in elections. I remember talking to the then elections director and telling him, you know, I can do everything on my phone. There's no reason why I can't vote on my phone. He took me to lunch. Literally, he bought me lunch. And then he let me know the error in my ways. And now that I run elections, I will stand firm that elections need to be paper ballots. And it's not just paper ballots, though, it's paper, electronic poll books. In Michigan, we have a qualified voter file maintained by the state. If something happens with the electronic poll book, the precinct has the paper poll book. There is a paper trail for everything. There's, there's everything that happens. If, if there's a fight that breaks out at the polling location, it is notated in the poll book and the paper poll book, the receipts paper, we split everything else up at the end of the night. Paper, again, some comes to the county clerk, some comes, goes to the probate judge. So always paper right. That's the way to do it. Just because we have technology that has all sorts of capabilities doesn't mean we should rely on it. Election officials and vendors should never claim that our election systems are unhackable. If they make those claims, then we should not be contracting with them because everything is possible. There are brilliant people in this room. There are brilliant people that are much younger than all of us in this room that have the capabilities and have just the know-how to hack into systems. So we need to make sure that we have paper and that paper is secured. There needs to be a chain of custody. So I'm a firm believer in paper ballots, paper trails. I'm firm believer in audits, not just RLAs, but hand recount of all ballots for certain races. Thank you. We just, we have to audit and we have to involve the public in knowing what's going on and showing them how we are mitigating our risks because we can never block all risk, but how we're mitigating the risk and how we are relying on paper because that is the most secure. Yeah, so I'll just say I like to frame election security not as election defense because ultimately the defense is bound to fail somewhere at some point. Look at the companies that are able to spend billions of dollars in this industry, HBO, Sony, Equipax, Uber, others, and then governments, you know, OPM, State of Illinois, maybe even some other counties around like the country. This is all public, face failure. So rather election security is about building your defenses as high as you can. But more importantly, my mind is building resiliency or rather, so your ability to detect a breach and recover from it so that you can deliver trusted and true election results. And so those are the two primary virtues in elections to me are trust and truth. And you may get to a day and there may be technology out there right now that could deliver true results, you know, online, but trust, especially in elections. I can't foresee a day where we're not going to want, where we're not going to have stakeholders that we need to prove that the software and hardware worked properly. But if that day comes, I mean, I look forward to it because there's a promise of high access and there may be parts of the population that you can serve in ways. But today, you know, trust and truth and the way you get there is being able to verify the results and you can only, I think, do that with paper and with good audits. Paper without audits are worthless. Well, I just wanted to answer, I guess I'm going to answer the question a little bit differently and add in who I believe is actually the top priority in this discussion, local control versus kind of what's happening at the federal. And I guess what I would say is that the top priority constituency is voters. And that's been the problem really with our entire election system going back 100 years to women's suffrage. It's been designed to focus on who wins and not who votes. And it's also been designed generally to leave people out. So I think until we sort of frame the discussion around putting the voter first, figuring out what are their needs in the voting process? Because while I'm from a state and I've helped pass and write a bill that essentially 99.5% of Coloradans, I mean, every ballot has a piece of paper in Colorado, but literally most are handmarked paper ballots. But the reality is, not every voter can vote on a paper ballot. And we have to be we have to be upfront and honest about that discussion. And so therefore, how do we create systems that serve all voters that are secure, that are verifiable, and that provide equal opportunity to that process, not dividing people based on what their accessible challenge may be, but really, really truly engaging and addressing their needs as voters, whatever those needs might be, what is their confidence level in the process? Do they have enough transparency? I'm from, you know, in Denver, we were Facebooking live our entire counting and tabulation process. I'm pretty sure you probably won't find that in a lot of places around the country. But what do the voters need? How do we make their experience better? And the final thing I'll say about that is, you know, you go, I'll throw New York City out there, if you're from New York City, and you waited in line last year for five hours, they have all paper ballots. And their problem was they had machines malfunctioning at the precinct level across the city, people were literally had gotten their ballot and voted, but we're waiting in line to simply put the ballot, the paper ballot into the scanner. That is not a functional system, right? And so that's where I say we have to think about the voter, we have to think about their needs, and we have to design policies, processes, and technology to effectively serve everyone in a secure and transparent way. Continuing our journey around the hot button topics of election security, I want to also talk a little bit about the responsibility of the vendors and the relationship that local and state authorities have with those vendors. Everyone on this stage either currently or formerly responsible for interacting with these companies. Amber, I, there was a recent Brennan Center report about election security. And one of the things you said in there was every locality should sign a contract with their vendor that goes beyond the sort of typical purchasing requirements and actually lays out security and communications plans so that everybody is clear about what the expectations are. But you know, right now that's ad hoc. You in Denver could say I expect you to report cyber incidents if you have them. That is not a nationwide requirement. And there is no state that currently has rigorous expectations for what the vendors have to report and what they have to let independent researchers do. I'm sure there are people in this room who have wanted to test voting machines, but have been told, you've got to sign this NDA, you can't tell the world what you found, or you can only do so in limited circumstances. So, for my panelists here, what responsibilities ought the vendors to have either at the state or national level, things like cyber incident reporting, independent testing? What is the role of people in your shoes setting those expectations? Because I think we can all pretty much predict that Congress is not going to be setting any specific regulations there anytime soon. Okay. Well, so I'll speak to this because I think what I would first say, and this relates to what was in that report, is it's the responsibility of the election officials, the secretaries, and the local election officials to set the expectations. Like that is the reality. It's like any service that, whether it's the post office that we use, or it's the, you know, staffing vendor that we use, or the logistics operator that we use to deliver our equipment, it is our responsibility to set those expectations at a high level. And I think the secretaries of state, and California is the best example of this, setting that standard to be high for certification, for requirements, for what that's going to look like, and also setting transparency standards. I think on the vendor part, I have always, and I've said this many, many times, and I experienced it. In Denver, I transitioned Denver from a paperless Sequoia system way back in 2005. We then went to mostly paper with just one touchscreen DRE with a VPAT associated with it. Then we went to the model that Colorado has now where we mail out a ballot to everyone, but we still have vote centers. And we have ballot marking devices that produce a paper ballot, has barcode, but also shows all the display, and we'll have the full face ballot. But that transition happened over time. And honestly, I think it was back in 2013, 2014, after we passed our reform law, I sat down with our vendor, the one that we were using at the time, and they showed me what they had coming down the pipeline. And I said, we're not going to buy any of that. And they were like, what? And I said, well, we don't want to buy any more proprietary hardware. That doesn't, voters don't understand what that equipment looks like when they come in. They're not used to interacting with that. We're going to the system where we're mailing out a ballot. We want to make sure we can efficiently centrally count everything. And we want to figure out a better way to provide better accessibility for voters. And so our senior voting system and technologists in the office literally worked with the vendor. The vendor sent out their designers, they worked with voters, very similar to what's happened in LA. But we tried to bring them in as a partner and it was very effective at getting a much better product than we had ever had before. And I think that that also has driven some of the other advancements that we've seen. And so there, it goes to the local election official and the secretaries of state setting the standard and setting the expectations to say, we want this, this is what our future looks like. And then working with vendors that want to be your partner. Not every vendor will be your partner. They'll be your vendor, but they won't be your partner. And there's a very big distinction there. I agree. I think Amber put it very, very well. Just a couple of nuggets to sort of add on to that. You know, because there isn't, if you look at it from a national perspective, consistent, significant investments in the election space, election administration, infrastructure, and modernization, you know, you end up with the business model for the vendors that there is, right? They'll do the minimal that they can in terms of innovation, because where's the return on investment, right? That's, that's bad for our democracy. And it's played out. And then you'll start coming around there's significant amounts of money on the table, state by state, which is more the exception than the rule. Or when there's chatter that there may be another wave of money coming out of the federal government, but look at our current congressional landscape, I don't think anybody's holding their breath. Uh, it's for those reasons when I was in the Senate that I authored legislation that opened the door in California for a publicly, that's the publicly owned system, a publicly designed system. And for open source to be an option, if either as a way forward for a local jurisdiction, or at a minimum to serve as leverage in negotiations with the vendors, right? I mean, I think if, if we take election security seriously, both in the more broadly, not just as election administrators, but as a society, and you know what the sort of best practices are that are evolved over time, then it is not practiced to shoot for lower than that. Right? But then I think that begs the question, where's the pressure points or where's the leverage to hold the vendors accountable to a higher standard? And unfortunately, you know, it's probably, you know, probably not anytime soon going to come out of Congress to one, to set one high national standard. The closest thing we have today is the Election Assistance Commission, right? That's part of their role. They're the fact-finding, they're the researchers, they're the set some, uh, suggestive standards, but they're not federal requirements per se, right? So most states will look at those standards established by the EAC as the bar and choose to aim for it or to exceed it. You have a couple of states, California is one of them, we'll set our own standards and we can move a little bit more nimbly. Believe it or not, as a state, we can move a little bit more nimbly and we have that higher standard that the vendors should or required to meet or exceed. Fortunately, we're the most popular state in the nation and so just the size of the California marketplace allows us to be that mover of the market, if you will. So if there's product that was designed and innovative to meet the California standard all of a sudden, that's now an option for the other four United States plus the territories, right? So I think that's us trying to influence in a positive way. What Congress could and should be able to do is not take over elections, but when they get around to putting more resources out to states for whether it's just modernization or security or training or anything else, yes, you can couple those dollars with conditions that states implement X, Y, and Z. Now I know that just complicates negotiations in Congress, right? Last year, there was chatter about potential legislation moving forward and part of it got caught up in, well, do you require post-election audits or not? Is it a flat percent manual tally or are you opening the door to risk limiting audits? And what's the methodology or is it an audit of paper ballots or is an audit of images of votes cast? And now all of a sudden you have computers auditing computers, which makes no sense to me, but that's just a snapshot into the sausage making in Washington, D.C. So in Michigan, I think the Secretary of State should be responsible for holding the vendors accountable because they have the resources to do so. However, we're talking about the election equipment. We haven't really discussed the security of the election official and their records and how they're conducting the election. So in Michigan, I know we received some Hava funds just recently and we're doing assessments, then we upgraded our qualified voter file or list of voters. That's all maintained by the state and they're doing some more security assessments in regards to unofficial election night result reporting. The locals need resources. The locals need help. We need fingers on the keyboard, boots on the ground, a set. We need our stuff assessed. We need our websites assessed. We need suggestions. We definitely need people to swoop in when there's an emergency. My county doesn't have those kind of resources. We have an IT department. We don't have the resources that I expect the state to have. And so we really need to see those actual humans come down and help us and mitigate any concerns that we have thus far and start doing trainings as well. We have my ISAC, MSISAC, sorry, acronyms, and we receive emails from them what feels like daily and they're very helpful. In the beginning, I didn't understand most of the words contained in those emails. I now at least understand most of them and if nothing else is bridged the relationship to have a conversation with my IT department like, hey, you hear about this? This looks kind of bad. Yes, that is bad. Yep, we're on it. Or we're lagging behind. We need help. And that's when I would call the state myself and ask the state to come help. So I think the secretary state, at least in Michigan, is best equipped to hold the vendors accountable. But it is incumbent upon the local election official and the county election officials to reach out to the national organizations, the state organizations for IT support and for cybersecurity support because I believe it's severely lacking. So I talked about 2016 as an inflection point for election administrators. Well, the same is true for the vendors and service providers. And the truth is some of us in bigger places were able to be market movers and shapers and start to sort of demand different things from vendors, but 8800 local election officials, also with no staff, they rely entirely on their vendors, you know, they're deeply embedded. So when we talk about the vendor versus partner dichotomy, it's important to recognize that they are deeply embedded partners for most election officials around the country. They're the first call. And then like any other business, they are meeting their customers where their customers want to be. I never thought I'd be in the position of sort of defending them. But the secretary talked about market problems. You know, if this were a market that was highly profitable, you'd see a lot of sort of new folks entering. What we've got are folks working hard to meet demands in a challenging environment at a low profit level. And so while they're maturing, and they certainly are, you know, they've coalesced, they've created what's called the sector coordinating council. They work together regularly to try to create a set of norms that will meet government where government wants to be. But they face the same challenges as the rest of us. But unlike most places, they are deeply embedded partners. They are the IT staff. And so I think they're wrestling with the same set of changes election officials are as well. So we haven't really talked yet about DHS and kind of the federal partnership. And if anyone read the Senate Intelligence Committee report recently, there was some praise in there for the way that that relationship has changed since 2016. But continuing with the theme of putting you on the hot seat, I would like you each to identify one area where there hasn't been as much improvement as you would like, or where you think DHS, other federal partners, haven't yet stepped up in a way that you think is necessary, or something that you would improve about a system that they're already doing, a process they're already offering, that kind of thing. Beyond replicating Noah and Matt Masterson. Yeah, I mean, I think that certainly what DHS has done since 2016 in coordinating the various efforts that they've done is truly monumental. And I don't say that lightly. When Denver, we actually sort of had to focus on cybersecurity as a city because we had an incident back in 2013 as a city. And the city was brought to their knees, basically. And they rebuilt all of their infrastructure and they made a huge investment as a reaction to that event in cybersecurity. And so at that time, I said, well, please include us. I want to make sure that the election's office and the entity is included in this strategy that you're putting forward. And so we built a really great model in the city and county of Denver, and we're lucky because we're a home role municipality. And so city and county government is all one. So it's one entity that essentially secures the borders of the city and county of Denver and all of our cyberspace. But we had to do that. And it also, for me at least, brought attention to the resources and the additional needs we had in our particular staff to build that up. So we did that. What I think DHS has done a great job of doing is really bringing all the partners to the table. And by the way, that is a significant effort, right? There's 50 different elected secretaries of state. Governors' offices are involved. And then as Noah said, over 8,000 local election offices. So this constituency they have is like no other, really. And the only thing I would say that they could possibly, or I guess that I continue to be concerned about, and I know there's a lot of efforts going on around this, is the misinformation. Because when you look at the Mueller report and you look at the things that happened in 2016, there is still no documented evidence of someone's, of your vote changing. But what there is evidence of is that you were, your mind was basically hacked and you made a choice in a certain way. Maybe nobody in this room. But there were people presented with misinformation that they marked the ballot. So, you know, we could have a paper ballot and we can have audits. It still doesn't give us an ability to assess the impact of that misinformation. So I think the misinformation front is still the biggest challenge that we face. And I really think that the federal level and the partnerships and everything there can really play a major role in that. And I'm sure Secretary Bidio will now talk about all the great things that California is doing. Because to me, misinformation is like the biggest sort of thing that we really haven't gotten to yet. So, I'll try to quickly summarize it, but then come back to the question about DHS. So, I guess if you read the first of the indictments, obviously before the Mueller report was released redacted, it talked about the disinformation campaigns that we were subject to in 2016. So it was, but by no means a final polished product. But thanks to the support of the governor and the legislature, we did get monies months before the 2018 election to tilt up not just our Office of Enterprise Risk Management, but we labeled the Office of Election Cybersecurity, which is frankly much more of a communications effort than a technology effort. If this disinformation was damaging people's confidence in elections, what could we do about it? So we did a couple things, some that were responsive, some that were proactive. On the proactive front, how could we get good information or at least sources of official information in front of the eyes of voters before they are going to be pummeled with the bad information? And it's not just, but it's especially on social media. So we were able to do graphics and quick videos, fund an advertising campaign to do exactly that. We established, this is revolutionary now, the established the ability to email every voter in California that we had an email for with basic official information of registration, when we're had a vote, if you have any questions, call your county, call us, those sorts of things, right? But we felt it was very beneficial from the feedback that we got. We propped up a specific website, boatshore.sos.ca.gov, where we did a couple of things, find your polling place, verify your registration status, those sorts of things, but a specific email address with the general public can report to us if they saw wrong information in their feeds somewhere. Now within the office, we had both eyeballs and monitoring systems to try to find some of that bad information in the days alone. So not even for the whole cycle, just the last four days, up to an including election day, there was about 300 erroneous post tweets, etc, that we were able to report to those social media companies, pre-established their relationship and the protocols, 98% of which were probably taken down for violating their statements, right? And that's an important clarification because I'm not in this, I'm not a censorship police officer, right? So people want to know all your censoring speech and you're just just reporting what we know to be inaccurate information, intentional or otherwise, and let that be appropriately handled. So that's just a little bit of a snapshot of what we did on the disinformation side coming back to the DHS question. So good news and bad news, the good news, because I do believe give credit where credit is due, the relationship has come a long way in the last couple of years from the, you know, chatters and rumors before the 2016 election to close to a year later when I got a call from DHS official saying, we can definitively tell you that the Russians were scanning your network. Like a year later, really? And what do you mean the network? Do you mean our network or just the state of California's network? Because by design, we're not on the state's general network. Well, that's secondary. It was the state's network, not like, no, no, that's like important information, right? Words matter. And when it comes to public accountability and transparency, words matter when it comes to these threats or actual incidents, we can't over embellish and we can't, you know, play it down either. We got to be straight. We got to be honest for the credibility and integrity of what we do. That's how the relationship started, right? When the chatter first started about, you know, Russian interference, the first calls from DHS was to the National Governors Association. Not knowing that governors don't administer elections. States do, but it's secretary of the state and local government. So DHS was on a very quick learning curve. Just like elections officials were on a very quick learning curve when it came to a lot of these security issues. Flash forward to today. Never would have imagined, but yes, I have my key DHS contacts on speed dial. And I'm on theirs, right? And we can communicate and share information on a very, very regular basis. It's come a long way. I heard Noah mentioned we need more master sins or maybe Amber did. It's been a very, very good resource. So I'll transition to the bad news by saying this. The rank and file at DHS and FBI and other agencies that we work with are very good. Our partnerships are strong, they're responsive, they're constructive and productive, just like you would want them to be. Where it gets undermined is when you go up the food chain, right? Lack of consistent or strong leadership on this at the secretary level, right? Is there even a permanent secretary right now? That does not help. When it all gets undermined by lies and misinformation via Twitter, by the current occupant of the Oval Office, that does not make our job any easier, both on our policy efforts, our advocacy for resources, let alone communicating to the general public. And if agents of the Russian government realize there's no repercussions for what they did in 2016, not only are they going to continue to try in 2018 and 2020, but so is everybody else, so is every adversary around the world. And so if I have a critique, a complaint, an act to grind, it's that. You know, they're the first to tell us that the protecting the integrity of our elections is a matter of national security and it requires an all of government response. I take them at their word and it starts at the top. I have no desire to follow the secretary. Somebody's got it, right? I will abstain from answering the DHS question because I do work for them primarily right now. And we've got other people wrapping them. That's right. But I will say the misinformation and disinformation campaigns are important. So we're in a hybrid threat environment. We've got threat story infrastructure, which we saw successfully sort of done in places in Florida and in Illinois for certain. We see the disinformation campaign, which was probably the most disruptive of 2016. And so it's important for the federal government to lead an awareness campaign and they've done that through a pineapple pizza product. And I imagine there'll be other ones coming that talks about how disinformation proliferates through the ecosystem. And states have a good role in amplifying that they've got a direct line to the social media companies. But when I go down to the local election official level, especially when they're so challenged with respect to resources and capacity, I think there's a tremendous opportunity cost for focusing a lot on disinformation and misinformation. Because the marginal value that they can add to sort of change what's a sort of global problem is minimal. But on the infrastructure front, they've got plenary control of defending that portion of the line. And so while the most disruptive and the guaranteed attacks of the future are envisioned to be in the misinformation and disinformation campaigns, the most destructive, successful attacks would be ones on the infrastructure. And I think local election officials got to spend as much of their time as possible focusing on their section of the line. So we have about 10 minutes left. I'd be happy to take some questions here. Anybody has questions for our current former state and local officials? Anything? Yes, ma'am, right there. So just to repeat the question for anybody who didn't hear it, how can vendors in Silicon Valley or elsewhere do a better job of helping combat election cyber threats? So let's chat. I mean, it sounds simple, but it's true, whether it's at the EAC level, that's what they do. They gather information, recommendations, suggestions, they do research, etc., California being one of the states that establishes our own security standards. If there's something that we can learn to up our game, whether it's in our practices or policies or actual requirements that our systems need to be tested and certified to, it's Secretary Simon from Minnesota puts it best, election security is like running a race without a finish line. There's no end game. It's never over. Even when election days pass, we're going up for the next election. So we always got to be improving and building. So that can be informative for what we mandate of either the voting system vendors, the election management system vendors, even how we architecture our own IT in-house and how it all interfaces with each other. We're always in the business of trying to learn more. So do you know how to reach me? I'll expect a call. Maurice, how do we convince Congress to give the state's money now, like yesterday? We're one, we're another cyber attack away from seeing a lot of investment. So I mean, that's why we're here. I mean, that's why I started coming to DEF CON, because we need help. And most of my members of Congress are reasonable from my state. We need help. And I think if you reach out to your electeds and share your experiences and share what you believe our risks are, because they are valid risks, right? Hopefully through educating our members of Congress, they will come around. I'm not going to hold my breath on one, but it's imperative that we actually start investing in our infrastructure. It's just we're one major devastation away. And I don't really want to go through that. Look, bottom line, where there's a will, there's a way. And I think there's a lot of will. I know there's a will on the House of Representatives. I know there's bipartisan will in the United States Senate. There's not will thoroughly from the majority leader in the United States Senate. And God only knows what kind of will there may be, maybe be in the Oval Office, right? But that's our government for you, both Houses of Congress and a signature by the President of the United States. But this, this, I think it's a pretext to say, well, it takes so long to, for the money by the time it goes from the federal government to the state and then you have an RFP process and blah, blah, blah, bullshit. We've figured out a way like if we know the money's going to be coming, we can front load the money. We've, the way we've spent a couple rounds of half a dollars now is we give counties a green like go make your investments now, you know, submit the paperwork and you will be reimbursed as long as you know, here's, here's the rules of what it's eligible for and what it's not eligible for. So you can do it in a way where there is no hold up for states and counties to make the investments that they know they need while the accountants figure out the paperwork piece. I'm going to take one really quick question. Does anybody have like put your hand down if your question is not going to be like more than like a 30 second answer. Gentlemen in the blue shirt, yes. So what is your election security wish list, the number one thing you would spend on? Can we, can we do like go down the line? Like if you were still there, what would it be for you? Well, and I think on the, on the federal funding really quick, I think it's, it's important to also think about where do some of these resources already exist in the federal structure. So like one of the things that almost every state is doing right now is they're engaged with their national guard cyber and security teams and they're bringing them in on election day. So I'm of the mindset, well if Congress won't pass a bill, is there a better way to go through national guard funding that, that could support these efforts, right? So I kind of always try to figure out if they, if they're saying no and it won't work this way because of politics, how else can we kind of shift the conversation? I think as the last round of when it came through EAC it was defined sort of not too narrow, but narrowly here's categories that it can and should be used for. Depending on the county, right, California has 58 counties. One county may need new servers. That's probably the best use for them. Another county may not be, it could be, you know, firewalls. Another could be security training for their staff. For another it could be, you know, so I think you have a short list of what's eligible and strategic and then you just work within that. For me some money could go to the state but the rest of it should go to counties. The counties need to hire humans on the keyboard that have the capabilities and the state, they use the money but we're not seeing it yet at the county level. But we need humans. We need humans much smarter than us that can put up a defense and mitigate our arrests and that's where my wish list would be. Paperless buyout, incentivize hand counted audits and a brigade of digital defenders supporting local election officials across the country. All right well that's all the time we have. Let's thank my panelists for a really great discussion and thank you all for coming.