 In starting, or kicking off this panel, one thing I want to make sure everybody knows is that we actually in advance, so a bunch of volunteer hackers, which is what we are, right? This is a volunteer operation, none of us make a dime off this, we actually lose money. So we raised our own money to pay some interns, these poor souls, to spend three months building a list of every election official in the country. Over almost 7,000 people we got contact information for. We then paid to do a snail mail, U.S. post office, mailing to every single election official in the country. We then followed that up with two emails and did 3,500 live phone calls to local election officials to invite them to come here and let their staff take part in the training, loan us equipment if they want research done on it, and so on. And because of that, our attendance from local election officials is up several hundred percent from last year. And what we're really excited about is that we have some people here today who are truly great Americans, who are deeply committed to protecting the votes of their constituents and citizens, and have been spending the last two years, and for many of you, even before that, really thinking deeply about how to better secure our elections. And by the way, showing up here, well, you know, we're not the answer to this problem, but we are hopefully a piece of it, and we are really appreciative to have the election officials in Homeland Security here to try and, you know, learn from what the hackers figure out and each other. So with that, let me just do some quick introductions, and then we'll turn it over to them, because I'm very interested in what you all have to say. So to start, Secretary Padilla is the Secretary of State of the largest state in the country. California is here today. I want to give him a round of applause for showing up. Thank you. He's been working on this issue for years, deeply committed to it, and has been involved in election security issues well before the Russians came at us. Amber McRenalds is from Denver, Colorado. She is actually working on a whole host of interesting things, including auditing and open source technology that we're really excited about. We know that this community loves open source. Jeanette Manfra is the Assistant Secretary at Homeland Security. We are incredibly appreciative to have Homeland Security here. We've got a bunch of Homeland Security guys in the room as well, so thank you guys for showing up. You know, as we've been saying for years, well, for two years, you know, this is, in no way, shape or form, some sort of like criticism on election officials. Frankly, it's not election officials' job to fight off existential threats to the United States. That is the national security industry's job. And the national security industry is represented here by Homeland Security. They're the ones who kind of have taken the mantle and been assigned the task to work with state and locals to help secure their elections. Noah Prietz from Cook County, Illinois. He put out, I believe, I think the first kind of revamped election security plan after 2016. He actually was one of our few RSVPs last year from local election officials and braved the DEF CON for the first time last year. And we're deeply thankful to him for coming. And then Neil from Orange County is here. He also, we were talking last night actually, has put out an incredibly impressive election security program for Orange County, California, which we're going to be highlighting this weekend at the village and then later when we release our report of all the vulnerabilities. So, with that, I will shut up and turn it to Assistant Secretary Manfred to say a few words. Great. I'll be really brief. I talked a lot this morning. So, I just, first of all, thank you for coming, for hearing us. And, you know, I just, I've learned a lot about our electoral process over the last couple of years, things that I didn't fully understand. We have worked for a long time with things that you might more traditionally think of critical infrastructure, whether that's our electric grid, our financial systems, emergency services, those sorts of things, which are just as complicated and tricky to defend as our election systems. But, you know, I guess I would say just a couple of things is it's, for DHS, we really see ourselves as sitting at the intersection between, you know, individuals and organizations that participate in things like DEFCON, the academia, the private sector, state and locals, and other federal agencies. And we sort of have this set of unique authorities that allows us to sit in this place and be a convener and drive progress on reducing risk across our countries, or across our country, and frankly, been working internationally. And, you know, the elections challenge has been, I think, fascinating and challenging. But what I would ask for you all is, a lot of the questions I get is, you know, well, just now the elections community is thinking about cybersecurity, and, you know, the Russians woke us up that we need to secure our elections. This is just not a fact. These folks, and many of those who are not represented here, have been thinking about this for a long time, and they do a lot with not a lot of resources. And now they're on the front lines trying to deal with a lot of these issues, and they can't do it alone. We all have to work together. And I think this is incredible that we can bring the different communities, sort of maybe a community of folks who aren't used to working with government like you all, and folks from federal, state and local working together to figure out how to address challenges collectively, because we're all in this together. So I challenge you all to listen and learn from them. They're here to also learn from you, but really try to understand a little bit more, it's a little bit more than just a voting machine. There's a lot more that goes on in an election process at the state and local level than just the individual voting machines. So challenge you to learn a little bit. And with that, I will pass it on to the secretary. So we actually are a fire hazard. So we have to like, they're just yelling at us. We actually have to take all the chairs out of here. So can we break for like five minutes? These chairs can stay. And then we got to move the chairs. Sorry. It's good news. Everybody cares about democracy, so our room is overcrowded. Okay, now we're back. So, Jeanette, here you go. I don't have to say my remarks again. No. So, no, I think we were just about to introduce Secretary Padilla. So, all right. Secretary Padilla, everyone. Well, thank you. Good afternoon, everybody. I am excited to be here. I really am. This is my first day of CON. I confess, but I am here to listen and I am here to learn. But I also understand that some of my colleagues signed off on some statement that went out yesterday, the National Association of Secretaries of States. That's the first question I got when I walked into the hotel. So let me just acknowledge that up front and then tell you just a couple of other thoughts that hopefully inform this panel and the conversation. Like, I kind of get where they're coming from. For as much attention and emphasis there is on cybersecurity and election integrity, a big piece of that for us as secretaries and elections officials, too, is making sure that voters and the public in general have the appropriate confidence in the systems when people go vote. Right? If it gets into the mind of anybody that maybe my vote is not going to matter, so why should I go vote? That in and of itself is a form of voter suppression if you look at it that way. So just trying to strike the right balance of cybersecurity and integrity with confidence in the system. Some of my colleagues and I'll admit I too sometimes are still a little traumatized from the headlines from last year's conference, right? Voting systems hacked, voting systems hacked, voting systems hacked. Well, my background is in engineering. I'm not a programmer, I'm not a coder, but I think I have a proficiency for technical stuff and like any good engineer, right? You always start with your knowns and your unknowns. You want to understand methodology. And if there's distinctions between what's happening downstairs and real world conditions, that doesn't mean that there's nothing to learn from a convening like this. But it does mean that to be informed about what the takeaways are. So that's where I think some of my colleagues are coming from. Now that being said, like I said, you know, I'm here to listen and to learn because like a good engineer, you want to gather all your information, get your knowns and your unknowns identified if you're seeking to problem solve. Another initial observation. This is sort of a good handoff, right? From the Department of Homeland Security to a Secretary of State. Because if you look at general dynamics from the last couple of years, the whole coordination and collaboration that we are now participating in is relatively new. I remember vividly when the buzz first came out and my first call from the Department of Homeland Security under the Obama Administration came out in the late summer of 2016. And the initial conversation about whether or not to declare our election systems as quote unquote critical infrastructure. What we have experienced since then is to kind of simplify it. The intelligence community, with all their expertise, having to take a crash course on how elections are administered in the United States of America. On the flip side, elections administrators at the state and at the local level, and you have some of the best from across the country here at the panel having to take a crash course on cybersecurity. Does it mean the intelligence community wasn't looking at the election space before? Does it mean that the elections administrators weren't thinking about cybersecurity before? But boy, there's never been such a spotlight and emphasis as there has been since 2016. Through today, through this November, onto 2020 and beyond. It's our new reality. So that being said, I do want to just offer a couple of points, maybe tee up some questions and conversations later. I mentioned I'm here to learn. I mentioned our comprehensive look at cybersecurity. It's not just replacing equipment, upgrading firewalls, and what's the latest encryption technology for us? It's also about professional development and training. You can have the best protections in place, but if you still have state or county employees clicking on a link sent by that long-lost uncle who just won the lottery, right? What's it all for? It all gets compromised, right? So training and cyber hygiene is an important part of our comprehensive strategy. How we not just secure our elections infrastructure in our processes, but counter misinformation and disinformation. This information, that's a big part of what we're grappling with in this comprehensive look. So much more than that, but just to give you a flavor of how it's a much more comprehensive approach and strategies that we're taking in California and I think across the country if I can speak for my counterparts for a second, and last but not least in my opening remarks. While I thank the United States Congress for appropriating $340 million last month, let me be abundantly clear, we need more resources, right? All the things that we know we have to do, all the things that I'm going to learn and observe, because I'm going down to the village after this panel, to implement and act on all these findings, recommendations and discoveries, we need additional resources. So the money that came to states by Congress last month is not new money. It's the remaining help America Vote Act dollars that were just appropriated last month but authorized 15 years ago in the wake of Florida 2000. I call that money, after I say thank you, that's butterfly ballot hanging Chad money, not cyber threats, 2016, 2018, 2020 money. We need more regular, more consistent support for constant increasing of our cyber defenses if we're going to be serious about this conversation. Cyber security and election integrity is not something that we should invest in only once every 15 years. And so again, a thank you for last month's appropriation, but we need more. And on that front, I do speak for all of my colleagues across the country, both Democrat and Republican and local county elections officials throughout the country as well. So we're going to need your support in that. We're going to have some enlightenment going on, some lessons learned going on today, but when we all leave this gathering, this convening and we go home, I need you all to be advocates for more investments in election systems and integrity at the county, at the state, and especially at the federal level. Thank you very much. Thank you, Secretary Padilla. And with that, we'll turn it over to you. No, I pray it's a good county. All right. Hey, good morning everybody. Good morning. So thanks for doing this. Our community is trying to figure out how best to engage. I was asked yesterday, why are we here? And sure we can learn some specific technical stuff, but I think more importantly, I think about four years ago when a couple of guys from here took over a jeep wirelessly. And then they went to work to help Chrysler make sure that those exploits aren't possible anymore. We cannot pay in our community for the expertise that you all bring. And so we're going to mature a strong relationship between the voting community and the security researchers. So we're in the beginning stages of that. I'm excited to see how far we've come in the last year, the folks that are here. And anyway, we're all committed to the same goal. So anyway, my name is Noah. I'm the director of elections in suburban Cook County. Like Secretary Padilla said, we've been securing votes, voter records for a long, long time. It's not our first rodeo, all right? Prior to, how many of you guys were around doing this stuff before 2000? Okay, so back then, I like to say we were logistics managers, mostly. It was a wedding planner era of election administration. We bring together a list of people, put them in a place on one day holding an election and it's done. Obviously 2000 exposed serious flaws with punch guard technology. There was a significant disparate impact in some communities. And the federal government got involved for the first time in elections, spending significant, something like three and a half billion dollars. And it ushered in a whole new era of technology, some of which is problematic now, touch screens without paper trails, certainly. But we all had to switch from logistics managers to become IT managers, legal compliance managers. 2016 was another sort of inflection point. Because now, given the probability of attack, we've got to become cybersecurity managers. So spurred by the need to defend our systems against foreign actors, the federal government and the states, and many of us locals have been sort of negotiating a relationship. Secretary Lawson likes to say it was an arranged marriage, and it's going as well as any arranged marriage could be. But the states have zealously guarded what has traditionally been their domain of managing elections. And they've been very helpful. Secretary Padilla is a great spokesperson. In the run-up to the 2016 election, my boss as a Democrat pointed a lot to Secretary Hew said from Ohio because he was out front saying these systems aren't rigged. It's important in elections that we're able to maintain a nonpartisan approach to what we're doing. So the secretaries of state, state election directors certainly deserve a lot of credit for their efforts. And at the risk of being a little overly broad, though, local election officials, like myself, there's 108 in Illinois, 8,800 around the country, we bear the brunt of running elections. We lock the warehouses, we program the machines, we review the tapes and the logs. We push the equipment out, program it, audit it, count the votes, and release them. And it's tough. Somebody said we're like, with a nation state actor coming out of small county, it's kind of like Andy and Mayberry being sent out, sent out to defend against a foreign attack. These are shadowy adversaries that we're facing and we're all coming to terms with how best to partner with the states and with DHS as sort of force multipliers for us to help us in our efforts. In Cook County, we've studied this a lot. As Jake said, we put out, after last year's DEF CON, a white paper, we focus our efforts around three things. It's defend, detect, and recover. It lines up pretty closely within this cybersecurity framework, but it's easier to remember. Three instead of five points. We partner with the Center for Internet Security when they published their election handbook. We worked with the Belfer Center. A lot of great contents being made. I sit on the Government Coordinating Council. It's a construct of the Homeland Security of the critical infrastructure. There are eight secretaries of state, eight state election directors, nine locals, the chair of the Election Assistance Commission. And we're working hard to sort of help DHS prioritize the investments that they're making, that they're making in our space. So what's become clear to me as we study this is that each election office needs somebody to own security. There are 8,800 of us. We're one of the biggest. We've got one and a half million voters, 100 employees, $20 million budget. And we're able to sort of specialize some resources. And even we decided that we needed to make another position and hire an InfoSec officer in our office. We partnered with the Chicago Board of Elections to do that as a shared resource. And we've been pitching this idea, been pitching it to the Secretary of State and the state election directors, that this money that was just given, the leftover butterfly ballot, hanging Chad money, it's not nearly enough to do a technology refresh. But what it can do is if it's employed right, is the states can hire staff to go partner with local election officials with this expertise. We're not yet cybersecurity managers. Most election officials have one or two people in their office. They outsource most of the work they do. And it's really difficult to conceive of the idea that we can absorb the 20 emails we get from the ISAC every week with listing every vulnerability. The idea that we can dig deeply into the Belford recommendations or the Center for Internet Security without a partner focused specifically on this. So it's interesting to see some of the states stepping up in Illinois. Our legislature required half of our HAVA funds. So about $7 million be spent on a, they call it a cyber navigator program. So we're putting 10 or 15 people on the street in the next few weeks partnering with like adopting five counties and going in there, helping them increase their defenses. Not by creating sort of new material, there's plenty of great material out there, CIS, Belford, specific DHS recommendations. But to help us defend our systems, helping sure we've got the best detection techniques so that when a successful breach occurs, we're able to find it and to make sure that we've got mature disaster recovery or business continuity plans. So that's, I think, a big focus in our industry right now. Obviously, defense is very difficult. I mean, you can ask Uber or Equifax, HBO, Sony, it's just a very, very difficult thing to do. So the key for us is elections administrators to make sure we're resilient that we can overcome any successful attack. Obviously, that's pretty easy in most of the country because there are paper ballots or VPATs. Increasingly, there are great auditing techniques which would indicate when something went wrong and establish the ability to put out results that are trusted and true. So anyway, y'all are on the floor. I'll pass this along to Amber, but I really appreciate your focus on this and appreciate the sort of maturing sense of nuance that there is in elections. It's not a binary question. We're wrestling with our ability to provide accessible ballots to everybody, and that isn't always lined up with the easiest systems to defend. So anyway, appreciate your time and Amber, McDonald's now. Hi, well, I'm super excited to be here. This is, again, my first DEF CON. I couldn't come last year. I have a five and a seven-year-old, so I need to ask somebody to get another one of these badges because I cannot go home with only one. It's very cool. I'm going to need to take one for both. So I've been director of elections in Denver for seven years. I've been in the office for 13. I started as an operations coordinator that oversaw the mail ballot process and then I moved to a management role. And then I was deputy director starting in 2008 and then director starting in 2011. So 13 years I've been administering elections and touched various points in the process. And the one thing that when I came into Denver, Denver was not known for running good elections. Most of the systems were completely outdated, pretty backwards in a lot of ways. And as a 26-year-old coming into the office at that time, now you know how old I am. I kept asking why to all of the people that had been there. And the answer was always we've done it this way for 15 years or we've done it this way for 20 years, so we're going to keep doing it this way. And I'd also come in kind of after Florida 2000 and the one thing that I always say is about elections is elections are about people and process, people and process throughout. Technology supports a lot of those things, but it's ultimately about people and process. And the problem that happened sort of after 2000 is nobody asked questions about how do voters want to vote, what should the voting model look like, what should we do to change policy to make it easier. It was just basically a money dump into various systems that now nobody's using anymore because there's various issues that were identified with that. So there was sort of this rush if you will to purchase equipment and deploy systems that actually do not have any benefit to the voter or respect voters in terms of what they want to do. So in asking all those questions and for many, many years every day I'd go home from work thinking how can we make this better for people. And so we've tried that's been our mission in Denver is to try to redesign the process and make it more effective for voters. So a couple things about Colorado, we deliver a ballot proactively to every voter that's on the rolls prior to the election. We have same day registrations. You can literally come in on election day to a vote center, any one of them and you can, if you're not registered to vote, you can get registered to vote right that day. So this, your name not being on the poll book or you not knowing where to go with your polling place or any of that is eliminated. So since we've done a lot of those reforms, that also means that more than 99% of our ballots in most cases are a paper ballot that the voter hand marked and then the remainder are marked at vote centers on a ballot marking device but still a paper ballot. So every ballot in Colorado is counted in a central place. We don't tally anything at vote centers. We don't tally anything at polling places. We don't have cartridges. We don't have USBs. We don't have equipment moving around in the field. We literally transport all the paper ballots that are cast in the field on ballot marking devices if it's at a vote center or if it's using the mail ballot we mail to the voter. Everything is a piece of paper. We had the fourth highest turnout in the country in 2016. We have the highest, we have the highest voter registration rate as a percentage of population as well. So Colorado has a lot of from a policy perspective doing things very well. The other policy that we just implemented and we were the first state to do this and I'm going to call out two people from Colorado that are in this room that had a lot to do with it. Dwight Schellman, I don't know where he were. Oh, there he is, see? He's way over here. Dwight Schellman is from the Secretary of State's office and the risk limiting audit that we deployed as a state would happen without Dwight Schellman. So Dwight Schellman is, if you want to know about a risk limiting audit process or anything with that, he's here and he's amazing. And then Jennifer Morrell, who was the director in Arapaho County and then now has gone to be a risk limiting audit senior advisor at Democracy Funds where she's now helping everyone else deploy audits across the country. Both of them are Coloradans, both of them were leaders in terms of getting this policy deployed for us. So we have all these great things that are happening in Colorado and a lot of it has been literally organically driven by voters. Voters started requesting their ballots by mail. They started asking us for that. And so we got to 2012 and we were 80% plus people requesting to get their ballot by mail and so then we decided okay, let's just deliver a ballot to everyone because the 20% are all calling us asking us why we didn't send them one because we didn't want to send them one. So we did that and it was all designed and centered around the voting process and making the process better. It wasn't a technology decision, but there's outcomes that have benefited technology but it was about people and process and making that better. In terms of cybersecurity and making sure the election is secure, cybersecurity is not our only vulnerability in the election process. That's bomb threats, all kinds of other things that election offices face. We have challenges that happen all the time whether it be fires at polling stations or vote centers and we have to move everybody or any of these sorts of disasters. This one is one that election officials and you heard this, there's 8,000 local election officials across the country. Cyber and technology is not a strength that most of them have. In Denver, and I don't either. That is not my graduate work. But in Denver, we're sitting in a county as a whole. We have a centralized technology services department with a security team. Four or five years ago, I went to them and I said, look, I want you to help us figure this out. We've been part of that jurisdictional security plan, the elections doing penetration testing, doing all this prior to the election but we've collaborated with our technology services department and the chief security officer for the city. And that collaboration and that commitment and that coordination are all keys to making this better. And then the final sort of C word that I'll throw out there in terms of ways to make this better is continuous improvement. When I came into Denver 13 years ago and I was asking why, it struck me that no one was curious or creative about solving problems. We were not at all in a model where we could continuously improve what we were doing. And that's exactly what we have to be doing as election officials to make this better over time because the threats we face today, as you all know, are going to be very different tomorrow and are going to be very different five years from now. So we have got to get to a place where the elections world is agile and get in this mindset of continually improving and having curiosity about how to make things better. And we've got a lot of good examples of that in Colorado and it's been an honor and a pleasure to be the director of elections there and election officials are committed to doing this. They work extremely hard to make sure that you get your vote delivered to you in some way that's at a polling place or mail ballots but they're not technologists and they need people in this room and there needs to be collaboration and coordination amongst everyone that's involved. It's a community effort and voting should be a community. Voting is the quintessential community effort and so it does take a broad community of people committed to make this better. So with that I'm going to turn it over to Neil Kelly. He's amazing from Orange County. He visited his website. He's got all kinds of data analytic tools and he's done a whole bunch of awesome things in Orange County to make it better. It does not look today like it did when he got there. So he's one of the premier election officials in the country and always happy to share a panel with him. Likewise Likewise, thank you Amber. First of all I'm going to sit here not because I'm very proud to be in California under Secretary Padilla's leadership which I am but the Venetian is a lot further away than it looks and I would advise not running here because the last headline I want is election official passes out at DEF CON so I'm going to sit right here. Yeah I know a little bit about Orange County 1.6 million registered voters I've been the election official there for 14 years. The average tenure I think of election officials in large counties is not generally 14 years so I'm glad to say I think we're doing some things right in Orange County. We're more diverse than I think a lot of people think. The stereotype of Orange County is that it's heavy Republican. We're actually kind of split between Dems and Republicans now in Orange County. So the Reagan era of what you thought about a long ago in the 70s and 80s it's much more diverse. We support seven languages in Orange County in the election office so definitely a diverse office and women by the way are registered at higher rates in Orange County than men and they turn out at higher rates in Orange County than men and I thought well maybe that's because men tend to not live as long as women but it's the opposite in some other counties so it's interesting to me. I think it was teed up very nicely by the way and I just do want to say thank you Secretary Padilla because under his leadership he really has been focused on elections in California and I'm very proud to be a part of that partnership. Like Secretary Padilla said I was contacted like he was in the spring summer of 2016 and everything changed for us as Amber said we were focused on security before that. We were hyper focused on security after that because things definitely changed and I kind of want to walk you through some nuts and bolts of what we're doing in Orange County related to the security side. So previously you would think of big events and incidents in elections would be acts of God and some other things but not necessarily the security side and that certainly changed overnight for us. Prior to 2016 you would think of fires and we're dealing with that in Orange County right now we've lost a polling place because of the fire that's going on right now so those things do happen but after that spring time of 2016 we saw a voter data theft, phishing attacks certainly were on the rise doxing of political campaigns and then scanning of systems. The scanning of systems as I'm preaching the choir here goes on all the time, thousands of times a day so that really wasn't news for us, what was news for us is where they were coming from and looking at those IP addresses very closely. I sit on the Government Coordinating Council with NOAA and I'm proud of the work that DHS has been doing in this space and looking forward to continuing that effort. So specifically for us on the physical side we've changed a lot of our physical security can't talk completely about that but you think of the building and how ballots are transported and the chain of custody side of this, we have really enhanced that. On the cyber side we essentially have a three layer approach to that security in the county and Orange County I think as a whole does very well at that but there's no finish line to this process, it's ongoing and we're going to continue to work on that and the one that I'm concerned most about is the social aspect because the phishing campaigns are a big concern and like Secretary PD said you can have one individual in one office can click on something and can cause problems so the training side has increased tremendously for our employees and yet we still see on the social side employees doing things that we need to continually train against because this is going to be an ongoing struggle for us. We have added and I know many of you are aware of these sensors, Albert Center to our system because I believe the voting systems definitely are tremendous vulnerabilities there and we need to keep plugging those but also the voter registration systems are a concern because that's one of the things I lose sleep about is what can we do to continue to protect the voter registration system so that our sensor is something that we have put in place recently and that end user training and awareness I think just has to continue because that's going to be a problem. The second is third party review and I want to talk about auditing in just a second but third party review I think is also very important because I can't sit up here and say I think our date is great and take my word for it we need that third party auditing and review and they're going to have a yearlong partnership with us to scrutinize our data and to look at what we're doing and to have a third party review that I'm not afraid to be transparent I think we need to open it up. I think all election officials need to open it up to be more transparent and as Jake said earlier we recently released a cyber well no it's not cyber it's election security playbook and that election security playbook is on our website I put it out there for the public to the things that we can talk about publicly here's what we are doing to protect your vote because I will tell you one of the biggest questions that I get is what are you doing to protect our votes and I want to be forthcoming and transparent in that process so just real quick the auditing I think is the biggest piece to this can I use this analogy on you just for a second so the commercial aviation industry the systems are both people and technical if the system fails God forbid you can have a disaster but there's auditing in that component which is the flight data recorder and you can go back and figure out what happened what did occur same thing on the auditing side there is a bill in California right now I'm sorry I don't remember the bill number but that bill thank you very much that bill is moving forward I suspect continuing to move forward I think it's going to be I think scheduled for a senate vote pretty soon to allow risk-limbing audits in California not mandated but to allow it in lieu of the 1% audit that we currently do which is 1% of the precincts that we audit by hand I still think that's helpful because you're physically auditing those ballots but risk-limbing audits like they were doing in Colorado they are doing I hope to have that in California we just did a pilot in June which is one of the most important tools that we can do because at the end of the day if we do all the things that we're supposed to be doing on physical and cybersecurity enhancements and we still have a problem how do you detect it we need to be able to detect that and so I am an advocate for auditing I'm an advocate for transparency we need to continue this process and finally paper is very important so we in California maybe there's two counties still left in California that are running electronic systems in the polling places and we have paper backup on that system which I think is absolutely critical and we have about a million vote-by-mail voters that are using paper there are debates in the industry about whether paper vote-by-mail is the right way to go from a security standpoint I happen to believe it is but still you have that paper backup and that audit trail so I just want to share with you again I'm here to learn and I appreciate the invite Jake very much and I believe in transparency and I think we need to continue to improve that process thank you very much alright thank you very much and thank all of you for coming here like Woody Allen says half of life is showing up and so the fact that you guys showed up and then also these talks were very informative and shows I think that people are taking that many election officials are taking this stuff incredibly seriously so with that I want to open it up to questions anybody yes sir does anybody want to take that so the question was it was noted that the vendors that are not up here and not present and do we think that the vendors are taking this seriously I can speak to one vendor that I know my observation and sort of the way that I've approached things in Denver is we rely very little on the vendor so we don't have them program any of our any of our files we don't have them involved in anything we've purchased software and we use their system and it's all cots it's a ballot marking device and we constantly give them feedback and they actually listen to us and make changes and so we've had a very good kind of relationship in that way I am not easy on them which is one of the things that I think is important for election officials like we you have got to hold vendors accountable for your needs our vendor that we use came to me five years ago and kind of showed me what they were thinking in terms of their next generation of their system and I told them that I wouldn't buy most of it and so they actually went and worked with us and redesigned some things to be cots so the vendor community is critical to this not every local election office like Orange County or like Cook County or like Denver because we all program our own stuff we probably rely very little on vendors to do anything but that is not the case for most of the local election offices across the country and they rely on vendors and the one thing that has been sad for me to see especially in small counties they don't most rural counties if you have a thousand people in your county or you have even 10,000 people often don't have full time county attorneys to help them with contracts they don't have full time technology staff so I believe the vendors some vendors have probably unfairly targeted many of those election officials and sort of gotten them into very expensive contracts or very expensive services it's hard for those local election officials to get accountability so that's really where local election officials are the ones actually doing all the process of the election but this is really where the states can really help the local election officials especially in California especially in Colorado and other places but that's really where the state can get involved with certification or how testing happens to make sure that those kinds of things don't happen to local election officials so vendors key Jake mentioned this we've started to look at some different open source types of systems not necessarily different from other things that we're doing the RLA tool the riskal main audit tool that Colorado now has is open source so I think that is something that we as a community need to continue to engage on and figure out what the best path is forward one thing real quick so I wanted to just add one piece we've talked a lot about some folks mentioned the government coordinating council the department uses to bring everybody together on the state and local side we've also established a sector coordinating council which is our term for bringing industry together so we have these these authorities that allow us to have non-public conversations with industry our focus was the priority is state and local but it is also important to bring the vendors together we they are all now together they've signed their charter which is I know that sounds like bureaucratic but that's actually really important to be able to bring a bunch of different companies together that are competitors and being able to say look we're all committed to working with each other and working with our federal state and local partners it's very important so yes they take it seriously and I know many of them are here but yes there is a lot more work to do and similar to the work that we do with other industries whether they're in the electric sector or the medical device sector we need to continue to work with them we need to make sure that they have information that the government might have to better protect their systems but we also we need to continually challenge our critical infrastructure community to improve the security of their products so we're continuing to build it they're at the table so that to me shows me that they're committed but that's just the first step just to add briefly I agree they can be helpful and should be helpful there's a lot of expertise and experience to tap there but it's clear in my mind that it's contingent upon states of what security standards are, what they need to be including in there by the way paper boughs, paper boughs and at a minimum a voter verified paper audit trail so I just hope that the vendor community hears that loudly and clearly and comes forward with products that reflects what we are sharing as best practices and standards that's the point of all this collaboration on a related note I will call attention to a new law in California I don't know if we're the only still or for the first in addition to all the measures we take to help protect our voter registration database which is different by the way than the online voter registration availability in California many states have online voter registration separate apart from that for, there's been a big misperception when there was this brief commission that the administration set up to look into massive voter fraud which does not exist whether or not the voter database is public information the voter database is not public information some voter information is made available for certain uses like campaigns for their outreach, journalistic uses research, academia, etc we now have in place in California a requirement upon third parties if they have access to some of this voter information and their systems are breached or they're compromised somehow to notify us, that wasn't the case before and they're not required not just to notify us but to cooperate with us in any sort of investigation or audit to figure out what happened if there's any exposure there so I know that's not vendor specific but I think pointing to an example of the third party responsibility here which we have quickly gained an appreciation for okay anybody else yeah go ahead I'm concerned about allowing wireless connectivity allowing modems allowing barcodes and it has concerned me that I haven't seen more of the presidents from DHS or from election officials in that process because those voluntary voting system guidelines are going to shake all the initiatives that we have like for the next 10 years and we want to be nipping those security problems in the bud not after the machine takes certified and my question is to DHS and election officials are you on other calls that I'm not aware of like involved in the shaping of those voluntary voting system guidelines or can you be more involved letting them know what you might be concerned about thank you okay and if we can be quick with our answers because the fire marshal is mad at us again and I'll take one more question after this but whoever wants to yeah ditto but I I'm going to go to miss for years now we have not we were not previously involved in the voluntary voting standard guidelines but yes we're very involved in providing security expertise the concept is to like much of the standards development process where you're looking for expertise the working group is trying to understand different perspectives but then there will be a review process and sort of coming together and we will work very closely regarding EAC and NIST and we have folks a lot of whom are here will actively be involved in that review process just real quickly I came in on the tail end of the approval of VBSG 2.0 on the committee for EAC and so not only am I involved but where the rubber is really going to meet the road and I think you've touched on it really well is the requirements right you have that framework now with VBSG 2.0 but you've got to make sure the requirements are adequately established and so I am very involved in that and I think your points will meet well we'll go with the guy by the door since we all need to leave after this sir here you can use the mic given that we know that Russia's interfered in some elections recently probably we'll do again do you think that the Trump administration should declare it as active war to meddle in elections and then immediately put Russia on notice as a representative of the Trump administration I will say I active war I think it is no I don't think it's an active war I think again remember this is not new other nations have been trying to undermine our democracy for decades and this is just a new way of doing it and and then I would say I believe we have we have issued many sanctions and you know we continue to look for all the tools that we've got in our deterrence toolbox but sort of what I talked about earlier is I'm still a believer that you know defense a stronger defense can be the strongest deterrence and it's not easy to continue to use the tools that are unique to the government and we'll continue to do that but that's why we're here because we've got to make it harder for them and we have to do that together so hopefully that answers your question okay so with that how much time we got so look I appreciate the question and while you know cyber warfare is different than traditional physical warfare I think a threat if not an outright attack on our democracy needs to be recognized for what it is respectfully we're working together but I am not a representative of the Trump administration right one of the things that you and all of your colleagues will say it takes what we face in 2016 and our continue to face now requires a whole of government response right that's not classified you've been saying it publicly requires a whole of government response last I checked the person who sits in the Oval Office is a part of our government and as great as we're working together we still need the right words to come out of the mouth of the sitting president of the United States of America and it has not and when he comes close he always equivocates and that sends the wrong message we're working behind the scenes to buttress our defenses I leave it to those with the appropriate clearances to figure out what we're doing in response or proactively etc but I think from an election official's perspective we need three things unequivocal recognition by the president on what happened in 2016 we need ongoing resources and commitment to constantly invest in election systems and it would go a long way to hire to designate a well-respected coordinator out of the White House on cyber security because that position is currently vacant and that vacancy speaks volumes alright with that thank you to everybody who came we really appreciate your participation thank you for everybody who has questions and now we have to get out of here because the fire marshal is pissed off at us