Hearings
Hearing Type: Open
Date & Time: Wednesday, March 21, 2018 - 9:30am
Location: Hart 216
Witnesses
Jeanette Manfra, Assistant Secretary, National Protection and Programs Directorate (NPPD), Office of Cyber Security and Communications, U.S. Department of Homeland Security (DHS)
Eric Rosenbach, Co-Director, Belfer Center for Science and International Affairs, Harvard Kennedy School
Amy Cohen, Executive Director, National Association of State Election Directors (NASED)
Full Transcript
[Senate Hearing 115-347]
[From the U.S. Government Publishing Office]
S. Hrg. 115-347
OPEN HEARING: ELECTION SECURITY
HEARING BEFORE THE SELECT COMMITTEE ON INTELLIGENCE OF THE UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
WEDNESDAY, MARCH 21, 2018
Printed for the use of the Select Committee on Intelligence
Available via the World Wide Web: http://www.govinfo.gov
U.S. GOVERNMENT PUBLISHING OFFICE 29-480 PDF WASHINGTON : 2018
For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.
SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]
RICHARD BURR, North Carolina, Chairman
MARK R. WARNER, Virginia, Vice Chairman
JAMES E. RISCH, Idaho
DIANNE FEINSTEIN, California
MARCO RUBIO, Florida
RON WYDEN, Oregon
SUSAN COLLINS, Maine
MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri
ANGUS KING, Maine
JAMES LANKFORD, Oklahoma
JOE MANCHIN, West Virginia
TOM COTTON, Arkansas
KAMALA HARRIS, California
JOHN CORNYN, Texas
MITCH McCONNELL, Kentucky, Ex Officio
CHUCK SCHUMER, New York, Ex Officio
JOHN McCAIN, Arizona, Ex Officio
JACK REED, Rhode Island, Ex Officio
Chris Joyner, Staff Director
Michael Casey, Minority Staff Director
Kelsey Stroud Bailey, Chief Clerk
CONTENTS
MARCH 21, 2018
OPENING STATEMENTS
Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina
Warner, Mark R., Vice Chairman, a U.S. Senator from Virginia
WITNESSES
Panel 1
Nielsen, Kirstjen, Secretary, Department of Homeland Security
Prepared statement
Johnson, Jeh Charles, former Secretary, Department of Homeland Security
Prepared statement
Panel 2
Manfra, Jeanette, Assistant Secretary, National Protection and Programs Directorate, Office of Cyber Security and Communications, Department of Homeland Security
Condos, Jim, Secretary of State, State of Vermont
Prepared statement
Cohen, Amy, Executive Director, National Association of State Election Directors
Prepared statement
Rosenbach, Eric, Co-Director, Belfer Center for Science and International Affairs, Harvard Kennedy School
Prepared statement
SUPPLEMENTAL MATERIAL
Prepared Statement of Thomas Hicks, Chairman, U.S. Election Assistance Commission
OPEN HEARING: ELECTION SECURITY
WEDNESDAY, MARCH 21, 2018
U.S. Senate, Select Committee on Intelligence, Washington, DC.
The Committee met, pursuant to notice, at 9:34 a.m. in Room SH-216, Hart Senate Office Building, Hon. Richard Burr (Chairman of the Committee) presiding.
Present: Burr, Warner, Risch, Rubio, Collins, Blunt, Lankford, Cotton, Cornyn, Feinstein, Wyden, Heinrich, King, Manchin, Harris, and Reed.
OPENING STATEMENT OF HON. RICHARD BURR, CHAIRMAN, A U.S. SENATOR FROM NORTH CAROLINA
Chairman Burr. I'd like to call this hearing to order, and at the beginning of this hearing I would like to thank all the members, the witnesses, the press, and those visitors that we have today, with the inclement weather that was predicted and some has fallen. We thought it was important to continue this hearing, so I'm grateful to each of our witnesses.
And to those that couldn't make it because of flights today, we have tried to adjust so we've got the appropriate witnesses for the second panel as well. Today the committee convenes the first open hearing to reflect the progress and preliminary recommendations and findings of our investigation into Russia's attempt to interfere in the 2016 U.S. elections. I'd like to welcome our two distinguished witnesses: Secretary of Homeland Security Kirstjen Nielsen; and former Secretary of Homeland Security Jeh Johnson. Jeh, I am grateful for the service that you provided to your country in a number of places. And, Secretary Nielsen, I have enjoyed very much the time that you have been there and look forward to what we can accomplish between this committee and the Department of Homeland Security in the future. I want to thank both of you for being here--for being here together, which I think is unprecedented, and I am grateful to the Administration for agreeing. It speaks to the importance of the issue and sends a message that transcends partisanship. The Vice Chairman and I asked the two of you to appear together to tell the story of what happened in 2016, how the Department reacted then and how it has evolved and what it is doing today. I think your collective remarks will show the remarkable evolution of an agency that is playing an increasingly important role to support the states. When this cyber threat surfaced in 2016, many struggled to understand the attack, the intentions behind it, and how to respond. By the beginning of 2018, however, DHS has made great strides towards better understanding elections, better understanding the states, and providing assistance that makes a difference to the security of our elections. But there's more to do. There's a long wait time for DHS premier services. States are still not getting all the information they feel they need to secure their systems. 
The Department's ability to collect all the information needed to fully understand the problem is an open question, and attributing cyber attacks quickly and authoritatively is a continuing challenge. Secretary Nielsen, as you appropriately note in your statement, the administration of elections is the responsibility of the State and local officials. And the support your agency provides is on a voluntary basis. What we've learned is that states will only engage with the Department if they feel there's value. And I'm confident that the customer service, if you can call it that, and the value you're providing to your State partners is improving every single day. Securing our elections requires immediate action and the urgency is reflected in the committee's recommendations released yesterday. We've convened today's hearing, in the midst of a snowstorm of sorts, to speak to the American people publicly about the threat posed by Russia and the efforts by our Federal, State, and local governments to protect against it. This issue is urgent. If we start to fix these problems tomorrow, we still might not be in time to save the system for 2016 and 2020. I understand, Secretary Nielsen, you have a hard stop, something about a Cabinet meeting, and we respect those Cabinet meetings when the President calls it. So in the interest of time, I will end there and I will turn to the Vice Chairman for any remarks he might have.
OPENING STATEMENT OF HON. MARK R. WARNER, VICE CHAIRMAN, A U.S. SENATOR FROM VIRGINIA
Vice Chairman Warner. Thank you, Mr. Chairman. I'd like to welcome the witnesses as well. Today's hearing comes at a critical time. The committee remains in the midst of our bipartisan investigation into the Russian attacks during the 2016 election, and we still have more work to do. However, we as a committee felt it was important to move out our initial findings and recommendations on securing our election infrastructure, given the upcoming elections in November.
Our main question today is, how do we protect 2018 elections? And the threat is real and growing. During the 2016 campaign, we saw unprecedented targeting of election infrastructure by Russian actors. Russian hackers were able to penetrate Illinois' voter registration database and access 90,000 voter registration records. They also attempted to target the election systems of at least 20 other states. The intelligence community's assessment last January concluded that Russia secured and maintained access to multiple elements of U.S. State and local election boards. The truth is clear that 2016 will not be the last of their attempts. Just weeks ago, we heard from all our top intelligence officials testifying before this committee that the Russians will continue to attack our elections. Unfortunately, there are signs that the Kremlin is becoming more brazen. As we saw recently, the Putin regime was behind an assassination attempt on European soil with a prohibited military-grade nerve agent. This is obviously not the action of a regime that will be easily deterred. So how are we prepared to come against this threat that we know is coming again? Elections at all levels are central to our democracy, to our institutions, and to our government's legitimacy, and I remain concerned that we're still not fully prepared. Candidly--and I've shared this with both of you--I was disappointed on how the Department of Homeland Security, the primary U.S. government agency responsible for election security, approached this issue early on. During the 2016 election, officials at both the Federal and State level were caught flat-footed, and the follow-up from the new Administration was not much better. Last June we heard from DHS, FBI, and State election officials about the threat to our election systems, which, based upon Secretary Johnson's earlier actions, DHS considers part of our Nation's critical infrastructure. 
Despite evidence of interference, the Federal Government and the states had barely communicated about strengthening our defenses. It was not until the fall of 2017 that DHS even fully notified the states that they had been potential targets. And unfortunately, that was an issue that members of this committee, bipartisan, stressed in our hearing last June. Candidly, we have to improve those communications. But clearly, more must be done, from hardening our election registration and voting systems, to ensuring that voting machines have backup paper ballots, to instituting audits and providing additional Federal assistance to those states that request it. One area I know that we're not going to talk about today, but I think does need additional investigation, is how we make sure that the ultimate startups, campaigns, have to practice basic cyber security. The threat is real and the need to act is urgent. We need the Administration to accelerate its efforts. Perhaps most of all, we need a President who will acknowledge the gravity of this threat and lead a whole-of-society effort to harden our defenses and inoculate our society against Russia's malicious interference. The fact that the President did not even bring up the topic of our election security when he called Vladimir Putin to congratulate him on his victory in a precooked election I believe is extremely troubling. The good news is this problem is not a Democratic or Republican one, and I personally want to thank all the members of the committee on both sides of the aisle for the good work that they've done. We're going to hear from some of them who've been working on a set of recommendations, and Senator Rubio has also been working on a set of recommendations. We all have to get this done and we have to act quickly. Again, I am pleased to have both of the secretaries here. I know it's a little bit unprecedented. I thank them both for being here and thank them for getting through the storm. With that, Mr. 
Chairman, I look forward to our hearing.
Chairman Burr. I thank the Vice Chairman. This morning we'll hear from Secretary Nielsen and Secretary Johnson. Their testimony will be followed up by questions of up to five minutes from members, recognizing first Senator Collins, followed by Heinrich, Lankford, Harris, the Chair, the Vice Chair, and then members based upon seniority after that. Having covered that, Secretary Nielsen, the floor is yours.
STATEMENT OF KIRSTJEN NIELSEN, SECRETARY, DEPARTMENT OF HOMELAND SECURITY
Secretary Nielsen. Well, good morning. Thank you for having me here. I want to thank Chairman Burr, Vice Chairman Warner, and all the members of the committee for not only the opportunity to testify, but I really do want to thank you for your leadership. Your bipartisan efforts here to assess what we did, what we didn't do, what we can do better, what we can do better in partnership, really can't be overstated in terms of its importance, so I thank you for that. Before we begin, I just wanted to extend my thanks to the first responders who've been working around the clock in Texas on the package bombing case. At DHS we've been in close contact with those on the ground and, although the situation appears to be over, we urge the public to remain alert and report any suspicious activity or packages or devices. Over the course of nearly three weeks, at least seven explosive devices were encountered in and around the Austin area, with five of them unfortunately detonating. Our thoughts go out to the victims and their families, and our gratitude is extended to the front-line defenders who helped locate the alleged perpetrator. The suspect is now deceased, but the case is yet another stark reminder of the importance of both public vigilance and also how important it is for close Federal, State, and local coordination. That coordination is also relevant, clearly, to the issue we have before us today.
In a democracy, citizens must have faith that their vote counts and is counted correctly. Recently, in the United States and around the globe, we have seen malicious foreign actors attempt to subvert democracy by taking action to influence voters and by exploiting vulnerabilities in cyber space to attack election systems. In 2016, we know that Russian actors targeted State election systems. We have no evidence that votes were changed as a result of their efforts. However, the threat of interference remains and we recognize that the 2018 midterm and future elections are clearly potential targets for Russian hacking attempts. Today we have a whole-of-government effort to improve the resilience and security of those systems, which is led by DHS with assistance from the Departments of Justice, the FBI, and the Office of the Director of National Intelligence. We are working with the vendor community and, most importantly, we are working in voluntary partnership with our State and local election partners. There is also a separate initiative to address efforts by foreign nationals to influence our elections through messaging, propaganda, and manipulation. I think this is also a very important topic. That effort is being led by the Department of Justice, the FBI, and the Department of State. While DHS will, of course, support this effort, I will let my colleagues discuss their work in that area, and instead today I look forward to discussing the work that the Department is doing to assist State and local officials to harden our election systems. Under our Constitution and laws, as has been mentioned by the Chairman and the Vice, the administration of elections is the responsibility of State and local officials. The Department's mission is to provide assistance and support to those officials in the form of advice, intelligence, technical support, incident response planning, with the ultimate goal of building a more resilient, redundant, and secure election enterprise. 
Our services are voluntary and not all election officials accept our offer of support. We continue to offer it; we continue to demonstrate its value. But in many cases, State and local officials have their own resources and simply don't require the assistance that we're offering. DHS typically offers a range of technical services. We'll go into some detail today about those. More than half of the states have signed up for our cyber hygiene scanning service, which is an automated remote scan that gives State and local officials a report identifying vulnerabilities and offering recommendations to mitigate them. We also provide, as I believe you all have noted, on-risk site--excuse me--on-site risk and vulnerability assessments. The assessments are more thorough. We do pen testing. It's a full report of vulnerability and recommendations, and over the past year we've increased the availability of these assessments and prioritized them. Information sharing is also critical. We share information directly with election officials through trusted third parties such as the Multi-State Information Sharing and Analysis Center, or MS-ISAC, and we look forward to the creation of the Election ISAC. The National Cybersecurity and Communications Integration Center, or the NCCIC, is the Department's hub for information-sharing activity. Actionable and timely information empowers election officials to make more risk-informed decisions. We must rapidly share information about potential compromises with the broader community so that everyone can defend their systems. This collective defense approach makes all election systems more secure. We're also working with State election officials to share classified information on specific threats, including sponsoring up to three officials per State with security clearances and providing one-day read-ins as needed when needed, as we did in mid-February for the secretaries of state and election directors. 
We are also working with the intelligence community to rapidly declassify information to share with our stakeholders. To be clear, there has been a learning curve on the sharing of information. The election systems in states are often owned and operated by different systems: the secretary of state, the State CIO, in some cases the State CSO, the governor's office, or even counties. While appropriate technical information and notifications were shared with system owners, we have taken steps to share information much more broadly and rapidly. Beyond sharing information, we also share best practices for risk management, such as paper ballot backups and risk-limiting audits. The ultimate goal, of course, is enhancing network protection, but we must be prepared for any eventuality, including unauthorized access to systems. The NCCIC is, again, the center of these efforts. Every day our protective security advisors and cyber security advisors located nationwide are working with election officials on incident response planning and crisis communications. Just yesterday, we had both our head of NPPD as well as our cyber security advisor in Cook County, real-time helping in case there was any issue with the election. DHS is committed to working collaboratively with those administrating our elections. We have formalized and better coordinated these efforts through the establishment of government and sector coordinating councils. And today I can say with confidence that we know whom to contact in every State to share threat information. That capability did not exist in 2016. DHS is leading Federal efforts to support and enhance the security of election systems across the country. Yet, we do face a technology deficit that exists not just in election infrastructure, but across State and local government systems. It will require a significant investment over time and will require a whole-of-government solution to ensure continued confidence in our elections.
Personally, I'm looking across my existing authorities as Secretary of the Department and looking at our available grant programs for opportunities to help State and locals in this area. I look forward to working with Congress. I read with great interest the recommendations that were released yesterday from your study and certainly look forward to working with you on implementing them. Thank you for the opportunity to appear and I look forward to your questions.
[The prepared statement of Secretary Nielsen follows:]
Chairman Burr. Secretary Nielsen, thank you very much. Secretary Johnson, you are recognized. The floor is yours.
STATEMENT OF JEH CHARLES JOHNSON, FORMER SECRETARY, DEPARTMENT OF HOMELAND SECURITY
Mr. Johnson. Chairman Burr, Vice Chairman Warner, other members of this committee: I am pleased to be here alongside the Secretary of Homeland Security as a witness and a concerned private citizen. I had the privilege of testifying before Congress 26 times in 37 months as Secretary, and if I'm not called back once in a while I begin to feel left out. I'm also pleased that this committee has undertaken this hearing on this important topic of election cyber security. You have my prepared statement; I won't read it in detail. It sets forth the efforts we made in the Department of Homeland Security in 2016 to assist states in securing their election infrastructure prior to the election and the five written public statements I made warning the public and the states about the cyber threat to the election. Beyond that, I'd like to say this: As each member of this committee knows, in 2016 the Russian government, at the direction of Vladimir Putin himself, orchestrated cyber attacks on our Nation for the purpose of influencing the election that year, plain and simple. The experience was a wakeup call for our Nation as it highlighted cyber vulnerabilities in our political process and in our election infrastructure itself.
Now, with the experience fresh in our minds and clear in our rearview mirror, the key question for our leaders at the national and State level is, what are we going to do about it? The matter is all the more urgent given the public testimony our Nation's intelligence chiefs gave before this very committee last month that the Russian effort to interfere in our democracy has not ended. I have seen this committee's draft recommendations for the future and I agree with them. The reality is that, given our Electoral College and our current politics, national elections are decided in this country in a few precincts in a few key swing states. The outcome therefore may dance on the head of a pin. The writers of the TV show ``House of Cards'' have figured that out. So can others. I am pleased by reports that State election officials to various degrees are now taking serious steps to fortify cyber security of their election infrastructure and that the Department of Homeland Security is currently taking serious steps to work with them in that effort. As a Nation we must resolve to strengthen our cyber security generally and the cyber security around election infrastructure specifically. Nothing less than the health and strength of our democracy depends on this. I look forward to your questions.
[The prepared statement of Mr. Johnson follows:]
Chairman Burr. Thank you, Secretary Johnson. It seems more than normal issues recently coming before this committee are not the jurisdiction of the committee. And were it not for the investigation, elections would not be the jurisdiction of this committee. But given the nature of our investigation, we have developed a committee of somewhat experts now on elections and election relationships between the Federal Government and the State. And that's why we asked Senator Collins, Senator Lankford, Senator Harris, and Senator Heinrich to take the lead as it related to election security.
At this time, I would like to recognize Senator Collins for questions, followed by Heinrich, Lankford, and Harris. Senator Collins.
Senator Collins. Thank you, Mr. Chairman and again, let me thank you and the Vice Chairman for your strong bipartisan leadership of this investigation. Secretary Johnson, let me begin by thanking you for your extensive public service, and I very much appreciate your being here. In the summer and fall of 2016, DHS and the FBI issued several technical warnings about possible activities against State election systems. These warnings took the form of a flash report or a similarly technical bulletin, and generally, the warnings went to the IT staff of states and not to the chief election officials. I've read one of the FBI flash bulletins. It is extremely complex and it just refers to unknown actors scanning systems. In retrospect, do you think that it would have been better had the FBI and DHS issued a more comprehensive warning that a nation-state was attempting hostile action against State election systems?
Mr. Johnson. Senator, let me respectfully disagree somewhat with your premise. I, in the fall, in August, September, October, issued five written statements to the public encouraging State election officials to come in and seek our cyber security assistance, over and above the technical messages that you cited, in mid-August, mid-September, October 1, October 7, October 10. On October 1st specifically, I said: ``In recent months malicious cyber actors have been scanning a large number of State systems, which could be a preamble to attempted intrusions. In a few cases we have determined that malicious actors gained access to State voting-related systems.'' That's a pretty blunt statement, in my view. We weren't then in a position in our intelligence community to attribute it to the Russian government, nor were we on October 7th.
We said it was coming from a Russian business, but we weren't then in a position to say it was the Russian government. We later said that, however. But I can tell you that, in addition to these public statements, and in addition to the work of our people, we were beating the drum pretty hard, beginning with a conference call I had with every State secretary of state on August 15th. The good news is that by Election Day 33 states actually came in and sought our cyber security assistance, and 36 cities and counties came in and sought our cyber security assistance in the time permitted. Very definitely, Senator, as we look back on the experience two years later and we have a much clearer picture of the full extent of what the Russian government was doing, there could have been additional efforts made. But I'm satisfied that at the time this was a front-burner item for me and I was repeatedly making public statements warning State election officials about the threat we were facing as it was evolving.
Senator Collins. Secretary Nielsen, at this point, we know for certain that the Russians were relentless in their efforts and also that those efforts are ongoing. And yet, when I listen to your testimony I hear no sense of urgency to really get on top of this issue. When we held our last hearing in June, I was dismayed to learn that not a single chief State election official had received a security clearance nearly eight months after the 2016 election. We already are in an election year. We've had the by-elections in Virginia and New Jersey; we've had special elections in Pennsylvania and Alabama; our Maine primary is in June. What specifically is DHS doing to accommodate what you said was sponsoring three officials per State for clearances? That's 150 officials. How many have actually received the clearances, and what specific actions did you take in the elections that have already occurred?
Secretary Nielsen. Yes, ma'am. Thank you for the question.
Let me just first start by saying not only is this of extreme urgency to the Department, but, as you know, we're expending not only extraordinary resources to provide any support at the request of states, but we are prioritizing election efforts and risk and vulnerability assessments for our partners in State and locals over all other critical infrastructure sectors. With respect to the security clearances, we've done two things. We've worked out a process with the inter-agency such that if we have intel we will read in the appropriate State election officials that day, so we're not waiting for clearances. If we have something to share, we will read them in and share it that day. With respect to the clearances, we are doing our best to speed up the process. We've prioritized them, as I said, over other clearances for other sectors. We have about 20 that have received the full clearance. We're granting interim secret clearances as quickly as we can.
Senator Collins. Twenty out of 150?
Secretary Nielsen. Yes, ma'am. And so we look--I've spoken with the Chairman and the Vice Chair just before. We certainly look forward to working with this committee government-wide on how we can speed up the security clearances. But the good news, again, is if we have something to share we will share that day. With or without a clearance, we'll read them in and share it. So it won't limit our ability to get the information to them any longer.
Chairman Burr. Senator Heinrich.
Senator Heinrich. Thank you, Chairman. Secretary Nielsen, Secretary Johnson said in his testimony just now that he agreed with the committee's recommendations. Do you share that view?
Secretary Nielsen. I do, yes. And as I said in my opening remarks, I look forward to working with you on implementing them. As you know, some of them aren't DHS, so I will be happy to advocate and support efforts throughout government.
Senator Heinrich. Thank you.
Secretary Johnson, I know hindsight is obviously 20/20, but looking back, knowing what you know now, what might have you done different or advocated differently in the run-up to the 2016 election?
Mr. Johnson. Well, the thing that I advocated for most strongly and that others, obviously including the President, agreed with was prior to the election we needed to inform the American people about what we saw. Some people say we should have done so sooner, but it was not an easy decision. With the benefit of two years' hindsight, it does seem plain, given the testimony in this room last month, that the Russian effort has not been contained; it has not been deterred. In my experience, superpowers respond to sufficient deterrence and will not engage in behavior that is cost prohibitive. Plainly, that has not occurred and more needs to be done. With the benefit of hindsight, the sanctions we issued in late December have not worked as an effective deterrent and it's now on the current Administration to add to those and follow through on those.
Senator Heinrich. So do you think, for example, having a very clear, articulated cyber doctrine would be an important part of sending that message of deterrence?
Mr. Johnson. Yes, I agree with that. Yes.
Senator Heinrich. Secretary Nielsen, are you concerned that over a year into this Administration and despite the urging of people on both sides of the aisle on multiple committees, that we still don't have a clear administrative doctrine that draws some--that says to the Russians or others that there will be consequences if you cross this line into our elections?
Secretary Nielsen. I agree with your comments yesterday at the press conference, sir. As you know, we have an Executive Order 13800 that requires us to develop just that. Working with the intel community, I look forward to supporting their efforts. It does need to be whole-of-government.
As the Secretary is saying, we have sanctions, but we need to continue to look at diplomats, we need to look at indictments, we need to look at what we can do under OFAC. It needs to be very clear that there are consequences when countries meddle in our affairs.
Senator Heinrich. I don't disagree that it needs to be whole-of-government, but one of my concerns is that no one's saying, ``The buck stops here.'' We keep hearing ``whole-of-government''; we heard it in our worldwide threats hearing recently. But, someone has to take the responsibility to make this happen. How many Cabinet meetings have been focused on the whole-of-government strategy to make sure that in 2018 this doesn't happen again?
Secretary Nielsen. We have had a number of them. We actually have a number coming up. But I take your point. I am a very strong advocate of making it very clear who has the lead within the Federal Government for this particular issue.
Senator Heinrich. How important is it--you know, one of my concerns is that we won't be able to get State and local officials to take the Russian cyber threat or other cyber threats seriously unless they consistently hear from the highest levels of government that this is real, that their systems are truly at risk, that they need to prepare. Director Nielsen, do you have the support you need from the White House to persuade those officials to take this seriously?
Secretary Nielsen. I do, yes. And I think one of the lessons we've learned is to make sure that those messages go far and wide. So I've briefed the homeland security advisors; I've briefed governors, in addition to the State election officials and secretaries of state. But to your point, within the states, because of our decentralized system, it's very important that everyone at senior levels understands the threat and is briefed in.
Senator Heinrich. Would it help if the President were to simply acknowledge that this happened in 2016?
Secretary Nielsen. Yes, sir.
I think he has said that it's happened. What he's--the line that he's drawing is that no votes were changed. That doesn't mean there's not a threat. It doesn't mean we need to do more to prepare.

Senator Heinrich. Secretary Johnson, in your view, how important is it for the President to articulate and acknowledge that this happened so that people take it seriously?

Mr. Johnson. Very. The President of the United States is the most visible American, maybe the most visible person on the planet, and the things he says and does are watched very, very closely, so I would agree with that.

Senator Heinrich. Thank you, Chairman.

Chairman Burr. Senator Lankford.

Senator Lankford. Thank you both for the work that you have done to be able to support the Nation. I appreciate you both being here and both being on this panel together. I appreciate that very much. The decentralization of our election systems is exceptionally important, and one of the key aspects that we've tried to work through on recommendations is maintaining the states' control of elections. Both of you have affirmed that. Both of you have also affirmed the recommendations that we have put in place. I appreciate that. We've worked with DHS; we've worked with secretaries of state around the country, to try to be able to pull these recommendations together to be able to do it, including streamlining the communications between DHS and each of the states, updating to voting equipment that can be, and voting systems that can be, audited after the fact to just get verifiable information in that system. So, we think that's exceptionally important. Secretary Nielsen, can you affirm to me that there is no effort from the Federal Government right now to be able to federalize our elections, and that the focus is still on working with states to be able to support them and the work that they're doing to be able to run their elections?

Secretary Nielsen. Absolutely.

Senator Lankford.
Talk to me a little bit about, Secretary Nielsen, about the classifications and getting classified information to individual secretaries of state. This was a struggle in previous times, during that election time period, getting information out. What would make a difference now, having clearances for individuals in the states and being able to communicate with them? What can you give to them with clearance that you couldn't give to them without?

Secretary Nielsen. It's a good question. We've done a lot of work on three related processes over the last year. One is to work with the intel community to declassify information. As you know, some of the information does not originate within DHS, so we need to work with our partners to be able to share it. The second one is on victim notification. We have a role there, but so does FBI and so does MS-ISAC, which in this case the Multi-State Information Sharing and Analysis Center was in some cases the first organization to identify some of the targeting. So, we have to work with whomever originates the information. We all have different roles. So we've worked to pull it all together so that we can quickly notify victims of what has occurred. With respect to your specific question, as I mentioned to Senator Collins, what we've done is we're widely using day read-ins now, so we're not going to let security clearances hold us up. If we have information State and locals need, we will provide it.

Senator Lankford. So, Secretary Johnson, you had some states give you push-back when you talked about things like making states critical infrastructure in their election systems and trying to be able to get that communication. You talked about an August 15th phone call that you had with secretaries of state to be able to talk to them. Talk me through what happened in that August 15th phone call? Is that a normally scheduled phone call? Was there consistent communication?
And the things that Secretary Nielsen's dealing with now and that two-way communication that's much needed and that trust relationship, some of the things that you faced as well trying to be able to maintain trust with State election officials?

Mr. Johnson. Incidentally, Senator, last year, last summer, I had the occasion to drive across country and return to Oklahoma City, to the memorial there.

Senator Lankford. And thanks for being there, again.

Mr. Johnson. So August 15th I was considering designating election infrastructure critical infrastructure, which the Secretary of Homeland Security has the authority to do. But I wanted to talk to State election officials about it first. I was, frankly, surprised and disappointed that there seemed to be a lot of misapprehension about what that would mean. I said to them a number of times that what it means is that we prioritize providing assistance to you if you ask. This is voluntary. It's not a Federal takeover; it's not a binding operational directive of any sort. And the reaction I got was largely neutral to negative; and so the priority had to be getting the states to come to us to seek our cyber security assistance. So rather than just simply make that designation, which I saw was going to be controversial at the time, we put it aside and encouraged them to come in. And most states actually did by Election Day. After the election, I came back to this issue. A lot of them were still opposed, but I did it anyway so that DHS would prioritize providing cyber security assistance to the states. And when we talk about cyber doctrine, one international cyber norm is that nation-states will not attack critical infrastructure, and so by making election infrastructure part of critical infrastructure they get the protection of the international cyber norm.

Senator Lankford. Thank you.

Chairman Burr. Senator Harris.

Senator Harris. Thank you.
Secretary Nielsen, at a roundtable 42 days ago at the Homeland Security Committee meeting I asked Deputy Secretary Duke and Undersecretary Krebs whether DHS is prioritizing risk and vulnerability assessments for the states. I didn't get a clear commitment that you are. I'd also like to know, have you received the request that we made for a timetable for those assessments? Because we've not received a response to that request.

Secretary Nielsen. Yes, ma'am. We are prioritizing. We have 19 that are State and localities that have either been completed or are in process. We continue to offer the assistance, but we have made the commitment and prioritized the resources that any State or locality that requests that, we will have it completed before the midterm election.

Senator Harris. Do you have a date for completion?

Secretary Nielsen. Well, of the 19 I can get back to you, but those are the only ones who have requested so far.

Senator Harris. Can you commit to completing all these assessments by June 1st, which would be five months before the election?

Secretary Nielsen. Depending on who requests. But I'm happy to work with you on timelines as soon as we get a request.

Senator Harris. And of the number you mentioned you said have been completed or in the process.

Secretary Nielsen. Yes, that's correct.

Senator Harris. How many have been completed?

Secretary Nielsen. To my knowledge, 15. If that's not correct, I'll ask Jeanette Manfra to correct me when she speaks.

Senator Harris. Okay, because you earlier said in the process of or have been completed.

Secretary Nielsen. That's right. So I believe 15 have been completed. But again, she'll verify if I have that number wrong.

Senator Harris. Okay. Well, we heard from her yesterday and she said that 14 are in the process.

Secretary Nielsen. Okay. That's 19 total.

Senator Harris. Can you follow up with how many have actually been completed?

Secretary Nielsen. Sure. Sure.
It's also a little confusing because, of course, they're states and localities. So 19 is states and localities.

Senator Harris. Okay. My question concerns states. Thank you.

Secretary Nielsen. Perfect.

Senator Harris. Is there a protocol for following up to ensure that the reforms that you recommend have actually been completed?

Secretary Nielsen. We do continue to work with them through hygiene scanning and others.

Senator Harris. Is there a protocol to do that?

Secretary Nielsen. That is the protocol that we offer. But again, it's all voluntary, so it's not a mandatory check.

Senator Harris. Okay. In the intelligence community there is a concept called "duty to warn." And, Secretary Johnson, I'd like to ask you--and essentially the concept is that, if a Federal agency learns that a person is at a risk of imminent harm or an entity is at risk, that they should be informed, and obviously without giving up critical information that we have in terms of sources and methods. Do you believe in the future that the Department should have a duty to warn states if the Department of Homeland Security is informed that there are imminent cyber security threats to their election systems?

Mr. Johnson. Yes, absolutely.

Senator Harris. Secretary Nielsen, do you agree with that?

Secretary Nielsen. Yes.

Senator Harris. Will you commit, then, to this committee that you will in fact warn those states when you become aware of imminent threat to their cyber security systems for elections?

Secretary Nielsen. With the inter-agency, yes, ma'am.

Senator Harris. Okay. And when you learn of these threats, will you also commit to informing immediately congressional committees, and particularly the Intelligence Committee?

Secretary Nielsen. As you know, we--we will work with you on that. As you know, the entire process is voluntary.
What we find is when we notify others of who the victims are, unfortunately it has a chilling effect and we no longer get the information from those who have been attacked. So we'll continue to work with you on how to do that.

Senator Harris. So my question is will you commit to specifically informing the Senate Intelligence Committee when you become aware of those threats?

Secretary Nielsen. We'll continue to work with you on the best protocols for that, yes.

Senator Harris. So the answer is yes?

Secretary Nielsen. The answer is it's very difficult if a State does not want to be identified because it's a voluntary relationship. I don't want to do anything that would limit our ability to understand who is being attacked. So we'd have to work with the victim, just like we do in any other sector, and work with you to make sure that we do it in the right way.

Senator Harris. Would you commit to informing your oversight committee, which is the Homeland Security Committee of the United States Senate?

Secretary Nielsen. I understand your question, and again we'll have to work with the victims. It's a voluntary system.

Senator Harris. You sit on the Principals Committee of the National Security Council, is that correct?

Secretary Nielsen. I'm a member, yes.

Senator Harris. Okay. And that committee is comprised of Cabinet officials and is responsible for advising the President and coordinating policy on America's most serious national security challenges. Has the Principals Committee held a meeting focused on the security of the 2018 election?

Secretary Nielsen. I myself hosted it, yes.

Senator Harris. And when did that meeting take place?

Secretary Nielsen. A few weeks ago.

Senator Harris. And what decisions were made regarding election security?

Secretary Nielsen.
That State and locals remain in charge; that DHS needs to continue to expand our tool kit of what we can provide in support; that we need to work on tear lines, we need to work on victim notification, we need to work on clearances, and we need to work on communications to make sure that the public is aware of the threat.

Senator Harris. And did you indicate timelines and due dates for what should happen before the 2018 election?

Secretary Nielsen. Well, clearly everything should be done before that, but yes, for each one of those we have an agreement on a path forward with a timeline.

Senator Harris. Will you provide that to this committee?

Secretary Nielsen. Happy to.

Senator Harris. Thank you.

Chairman Burr. Thank you, Senator Harris. The Chair would recognize himself, and then the Vice Chairman, and then members based upon seniority. Secretary Johnson, I remember very clearly when you called a Gang of Eight meeting for the notification. And if I remember my timing right, I think Senator Reid actually might have had a brief the end of July because he happened to be in town. And when everybody got back, the 1st of September, you sat down with us and sort of presented us the scenario, and at that time talked about the critical infrastructure designation. It was followed some weeks after that by an all-members brief in the Senate; I'm sure it was in the House, as well. And I think you alluded to the fact that that was not received by the states or election officials, the critical infrastructure designation. In hindsight, for us knowing going forward, was that a mistake to even mention that? Did that taint the pool of their trust with us, with government, and maybe what the intent was on their part?

Mr. Johnson. Well, we put it aside; and I was very pleased with the level of participation that we got. I thought it was important--I thought that the critical infrastructure designation, frankly, is something we should have done years before. It made so much sense.
I think that the disadvantage we had with the timing was that it was in the midst of an election year and a rather heated election year. So I did put it aside, but then I, just before leaving office, came back to it because I thought it was something important to do. But in answer to your question, Senator, I think that we were able to build, in the time permitted, a pretty constructive relationship with a lot of states, red states and blue states, that all came to DHS to seek our assistance in the election season.

Chairman Burr. I appreciate that. Even Secretary Nielsen's reluctance to be able to say, "I would definitely do it this way"--let me just say, in our hearings we've found that states do not want a critical infrastructure designation, that there's a red line there. And I think we've learned as this has gone on. We've seen it. It's visceral. It's something that can be overcome with trust, and I think that's why as we produce benefits to the customer, which is any official or locality that has an election, then we gain a little bit more trust, we gain a little bit more ability to play a bigger role in the partnership, but not in taking over. I want to make it clear: Our recommendations do not intend or suggest that the government take over elections. It's not the Secretary or the Department's view of that, and it wasn't from the last Administration. But that designation did affect their willingness to come in and ask for help and suggest where problems were that they saw. Let me ask both of you. We'll start with you, Secretary Johnson. In 2016, were there any votes that were affected by this intrusion into any system in America?

Mr. Johnson. Not to my knowledge, sir.

Chairman Burr. Secretary Nielsen.

Secretary Nielsen. We have no evidence that any votes were changed.

Chairman Burr. Secretary Nielsen, looking forward ahead to 2018, what is DHS's current estimation of the threat to our elections from Russia or any other hostile actor?

Secretary Nielsen.
Thank you for the question. I think, as you've noted, many of you in the press conference yesterday, unfortunately, once these vulnerabilities have been made clear, it's not just Russia that we have to worry about. These are vulnerabilities and attack vectors that any adversary could pursue. So we think the threat remains high. We think vigilance is important, and we think there is a lot that we all need to do at all levels of government before we have the midterm elections. I will say our decentralized nature both makes it difficult to have a nationwide effect, but also makes it perhaps a greater threat at a local level. And of course, if it's a swing State or swing area that can in turn have a national effect. So what we're looking at is everything from registration and validation of voters, so those are the databases, through to the casting and the tabulation of votes, through to the transmission, the election night reporting, and then, of course, the certification and auditing on the back end. All of those are potential vulnerabilities. All of those require different tools and different attention by State and locals. The last thing I would just quickly mention is we all continue to work with State and locals to also help them look at physical security. They need to make sure that the locations where the voting machines are kept, as well as the tabulation areas; they need access control and very traditional security like we would in other critical infrastructure areas.

Chairman Burr. I thank both of you. Let me just say for the public's education, there's a clear distinction between what we're here to talk about today, which is the election process and how an outside actor could impact or influence that, versus, say, Russia's distinct campaign at societal chaos and their use of social media platforms. That's another area of investigation by this committee.
But this particular area is focused on the elections and the process of one vote and it counts and that there's accuracy in that count. Vice Chairman.

Vice Chairman Warner. Thank you, Mr. Chairman. I want to follow up on some of the line of Senator Harris' question. And I'm sympathetic to the notion that you've got to have this collaborative relationship with the states, and I think the recommendations put forward by our members don't want to take over the Federal elections. But for both of you, because we know this is such a serious problem, because we know the Russians are and potentially others are coming at this, I think it is critical that, even if you don't want to highlight this, someone needs to highlight those states or localities that perhaps choose not to participate or not to move to a paper trail. You know, I have empathy for Secretary Johnson's notion of calling elections critical infrastructure. I think they are, but I get the notion of the pushback. So how do we work through that? And I believe the public does have a right to know if their State or if their community basically is ignoring this problem. Briefly, from both, if you could?

Mr. Johnson. Senator, there's actually a role for the United States Senate to play in this.

Vice Chairman Warner. We're trying.

Mr. Johnson. During 2016, if I had resistance from a State I would call one of you and say: "Would you please call your governor? Would you please call your secretary of state and tell them that they really need to come to us for assistance?" I did have that conversation with at least one Senator, I recall very distinctly, and I thought it was effective.

Vice Chairman Warner. Secretary Nielsen.

Secretary Nielsen. I agree. I would say that there are 33 states right now who have their voting systems certified by EAC. I think that's important. We should seek for all states to do that.
There's 35 states that require it by law, so we'll continue to work with EAC on those voluntary voting system guidelines. But DHS is also working on our own baseline that would be a much more comprehensive look at all of the cyber security aspects within the election process. We intend to provide that to you and we intend to ask states to meet it. We have two states who aren't working with us as much as we would like right now. We're working through that. But yes, our intent would be to go to those congressional delegations and get some help from you.

Vice Chairman Warner. I think it's very important, because I understand you've got to have a cooperative relationship, but I do think our constituents, our voters, need to know if a State or a jurisdiction is not stepping up.

Secretary Nielsen. I agree.

Vice Chairman Warner. We've talked a lot about the actual voting machines, and Senator Wyden may come to this issue when his time is up, but when you look at an overall State or locality's voter file, oftentimes those voter files are maintained by an outside vendor. Many of those outside vendors then collect all the information at a single point. So you may not have to go through simply the State system, but you could actually attack the vendors. Could you address what we're doing to try to upgrade security at the vendor level?

Secretary Nielsen. Sure. We're working with vendors on supply chain, so we have launched a voluntary supply chain initiative within DHS across all sectors, but also to help the vendors understand the part and parcel that comprises the machines that they sell, that they offer. We also have a system or a program called Enhanced Cyber Security Services. It's a version of our EINSTEIN program, where we take classified indicators and we offer that through the private sector to vendors and states alike. We have six states taking us up on that and multiple vendors within the vendor community.

Vice Chairman Warner.
Well, I would make a request that, again similar to the states and localities, if there are vendors who are unwilling to cooperate or upgrade their security, I think it's critically important that this committee and other committees know so that perhaps we can bring pressure, as well. I think that is an enormous vulnerability. We've looked at the systems, but I think the vendors who service those systems. And I hope, Secretary Johnson, you would agree with that. Let me get to one other area. Our committee's investigation has been about election systems and security and how we can protect ourselves going forward. One area that we know where the Russians penetrated in 2016 was actually the campaigns, their ability to hack into the----

Secretary Nielsen. Right.

Vice Chairman Warner [continuing]. The DNC and release that information on a selective basis. Campaigns in many ways are the ultimate startups. They have very little security built in. This does not fit neatly into any governmental oversight, but do you have recommendations for us? The policy recommendations so far have been around systems, but should there be basic cyber hygiene guidelines for campaigns? And I'd like to hear from both of you on that topic.

Mr. Johnson. Yes, Senator, and the answer is yes. Campaigns are not immune from nation-state surveillance, nation-state hacking. I was very specific in not including political campaigns in the critical infrastructure designation because I didn't think it was appropriate. But, you know, you could go on with a long list of infrastructure that needs certain basic best practices, whether it's a political campaign, a utility, an academic institution. So I would agree with that, yes. We've seen a number of instances where political campaigns, the e-mail systems of campaigns, have been hacked and data information has been stolen, going back years, as you know.

Vice Chairman Warner. And recognizing it's voluntary. Secretary Nielsen.

Secretary Nielsen.
I completely agree. We are offering a variety of services there, as well: the hygiene scanning, as you mentioned, as well as just basic redundancy planning. Again, the issue here is that the information in the voter rolls, the databases, might be changed in some way, so having some way to audit that, to have redundancy, resiliency. We're working on planning with them and helping them understand best practices for just basic continuity of operations. But yes, you're hitting on another vulnerability that should be considered.

Chairman Burr. Senator Rubio.

Senator Rubio. Thank you both, thank you both for being here. This is an important topic that I think is misunderstood. A lot of people focus on it as far as did they change the results of the election. So I sat down last night and I thought to myself, you know, if you were to write, what's a hypothetical that could point to people how serious a problem this can become in the future? So here's a hypothetical scenario and I want you both to kind of opine whether that's something that could happen and whether I'm right in my assumptions, all right? So let's assume for a moment that the year is 2020 or 2024 and there's a foreign leader who's tired of being lectured about democracy in their own country and they decide they want to create chaos in the United States and create doubts about our legitimacy. So he or she orders an operation against our presidential election. And now for the last five or six years this foreign power has identified ways to penetrate election officials at the State and the county level across America. There are so many of these that there's just this target-rich environment. One of the things they've perfected over the years, for example, in this hypothetical, is the ability to inject misinformation into the bloodstream of the internet, and they watch as this misinformation spreads like a virus until a significant number of people believe it.
They've also perfected, by the way, strategic leaking of altered or factual information, which the mainstream media picks up on and it fits perfectly into the red-versus-blue dynamic that plays out on cable news, making them unwitting agents. So the plan of this foreign power in 2020 or 2024 in this hypothetical would not be to change the election results; it would be to create doubts about the validity of the election. And then spread those doubts using social media and media driven by red-versus-blue conflict, and ultimately call into question the legitimacy of a new President and potentially even trigger a constitutional crisis. So what they do, is they penetrate the voter database of local election officials in strategically located counties or states. And then they use analytic information they may have gotten from who knows where to identify specific voters, or maybe just party registration, maybe the stolen data of a campaign with identified supporters. And they use that information to go into the database and they change the addresses of individuals; thereby their precincts move around. Maybe they even delete some people from the rolls. The result is that on Election Day we start getting reports about thousands of voters in different parts of the country who can't vote because when they show up they're not registered, they're not in the system. Or they show up and they're told that their voting place is halfway across town somewhere else. Interestingly, a significant number of these voters who start complaining about this happen to be either of the same party or at least self-identified partisans of let's just call it Candidate A, and they live in a county or in a State that miraculously happens to be controlled by government officials of the opposite party. So these reports start getting out there and suddenly, magically, a bunch of these names on social media start spreading all these reports about what's going on on Election Day. 
Here's the other thing this foreign government's been able to figure out. This is all hypothetical. They've ultimately been able to mess with the system that kind of posts the results early, not the ultimate results, but just like unofficial results. And so that evening these results start coming up and, surprisingly, Candidate A is doing better than Candidate B, and people are surprised by it. But then the official results come back and it's a total reversal. So what happens, as you can imagine, at that point is Candidate A refuses to concede. There's this all-out fight going on in American society. In the months to come millions of people march on Washington to try to force the Electoral College not to certify. The reverse millions come out the other side. Come January, we don't even know if we can swear in a President. The military doesn't know who the commander-in-chief is. We're in an all-out constitutional crisis, total chaos. For the first time in 200-and-something years, the American republic is under duress from the inside out. That sounds like something from a novel or a drama, a dramatic presentation in the movies. How far-fetched is this, given the capability of foreign adversaries? Is this not the central threat that faces us when it comes to elections and the integrity of our election systems? And the reason why I ask is not because anyone on this committee doubts it, but because we also have local, State officials across the country who do not have this perspective, this broader perspective. To them it's just about whether or not they could change the tallies. You don't have to change the tallies to create all-out chaos. Is that not the central threat here?

Mr. Johnson. Yes, Senator. I actually believe that the first half of your hypothetical was not a hypothetical.
The second half of your hypothetical, insofar as votes, was my biggest concern in the fall of 2016 when we saw the scanning and probing around voter registration data, and that's a very real threat in my judgment. The other point I'd like to make about your hypothetical: In the fall of 2016, prior to the election, I thought long and hard about where the single points of failure are that could create that scenario. And the thing that occurred to me was Associated Press. Associated Press for years has been the entity on which we rely to report State election results to the rest of the media. So I actually picked up the phone and called the CEO of the Associated Press to go over with him to ensure that he had enough redundancies in their system if there was a failure on election night, and I was satisfied that they did. But it's something to also focus on. But I think your hypothetical is a very good one and I think all Americans should be concerned about it.

Secretary Nielsen. I agree. I think what you have highlighted are all the various parts at which we need to make sure that we are securing the system, because any one of those, as you say, can create that doubt, which in and of itself is perhaps what the adversary is trying to accomplish. So from a DHS perspective moving forward, we're looking very carefully at how we can help entities at all of the places that you described protect their databases, as we saw in the summer of 2016 with the Structured Query Language, the SQL injections and attempts to manipulate the databases. We'll be scanning for that should someone take us up on our offer. Provisional ballots become very important for the reasons you've described. States should plan for what happens on Election Day if a variety of voters appear and suddenly they're not on the rolls but believe that they should be. We will have people in SOCs throughout the country.
We will be stood-up 24/7 on any Election Day to provide immediate instant response should anything come up. And then, as the secretary mentioned, on election night it's very important to work with AP and others before the election results are formally certified and audited, to ensure that there's not information that's put out. So what I would suggest is that we all look at what you would call a hypothetical, but as the secretary rightly points out, is probably closer to a very good possibility, and walk through each of those and make sure that we are providing the tools and resources we need to State and locals so that they can prevent, identify, track, and then respond to any such issues.

Chairman Burr. Senator Rubio said "hypothetical," but if I hear he's doing a book tour we're going to all claim royalty off of it.

[Laughter.]

Chairman Burr. Senator Feinstein.

Senator Feinstein. Thanks, Mr. Chairman. I think Senator Rubio hit the nail on the head, and I'll tell you what surprises me. First of all, Secretary Johnson, it's great to have you back again. I enjoyed working with you, and so welcome. Let me ask you this first question. I don't understand. You learned about this in August. You did a number of specific things. You spoke about the dates that you did these things. And yet the American people were never told. Why?

Mr. Johnson. Well, Senator, the American people were told.

Senator Feinstein. Not sufficiently in any way, shape, or form to know that there was a major active measure going on, perhaps by a foreign power.

Mr. Johnson. On October 7, 2016, the Director of National Intelligence and I issued a pretty blunt statement saying that the Russian government was interfering in our political process, directed by the highest levels of the Russian government. That was a pretty blunt statement. Some people believe we should have done that sooner. Frankly, it did not get the attention that I thought it should have received.
It was below-the-fold news the next day because of the release of the Access Hollywood video the same day and a number of other events. I was expecting follow-up from a lot of journalists and we never got that because everyone was focused on the campaign and that video and the debate that Sunday. Senator Feinstein. As I recall, I was Ranking and, as I also recall, Senator Burr and I and a couple of others had Mr. Brennan in--not Coats--well, it was Brennan, it was the head of the--it was Comey, and it was Clapper who laid it out to us. Now, this was highly secret. Subsequently, it became known that there were 21 states that in fact had been pierced. But that information as to what states has not been released. So when we first heard, it was highly secret, in a SCIF. We could say nothing about it. And even now, where I see no reason that 21 states can't be released as having been even possibly pierced by an active measure of a foreign country at this time, so those states would at least know that maybe they should take a look and do something about it. If either of you can answer that--it's not in a question form, but I think you know where I'm going, because if we're told and it's all classified we can say nothing. If this is being done by the Administration to prevent it from being released, nobody can protect themselves. Mr. Johnson. Senator, two things. First, as Secretary Nielsen pointed out, very often the victims of a cyber attack are extremely sensitive to the fact of a disclosure that they were the victims of a cyber attack, and that was true in this circumstance. I also know and recall that in 2016, when we were working with the states, every State or every State owner of a system that had been targeted, was informed either by DHS or the FBI or through the MS-ISAC, the information-sharing organization. Senator Feinstein. But it was never made public, Mr. Johnson. Ms. Nielsen, I don't understand why the same thing persists. 
I mean, this ``victim'' sort of appellation--America's the victim and America has to know what's wrong. And if there are states that have been attacked, America should know that. So this ``victim'' answer with me has no credibility at all. Secretary Nielsen. As you know, the 21 states themselves have been notified. But I take your point. Senator Feinstein. But the people have to know. If my State is notified, I better see that they do something about it. Everybody thinks, oh, it's some other State. Secretary Nielsen. Right, I understand. I look forward to reading your report and finding out what you heard from the states. I think what I was trying to explain earlier is, unfortunately what we've seen in other sectors---- Senator Feinstein. There was no report. Secretary Nielsen. The one that you're working on, I'm sorry, the report. I just look forward to reading it to see what you've--because I know you've talked to many of the states yourselves. But what we've seen, unfortunately, throughout the last 15 years at DHS is, when it comes to this situation the victims stop reporting. When they stop reporting, we're just not aware of the attacks. Not only can we not help them, but we can't help other victims that are likely to be victimized in the near future based on the same vulnerabilities. So we have to balance that. I really look forward to working with you on this. I take your point. We've got to find a way to encourage reporting and encourage cooperation while also making it transparent. Senator Feinstein. But I think states have to know that it's going to be known by the public if they don't. And if it's never made public, I'll bet you you have a bunch of states: Well, we've invested in this and we're not going to do anything about it now, and we'll see what happens in the future. I'll bet that happens in some places, and you're enabling it. Secretary Nielsen. Well, I think what we're doing at DHS is we'll come out with this. 
As I mentioned before, EAC has guidelines, but we're working on a baseline that's much more comprehensive. What we will do is not only tell states that that's our best recommendation at what they need to meet, but we'll be very transparent as to the states that don't meet it. So we will do that. From a preparedness side and a prevention standpoint, we will make clear what states need to do more. But in terms of moving forward, yes, we need to work on this issue of the notification. Chairman Burr. Senator Feinstein and I were faced with a similar task as it related to cyber security legislation. Do you make it mandatory reporting? Do you make it voluntary? If you make it voluntary, what latitude do you have to make public disclosures of who has turned in information? And we decided with that legislation that voluntary was the best approach for cyber reporting and it was up to the companies then whether they wanted to make public acknowledgements. I think all of us know that the banking system is riddled with intrusions, but no financial institution in America wants to go out and that to be public. So we do have a predicament. Senator Feinstein. And that may change. Chairman Burr. That may change. The committee is committed to work with the Department of Homeland Security to continue to make our system better. Senator Blunt. Senator Blunt. Thank you, Chairman. Well, you know, we do know that the fabric of democracy is people's belief that what happened on Election Day was what actually happened, so securing those systems, important; securing the systems of registration, important. Secretary Johnson, you mentioned, following Senator Rubio's great hypothetical of what clearly could happen, you said it's not hypothetical. Now, you didn't mean by that that this is what happened, did you? Mr. Johnson. I thought that the first half of Senator Rubio's hypothetical, as I heard it, was real---- Senator Blunt. You think that---- Mr. Johnson [continuing]. 
Insofar as the misinformation campaign that he described. Senator Blunt. I thought what you were talking about was the infiltration of the registration systems. Mr. Johnson. No, no. That was my--that is hypothetical, but it was my biggest concern in 2016. Senator Blunt. Well, it is a concern. There's no doubt about that. At the same time, we've never had an election where--let me see if I can find your quote, Secretary Nielsen--where a number of voters didn't appear on Election Day who were not on the voting rolls but thought they were. I was a State election official; I was a local election official. There is never an election where lots of people don't show up, particularly a presidential election, and they're sure they should be on the rolls---- Secretary Nielsen. Right. Senator Blunt [continuing]. But often there are reasons that they're not on the rolls. Most states that didn't have a provisional opportunity to cast a ballot before 2000 I think added one after 2000. So that voter almost always is allowed to cast their ballot. If this needs to be judged in some way, it's done after the election. Sometimes it's easily figured out. Sometimes it turns out that the voter has already voted somewhere else, or the voter lives in another county, or the voter lives in another State. But they get a chance in most states to cast that ballot even if they have--if there's a question about whether they're on the voter rolls. I'm much more--I'm concerned about the voter rolls, concerned about the infiltration of the voter rolls. I'm much more concerned that we secure the counting systems. We're going to have another panel to talk about that, that the counting systems themselves be secure. I think it really is critical infrastructure. Secretary Johnson, your August outreach to election officials, did you provide much information as to what it meant to become critical infrastructure? 
Or did they have any reason to really understand why you were making this suggestion of a great change of responsibility 90 days before the election? Mr. Johnson. I went through with them in August in detail what a critical infrastructure designation would mean. And I explained essentially three things: that it prioritizes the assistance that we provide if they ask; it means for a certain greater level of confidential communications between DHS and the states; and it means that they would have the protection of the international cyber security norm. And I stressed at the time that this is all voluntary and it prioritizes assistance if they seek it. Senator Blunt. You know, we're going to have a secretary of state on the next panel who I think was on that call, and I don't believe that's their view of how that conversation went. But we'll see what their view is. The other question when you brought this up before, what would the protection of the international norm be? We've had our Federal personnel records have been--somebody has those. We have all kinds of financial information that's been out there. What good--what is the international norm supposed to provide here that it doesn't appear to provide anywhere else in terms of real protection? Mr. Johnson. The international norm is that nation-states will not attack critical infrastructure. Now, obviously it's incumbent upon the victim State to then do something about it if their critical infrastructure is attacked. But the designation makes clear that we consider election infrastructure to be critical infrastructure like government, like our defense industry, like our financial services industry. Senator Blunt. Well, I don't disagree that it's critical infrastructure. I'm not sure I agree that calling it ``critical infrastructure'' provides much of a level of security right now. My last question for this panel. Secretary Nielsen, you mentioned the Election Assistance Commission a couple of times. 
Do you have concerns that we're moving into an area here where that commission and your agency will not quite know where the--how do we define this in a way that creates the lines of responsibility so that somebody knows who is responsible and what they're responsible for? Secretary Nielsen. Yes. As you know, DHS is working very closely with EAC. We've created a Government Coordinating Council. EAC and DHS sit on that along with a variety of State and local election officials. EAC certifies the systems. EAC has the voluntary voting system guidelines. We're working with them and NIST to update those. They need to be updated. We hope that the final draft will come out next month. We need to continue to work with them to expedite that so that we have a guideline that reflects the current threat. But I would say I think the role between DHS and EAC is clear right now. It's just making sure that we're doing it in lockstep so that we're together providing the assistance that the states need. Senator Blunt. I may have some questions for the record on that topic. Thank you, Mr. Chairman. Chairman Burr. Senator Wyden. Senator Wyden. Thank you, Mr. Chairman. Secretary Nielsen, Secretary Johnson, good to have both of you here. I want to start by talking about the fact, 43 percent of American voters use voting machines that researchers have found have serious security flaws, including backdoors. These companies are accountable to no one. They won't answer basic questions about their cyber security practices, and the biggest companies won't answer any questions at all. Five states have no paper trail, and that means there is no way to prove the numbers the voting machines put out are legitimate. So much for cyber security 101. My question to you, for Secretary Nielsen, is: Does your agency have the authority to mandate basic cyber security in the electronic voting machines used in this country? Secretary Nielsen. No, sir. Senator Wyden. Does any agency? Secretary Nielsen. 
Not to my knowledge, not at the Federal level. Senator Wyden. Okay. Now, Americans don't expect states, much less county officials, to fight America's wars. The Russians have attacked our election infrastructure. Leaving our defenses to states and local entities, in my view, is not an adequate response. Our country needs baseline mandatory Federal election security standards, and what I'm talking about here are paper ballots and post-election risk-limiting audits. You and I have talked about this before, and I'd like to get your views for the record of whether you believe the continued use of paperless voting machines in this country threatens our national security and the Department is now prepared to recommend paper ballots. Secretary Nielsen. So yes, sir. If there is no way to audit the election, that is absolutely a national security concern. So we're working with states. There's a variety of ways to do that. As you know, one is paper ballots. One is having a system itself that has a voter-verified paper audit. So in other words, you vote electronically, but the machine spits out almost like a ticker tape, what you voted and you have that for your record, and then we can also have it for a record. So it's a different way of doing it from paper ballots. But yes, sir, we absolutely have to have a way to audit and be able to verify the integrity of the information of the votes. Senator Wyden. I think that sounds like a step in the right direction, because I was just stunned at the brazenness of these voting machine companies. I mean, the biggest one won't answer anything at all. And you've now told us that the status quo is a national security threat. I just want to, before we wrap up, see if we can drill a little bit further into the question of whether you all are prepared to recommend that our country have paper ballots. I think you're almost there. Secretary Nielsen. We have said it's a best practice. We do recommend it. 
What we say is you must have a way to audit. You can do it through paper ballots or you can do it through this voter verification, but you must have a way to audit and verify the election results. Senator Wyden. Are you aware of the way we do it in Oregon and we've done it now for decades? We vote by mail. Everybody gets a paper ballot. There is an audit trail. We've done it for decades. It's been supported by Democrats and Republicans. I'd like in 2020 every American to get a ballot in the mail. I think it is a national scandal, the security issues you've talked about and the idea that so many of our people wait in these lines only to be told they ought to go somewhere else. What do you think of the Oregon system? Secretary Nielsen. So I'm not as familiar with it. I look forward to learning more about it. Some of the issues that, aside from this particular conversation, that have been raised with mail is just making sure that the person who's voting is who we think they are. So we do have to have a way to verify identity. Senator Wyden. We'll show you how to do it because we've done it---- Secretary Nielsen. Happy to learn. Senator Wyden [continuing]. We've done it for two decades, and we basically say right on the envelope: ``If you aren't the person that you say you are, you are in one heck of a bad way. You are going to face serious, serious penalties.'' And that's why it has worked and is supported on both sides of the aisle. Thank you, Mr. Chairman. Chairman Burr. Senator Cornyn. Senator Cornyn. Thank you both for being here. I think it sends a very good message to see both of you sitting side by side and appearing to answer the committee's questions, and appreciate your service to the country. I want to start, Secretary Nielsen, by thanking you for your comments about the bombings in Austin. 
When I talked to Chief Manley at the Austin Police Department the day before yesterday, he told me there were roughly 500 Federal authorities on the ground doing everything they could to identify the bomber. And as we've learned today, he will not be doing that anymore. But it's important to remain vigilant, I think you also said, lest there be some other unexploded bombs out there that he might have planted. I'd like to ask both of you to comment on this. My understanding of our adversaries, whether they be Russia or China, is they view the internet and cyber space far differently than we do. In other words, they view it as a domain for information warfare. They do not allow their citizens to use the internet for the purposes that we use it for, for commerce or for communication between friends and family, to share social media, pictures of grandkids, things like that. They use it as a weapon, and we don't. It seems like we are just constantly playing defense. And while I know today the topic of the hearing has to do with our election systems, and there couldn't be anything more important in terms of securing those election systems, it does raise the question about what is America's national security cyber strategy? I know we learned from the Department of Defense that they are late responding to a mandate in the Defense Authorization Act to respond in terms of their role. But clearly the Department of Homeland Security plays a very important role too, but you're not alone. There are other government agencies that are involved in this question. So what do you think it's going to take, and what do you recommend for the United States government that we do to create an all-of-government strategy to deal with the cyber threat? Maybe start with you, Secretary Johnson. Mr. Johnson. Senator, I think that's a very good question and I think you have to look at several aspects of the problem. 
One, I think that when you're talking about a nation-state actor we have to create an environment of sufficient deterrence to that nation-state. All nation-states will not engage or will refrain from behavior if it's cost-prohibitive behavior, if they know it's cost-prohibitive. The Department of Homeland Security has a role on defense in working with the public to harden our cyber security. I do think that--and I think your question touches on this--our open society, our strength as an open society, is also our vulnerability, and we have to be somewhat careful in going down the road of having U.S. government agencies trying to regulate speech, trying to regulate political speech, political debate. As you know, they do that in other countries. We don't do that here. So the information marketplace and its easy access is definitely a problem for our democracy, but I would hesitate for the U.S. government to go down the road of trying to regulate it in some way. There are matters of Federal election law, to be sure, things that violate Title 18, but I happen to believe that a lot of this has to depend upon self-regulation by internet service providers and social media providers. Senator Cornyn. Secretary Nielsen, do you think we have a national security strategy? Secretary Nielsen. We do. Senator Cornyn. When it comes to cyber? Secretary Nielsen. We do. But, having said that, the White House is working on an update to the national cyber security strategy. An update to DHS's strategy will nest within that. But I also want to just take the opportunity to reaffirm what you said. I think there's two parts to this at least. There's the part we're talking about today, but then closely related to that is the malign foreign influence in general. I agree with Secretary Johnson, we have to be very careful in that conversation about substance, but I think the real issue is who is providing that substance. 
The example that I've used before is: If I read something on the internet or social media, et cetera, and I believe that it's from 50 of my closest friends and neighbors, I might feel very differently if, in turn, I'm told that's from 50 machines in Russia. So it's not so much the substance as it is perhaps Americans need more understanding of who is messaging and the intent behind the messaging. So that is something that the DOJ, FBI, and State Department are leading on, but I do think is a very important part of this conversation. Senator Cornyn. If the Chairman will permit me just one last comment, I think what I also think about is some of the social media companies basically throttling or censoring the news. Since they've become a primary vehicle for people to learn what's happening in the world, if they then take that role of censors, what the implications of that might be. Something for us to think about and talk about maybe in the future. Secretary Nielsen. Yes, we need to be very, very careful. Chairman Burr. Thank you, Senator Cornyn. Secretary Nielsen, your staff has accommodated a slight change in your schedule, if it's okay with you, that we would go for--we've got two members that are here, maybe a third one that might come back for questions. We will finish by 11:15 if you're in agreement. Secretary Nielsen. Okay, yes, sir. Chairman Burr. Thank you. Senator. Senator King. Thank, Senator--or Mr. Chairman. I spent about an hour yesterday afternoon reading the classified draft report of our committee on this subject. All along we've been talking about the Russians penetrating our systems and messing around with our elections. That's not sufficient. What I learned yesterday was horrifying. What we saw wasn't messing around or penetrating. It was a sophisticated, thorough, comprehensive, malign, and malicious attack on our electoral system. 
What worries me is that, although the intelligence is uniform that no votes were changed, they weren't doing it for fun in 2016. What it looks like is a test, and it was incredibly, as I say, thorough and comprehensive. I want to follow up on Senator Cornyn's question. We can patch software systems till the end of time and we're not going to defeat these people. The history of warfare is the history of the invention of new offensive weapons, and then eventually defensive weapons catch up. We saw the advent of a serious offensive weapon in 2016 being used against us. All of the patches aren't going to work if we don't have a strategy of deterrence. And that's the point of the question that Senator Cornyn asked and Senator Heinrich asked, and we don't have that strategy. In 2016 we passed the National Defense Act. It had an amendment requiring the Secretary of Defense by last June to give us the elements of a national cyber strategy. It hasn't happened yet. 180 days from that report was supposed to be a report from the President. Of course, that hasn't happened yet because the first report hasn't happened. This problem is not being treated with the urgency that it deserves, and a deterrent strategy--because the problem now is the Russians send in this whole operation into our election system, into our states, 21 states that we know of, and paid no price. And we've had testimony from admirals and generals and people in CYBERCOM, and they've said: ``Yes, Senator, there's no price that will change their calculation.'' And so, Secretary, I hope when you go back--and by the way, this was a failure of the prior Administration in my view, because we've known this for four or five years, that this was coming. So this isn't a partisan observation. But I hope you'll go back and join with DNI Coats and with Secretary Mattis and the President and make this the highest priority that we have. 
This is, I believe, with the possible exception of North Korea's nuclear weapons, this is the most serious threat that our country faces today and we are not adequately dealing with it. And please expunge from your lexicon the word ``whole-of-government.'' Every time I hear that I think: That means none of government. I want to hear who's in charge and what they're going to do about that. So, Secretary Nielsen, I think you're in a key position. And I hope you'll read this classified report because---- Secretary Nielsen. I look forward to it. Senator King [continuing]. It will terrify you. And then, of course, this is just one aspect of this attack on us. So I believe this is an incredibly important area. Now, let me ask a more specific question. You mentioned earlier--we talked about clearance of State officials and only 20 have been cleared. I hope that can be accelerated, because we've already had several primary elections and we're headed into many more this spring. Do you have plans to try to accelerate that clearance? Because communication won't work if you can't tell them. Secretary Nielsen. We do, yes, sir. It is a problem that is not unique, unfortunately, to this particular stakeholder set, so I do look forward in general---- Senator King. No, you're right. 791,000 clearances that we're behind. Secretary Nielsen. I know. But what we have done is we've worked out the processes whereby, if we have actionable information, we will provide it to the State and local officials on a day read-in. So we are not letting the lack of a clearance hold us back. We're in contact with them. If we have information to share with them with respect to a real threat, we will do so. Senator King. Let me make a modest suggestion, because we're going to have State officials here soon; we've had State officials before. The general reaction is--and I don't want to over-characterize it, but the general reaction is: We're doing a pretty good job; we're in good shape. 
I get the same thing in the Energy and Natural Resources Committee from utility executives: Don't worry; we've got it in hand. I don't believe that. You have the capability--this is my modest suggestion: Create a red team in DHS, a group of really skillful hackers, and hack some of these states and show them how vulnerable they are. Because I don't think they're going to believe it until you show them what your people can do. And that may mean--this country has to wake up, and I just suggest that as a possible technique. You've got some skilled people you can work with, NSA or CYBERCOM, and develop a red team that will kind of shock people into the realization of how serious and how vulnerable they are. Would you consider that suggestion? Secretary Nielsen. We will consider it. We do try to currently get at that through our risk and vulnerability assessments. We have continued to encourage states to take us up on that. That is a comprehensive assessment we do on site. It includes pen testing; it includes wireless access; it includes database. So it gets at some of what you're saying. But yes, sir. We need to help them understand where they're vulnerable, absolutely. Senator King. Well, I appreciate your leadership and really urge you to go back with your hair on fire. Secretary Nielsen. You have an advocate here. Senator King. This is an urgent matter. Mr. Secretary, it's good to see you. Seeing you back reminds me of the old country song: ``How Can I Miss You If You Don't Go Away?'' [Laughter.] It's nice to see you, sir. Thank you, Mr. Chairman. Chairman Burr. Senator Risch. Senator Risch. I think that was meant as a compliment. You need to study the country songs genre a little more, Senator. Look, we've all, you and everybody on this panel have looked at thousands of pages, and done the interviews, and reviewed everything there is. A simple question I have for you. Right now, we pretty much know what happened and everybody's got an idea of what's happened. 
The question I have for you is: Are either one of you aware, or has it been suggested to either one of you, or have you seen any evidence of any kind that any U.S. person was involved in this scheme? Ms. Nielsen. Secretary Nielsen. Not to my knowledge. No, sir. Senator Risch. Mr. Johnson. Mr. Johnson. You have to--I'm sorry to be a lawyer here. Which scheme are you referring to? Senator Risch. I'm talking about the Russian scheme to do what they did as far as attempting to interfere in the elections, the kinds of things we've been talking about this morning, the attacks, the penetrations, and what have you. Mr. Johnson. My recollection of the Special Counsel's indictment is that there were some U.S. citizens included in it. That's my recollection, but I could be wrong about that. Senator Risch. You want to follow up on that? Secretary Nielsen. Just I have no knowledge, if we're talking about the topic of this hearing, which is the hacking of elections, I have no knowledge that a U.S. citizen was involved in that. Senator Risch. Thank you very much. Thank you, Mr. Chairman. Chairman Burr. Senator Manchin. Senator Manchin. Let me just follow up on that very quickly, if I may. Do you all, either one of you all, have any doubt whatsoever, from what your knowledge and talking to the intelligence communities, that the Russians were involved at a higher level than they've ever been involved before? Secretary Nielsen. I have no doubt. Mr. Johnson. No, sir. No doubt. Senator Manchin. Okay. And as a result of the Russians meddling in 2016, I'd fought to ensure the bill passed out of the Senate Appropriations Committee included a directive for DHS to provide technical assistance to State and local law enforcement to secure networks against cyber attacks. 
And before our committee this past year I was shocked to learn that multiple Federal agencies, including DHS, could not confirm that they did not have Kaspersky software in their system after we recognized the threat it posed to our national security. So my question would be, if our own Federal Department of Homeland Security has trouble finding a reliable vendor and relates to a Russian vendor such as Kaspersky, wouldn't you think our cash-strapped states and local partners might have the same problems? Secretary Nielsen. The short answer to that is yes. As you know, we issued a binding operational directive to remove all such products from Federal systems. We do not have authority to mandate that states do that, but we have taken it---- Senator Manchin. Have you removed Kaspersky from yours? Secretary Nielsen. Yes, sir, and we have taken it off the GSA catalogue, as you know, which would allow states to purchase it with Federal funds. Mr. Johnson. I generally agree with what the Secretary said. Senator Manchin. The other thing, Russia or any other country that has been found guilty of meddling in our elections, which I think that we have confirmed by all our intelligence communities, what punishment or what recommendations of punishment or sanctions would you all recommend that would be stringent enough to prohibit that from happening or any other country going down this path that Russia has gone down? Secretary Nielsen. Sir, I can just tell you I think it's a very important question because we have a multifaceted relationship with Russia. We still seek their cooperation when it comes to North Korea, Syria, Iran, for example. So, the consequences and what we do in reaction to their meddling in the election needs to be proportionate, but also needs to be driven in a way that they understand the specific behavior that we are seeking to avoid. 
And as the Secretary said, you know, the hope in general is that the international community continues to recognize that affecting and attacking critical infrastructure of another nation is a red line. As an international community, we all need to hold each other to that and recognize that that is a red line. So from a U.S. government perspective, we've looked at everything from sanctions back from the Obama Administration, to sanctions now, to the PNG'ing of diplomats, to indictments. We need to do more. We need to continue to make the point. Senator Manchin. Well, let me expand on that. Should we treat a cyber attack or intrusion on our government, on our country, if sponsored or directed by a foreign government, which we know was, an act of war? Secretary Nielsen. We need to look at that very carefully. As you know, we have not made that decision as a country, either as a policy perspective or a congressional perspective. But I hope that we can work together and with other parts of the Administration and decide where is that red line. Senator Manchin. Secretary Johnson, do you think that we have deterred Russia from continuing their operations as far as trying to infiltrate our election system for the 2018 election? Mr. Johnson. No, we have not, based on the testimony in this room last month from our intelligence chiefs. Senator Manchin. So we're facing the same, if not worse? Mr. Johnson. Correct. Yes, sir. Senator Manchin. Secretary Nielsen. Secretary Nielsen. Yes, there's no reason to believe they will not attempt again. Senator Manchin. Well, if that's the case then we have a nuclear weapons retaliation policy; shouldn't we have a cyber retaliation policy? Secretary Nielsen. I think that's what some of the members have asked about. Yes, we have an Executive Order 13800 Mr. King was mentioning and Mr. Heinrich, what we need to do in terms of being very specific with respect to our deterrence. You have an advocate here. 
I will go back to my colleagues and the President and make sure that we get that done very soon.

Senator Manchin. We're coming down to the wire on the election, as you all know.

Secretary Nielsen. Agree.

Senator Manchin. The primary, most of our states have primaries very shortly, and November election coming up, and we're faced with the same. And our states don't have the wherewithal in order to deter this if they're hooked to the internet in any way, shape, or form.

Secretary Nielsen. I'm happy to take that message back. As you know, DHS does not do offensive cyber----

Senator Manchin. Do you believe the Federal Government should be involved in helping secure the election process State by State?

Secretary Nielsen. Oh, we are, yes, sir. We are. At their request, we're working State by State, locality by locality.

Senator Manchin. How much money do you all have targeted for this?

Secretary Nielsen. We've asked for another $25 million specifically to help our own resources. But as I've mentioned earlier, we've prioritized these.

Senator Manchin. Do you all have a final recommendation on how you're advising the states to secure their system?

Secretary Nielsen. Oh, yes. We have many, many, depending on all of those different parts that I mentioned earlier.

Senator Manchin. Have they spoken back to you about the money, they don't have the money to either meet the requirements or suggestions you've made?

Secretary Nielsen. In some cases, yes, they have. Of course they have resource constraints. Some of the machines themselves are old, as you know.

Senator Manchin. But it's a concern for the 2018 election?

Secretary Nielsen. Yes, sir.

Senator Manchin. Thank you.

Chairman Burr. Thanks, Senators. Secretaries, we've come to the end of this hearing. And, Secretary Johnson, I'm not a lawyer, so I had to turn to our counsel.
Of the four individuals that have been indicted by the Special Counsel, two were on lying to the FBI; the other two was a mix of bank fraud, wire fraud, mail fraud. So no individual that's been indicted by the Special Counsel. The other indictments--the other charges were directly at the IRA, the Russian facility that carried out. So if that helps to clarify your memory. And let me say to Senator Manchin that it's my understanding that the appropriators have taken care of, in the omnibus bill, an amount of money to be grants and other items-- I don't want to speak for what their language is going to be-- that mirrors the research that this committee did. And I want to thank Shelley Moore Capito, who chairs that Appropriations Committee, for working with our staff, and hopefully I've made a commitment to Secretary Nielsen that we would be more than open to address any other needs as we see those as we move up to 2018 or to 2020. I want to thank both of you for your testimony today and your willingness to appear together. Everybody's said something about it and I think it sends a strong message that the integrity of our election system is not a partisan issue and it's truly the heart of the strength of our democracy. The committee's investigation found ample evidence to agree with DHS's assessment in 2016 that Russian government actors scanned an estimated 21 states and attempted to gain access to a handful of those. In at least one case, they were successful in penetrating a voter registration database. We've heard our witnesses confirm that assessment today. Despite that activity, I need to reiterate that the committee found no evidence of any vote totals that were changed, a finding that was confirmed by our witnesses also today. The committee also discovered that Russian activities directed at the states fell in a seam of our national intelligence infrastructure. 
It was a foreign activity, but carried out on the United States inside the United States, where our intelligence agencies have limited authorities. And I can't stress that enough, that we've got to consider that as we go forward. The intelligence community was therefore almost entirely dependent on the states for the insight into these activities. The committee found that DHS and FBI alerted states to the threat in the summer and fall of 2016, but in a limited way. Our witnesses today confirm that they provided warnings to state IT staff, but notifications to election officials were delayed nearly a year. States therefore understood that there was a cyber threat, but not the seriousness of the scope of that threat. This committee intends, hopefully before the end of the week, to produce an overview of our report that's sanitized, that can be released. The committee's full findings and recommendations on election security will be reviewed for declassification and possible redaction and, when that is complete, released to the American people so that they can make their own judgments about involvement and attempts to intrude into our system. Once again, I want to thank both of you for being here. I want to conclude our first panel. A two-minute break as we bring the second panel up.

[Pause.]

Chairman Burr. I'd like to welcome our second panel here today and I'll say to each of you, thank you for your willingness on a snowy day to either come to Washington, because I know some of you made the trip or to travel through this town that sometimes understands snow removal, sometimes doesn't. So it's always a crapshoot. Our second panel is comprised of: Jeanette Manfra; National Protection and Programs Directorate, Assistant Secretary for the Office of Cyber Security and Communications at the Department of Homeland Security. The only thing that's changed is ``Acting'' is no longer in front of that, and I'm glad for that.
Jim Condos, President-elect of the National Association of Secretaries of States and Vermont Secretary of State. Jim, thanks for bringing this weather today. Amy Cohen, Executive Director of the National Association of State Elections Directors. And Eric Rosenbach, Co-Director of the Harvard Kennedy School Belfer Center for Science and International Affairs. I might add for the record that we also invited a representative of the Federal Bureau of Investigation to participate in today's hearing, but the committee's request was declined. You are the experts on cyber security and elections. And while we just received the big picture assessment, and we're going to rely on you to provide us a great deal more fidelity. Jeanette, I'd like you to provide some details on the services DHS is providing to states and local election officials and what additional resources DHS may need to provide these services comprehensively. Jim and Amy, I hope you'll provide a candid view from the states and from those on the ground who actually run elections. It's critical that we hear what states really need and whether all of this help from D.C. is proving to be valuable. Eric, the Belfer Center has done an in-depth look at states' cyber security posture and has run table-top exercises with election officials. And I look forward, very forward, to hearing your outside assessment of how the partnership between DHS and the states is working. In the interest of time, I'll end my remarks and go straight to the Vice Chairman. But when I recognize you, we will go Manfra, Condos, Cohen, and Rosenbach.

Vice Chairman Warner. Well, thank you, Mr. Chairman. I just want to make two brief remarks. I think the first panel was very good, but I understand this is a collaborative relationship with the states and localities. But I do think, as Senator King has mentioned and I mentioned in terms of my State, there are enormous vulnerabilities.
Based on the Hackathon of last summer, I made sure in Virginia that we took out voting machines that didn't have auditable paper trails. So, recognizing the collaboration particularly between the State and DHS--I'd love to have all your comments on this--how do we make sure that we appropriately noodge or perhaps we as policymakers, we have to call out states and localities who don't participate, who don't upgrade their systems, who don't realize the seriousness of this problem. Not in the way that will fracture the relationship between DHS and the states, but leave that perhaps to us or others. I'd also like to hear your comments on--we focused a lot on the states and localities itself. But there are clearly a whole host of vendors who manage voter files, who provide the equipment. How do we make sure, again, they are actually using best practices; and those that are not, that the states and localities who might hire those vendors are notified that they are not meeting standards of security that are appropriate? So those are the kind of questions I'm going to hope to drill down on. Thank you, Mr. Chairman. I look forward to your testimony, everybody.

Chairman Burr. Thank you, Vice Chairman. Jeanette, the floor is yours.

STATEMENT OF JEANETTE MANFRA, ASSISTANT SECRETARY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, OFFICE OF CYBER SECURITY AND COMMUNICATIONS, U.S. DEPARTMENT OF HOMELAND SECURITY

Ms. Manfra. Thank you, sir. Chairman Burr, Vice Chairman Warner and members of the committee: Thank you for today's opportunity to testify, on this lovely D.C. spring day, regarding our ongoing efforts to assist with reducing and mitigating risks to election infrastructure.
Before I discuss elections, however, I want to take a moment to thank Congress, Chairman McCaul and Ranking Member Thompson of the House Homeland Committee, Chairman Johnson and Ranking Member McCaskill, the Senate Homeland Security and Government Affairs Committee, and this committee in particular, for your long and continued support and legislation in granting DHS the authorities that we need to not only secure the integrity of our elections, but also to do our job in protecting Federal networks and critical infrastructure. These efforts highlight the importance of the creation of the Cyber Security and Infrastructure Security Agency, at DHS, which would see our organization, the National Protection and Programs Directorate, become a new agency under DHS. This change reflects the important work we carry out every day on behalf of the American people to safeguard and secure our critical infrastructure. Again, we strongly support this much-needed effort and we appreciate Congress' action and look forward to becoming the Cyber Security Infrastructure Security Agency. Though I was appointed to this position in July of last year, I have spent the last decade of my career after leaving the Army to advance the Department's cyber security mission within the Department of Homeland Security. During my time at DHS, I have personally witnessed the commitment, dedication and tireless efforts of the men and women to secure Federal networks, critical infrastructure systems and most recently our election systems. During the 2016 elections, the Department used every resource based off of the information that we had to ensure that election officials were receiving the information we could provide them and the services we could provide them to secure their infrastructure. As cyber threats continue to evolve in times of calm and in times of crisis, our network defenders at DHS will never waver in their duty to protect the homeland.
And I'm honored to have the privilege of leading that organization today. I would like to publicly thank them for their service and their excellence, and I look forward to continuing to lead and serve alongside them. Since I last appeared before this committee, the National Protection and Programs Directorate at DHS has continued to lead an inter-agency effort to provide voluntary assistance to State and local officials. This inter-agency assistance brings together the Election Assistance Commission, the FBI, the intelligence community, NIST, other DHS partners and is modeled on our work with other critical infrastructure sectors. Importantly, it also depends on our partnership with the representatives on the panel, whether that's from academia, the National Association of Secretaries of State, or the National Association of State Election Directors. Since 2016, we have learned much from our State and local partners; and in the efforts we undertook to assist them in 2016, we've worked to refine and improve our partnerships and our services. Securing the Nation's election systems is a complex challenge and a shared responsibility. There's no one size fits all solution. Our Nation's election systems are managed by State and local governments in thousands of jurisdictions across the country and they must remain that way. State and local officials have already been working individually and collectively to reduce risks and ensure the integrity of the elections they're responsible for running. As threat actors become increasingly sophisticated, DHS stands in partnership to support the efforts of these officials. Through these collective efforts, we've made significant progress by creating government and private sector councils who collaboratively work to share information, promote best practices, and develop strategies to reduce risks to the Nation's election system.
The recently formed Election Infrastructure Information Sharing and Analysis Center facilitates the sharing of near-real-time information about potential cyber incidents. Additionally, 38 states are receiving feeds of actionable cyber threat indicators provided by the Department. We are sponsoring up to three election officials in each State for security clearances. And while not all of them have submitted the paperwork, we have been able to grant security clearances to 21 individuals in 19 states. We have increased the availability of free technical assistance by reprioritizing resources that were previously dedicated to securing Federal networks to the priority of securing election infrastructure. And we will continue to offer those services, whether those are cyber security assessments, red teaming, intrusion detection capabilities, information sharing, incident response, or training and career development free of charge to all State and local officials. We will continue to collaborate, coordinate and support State and local officials to secure our election infrastructure for the 2018 primary, special, and general elections. Cyber actors can come from anywhere, internationally or within the U.S. borders. We are committed to ensuring a coordinated response from DHS and its Federal partners to plan for, prepare for, and mitigate risk to any threat to our critical infrastructure. We understand that working with the election stakeholders is essential to ensuring a more secure election. Our voting infrastructure is diverse, subject to local control and has many checks and balances. As we work collectively to address these and other challenges, the Department will continue to work with Congress and industry experts to support our State and local partners. I look forward to further outlining our efforts to help enhance the security of elections which are administered by our State and local partners. Thank you and I look forward to your questions.

Chairman Burr.
Thank you very much. Jim, the floor is yours.

STATEMENT OF JIM CONDOS, VERMONT SECRETARY OF STATE

Mr. Condos. Thank you. First, I'd like to just say thank you for this warm welcome with the weather outside. It makes me feel right at home. And just to give you a perspective, it was minus 11 on the first day of spring in Vermont.

Chairman Burr. When your flight is canceled, I hope you'll hold us equally as----

Mr. Condos. I don't have a flight now until tomorrow night. Good morning, Chairman Burr, Vice Chairman Warner, and distinguished members of the committee. Thank you for this opportunity to appear before you representing the Nation's secretaries of state, 40 of whom serve as chief State election officials in their respective states. My name is Jim Condos and I am the Vermont Secretary of State. I am also President-elect of the non-partisan National Association of Secretaries of State and a member of the Department of Homeland Security's new Election Infrastructure Government Coordinating Council. That's a mouthful. NASS President Connie Lawson of Indiana was not able to be here today, but I want to acknowledge her outstanding leadership in leading our organization. Our organization is comprised of members with strong and very diverse opinions. But when we speak for NASS, we speak with one voice. Voting is the very core of our democracy. We are in the 2018 election cycle, with November's general election only eight months away. I want to assure you and all Americans that election officials across the states, across the country, are taking cyber security very seriously. While it is important to ask what really happened in 2016 and learn from it, we believe it is even more important for us to be discussing what lies ahead. The 21 states that were not notified until September of 2017, one year after the supposed scans. No votes were changed, as you have heard. But let me be clear.
Secretaries of state across this Nation are diligently working each day to safeguard the elections process. When former DHS Secretary Jeh Johnson announced the ``critical infrastructure'' designation for election systems in January of 2017, our members raised many questions and expressed serious concerns about potential Federal overreach into the administration of elections. With the ``critical infrastructure'' designation in place, we are focused on improving communications between the states and with DHS to achieve our shared goal of election security. Under DHS Secretary Kirstjen Nielsen's leadership, we are now working well together. NASS is committed to facilitating this relationship. State and local autonomy over elections is our best asset against cyber attacks. Our decentralized, low-connectivity electoral process is inherently designed to withstand and deter threats. States use many resources available to them to bolster cyber security. Some utilize resources provided by DHS, others use private sector security companies, and still others partner with colleges and universities. Mr. Chairman, in your press conference yesterday you and other Senators outlined cyber security recommendations. I would like to highlight that states are already implementing many, if not all, of the committee's recommendations, including in my own home state. In Vermont--and let me go to my Vermont home State--we completed a thorough review of our cyber posture back in 2014, and we completed both physical and cyber. In 2015, we implemented a new election management platform. Because the system was new and it was nearly designed, it included built-in cyber risk assessments.
Some of the acknowledged best practices that we use in Vermont are: paper ballots, post-election audits, no internet connection of our vote tabulators, daily backup of our voter registration database, daily monitoring of traffic to our site, blacklisting of known problem or suspected IP addresses, additional penetration testing. We also have same-day voter registration and automatic voter registration. And we are planning, we're in the process of planning a statewide cyber security forum to be held in our State. We have no less than three levels of security between the outside internet and our cyber systems and they're monitored on a daily basis. We have joined the Multi-State Information Sharing Analysis Center, better known as MS-ISAC. We receive weekly DHS cyber hygiene scans, and we have met with both DHS and FBI contacts. We have also recently ordered an Einstein monitor to attach to our systems to help us monitor. Secretaries and their staffs are also working to secure more funding for improved cyber security, new voting machines, and to strengthen our existing election systems. These efforts have become much more challenging as election officials have to work now to counter cyber security in addition to our election's administration. To ensure the integrity of our systems, my colleagues and I do have a prepared ask for you. One of the most critical resources that Congress could provide to the states, is the remaining $396 million from the Help America Vote Act of 2002. It was allocated, but never completely appropriated. Meeting the ongoing demands for updated equipment and ongoing cyber security upgrades requires funding that the states simply do not have within their own budgets. I must say, the new and immediate funds are absolutely critical as we are now only eight months away from the November general election. If we do not receive this money until August, it's too late for this year. We need the money now. 
As election officials work to fulfil this commitment and to improve voter confidence, we ask Congress to fulfil that commitment. We ask that Congress, DHS and others help us improve America's confidence in our election systems by promoting State and local efforts in providing clear, accurate risk assessment. I want to again thank the members of this committee for holding this hearing and giving me this opportunity to speak to you on this important matter. On behalf of NASS, I look forward to answering your questions.

[The prepared statement of Mr. Condos follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Chairman Burr. Jim, thank you very much. I'm not going to speak for the Appropriations Committee and I haven't read the omnibus bill. But there is a sizable chunk of money. It matches about what you're mentioning.

Mr. Condos. We appreciate that.

Chairman Burr. Where that goes, I'll leave that up to the instructions of the appropriators. But I feel fairly confident that the committee, the appropriators and DHS are all on the same page on this one. Amy, the floor is yours.

STATEMENT OF AMY COHEN, EXECUTIVE DIRECTOR, NATIONAL ASSOCIATION OF STATE ELECTION DIRECTORS

Ms. Cohen. Thank you, Chairman Burr, Vice Chairman Warner, and distinguished committee members, for the opportunity to submit this testimony on behalf of the National Association of State Election Directors. My name is Amy Cohen and I'm the Executive Director of NASED. NASED's members are the State election directors in all 50 states, the District of Columbia, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, Puerto Rico and the U.S. Virgin Islands. Our members are the nonpartisan professionals who administer and implement election-related policies, procedures and technologies. And NASED's mission is to promote accessible, accurate and transparent elections in the United States and territories, which we do by sharing information and best practices.
Since elections were designated ``critical infrastructure'' in January 2017, our efforts have become more important than ever before. In 40 states, the secretary of state or lieutenant governor is the State's chief election official. And in the remainder, the chief election official is the executive director of a board or commission. Beyond differences in leadership and other obvious differences in policies, the states also differ in the way elections are conducted. In eight states, elections are conducted at the township level instead of at the county level. Wisconsin alone has 1,853 local clerks responsible for conducting elections, in addition to the State election office. I highlight these differences as a reminder of how complex the administration of elections truly is. Every State election official, though, is a planner. They have spent every day since the 2016 election learning how to improve for the future, and the ``critical infrastructure'' designation has given us access to resources many did not know were available previously. Now, approximately 15 months into the designation of elections as ``critical infrastructure,'' we've made great strides as a field. State election directors must communicate basic information to their voters to ensure that every eligible voter who wants to cast a ballot can do so. And election officials must give them confidence that their vote will then be counted as they intended. Effective communication with local election officials who serve as the boots on the ground in running elections is also paramount. States run regular trainings and provide information and resources year-round every year to make sure that local officials have access to the information, tools, and skills they need to do their jobs effectively. State election directors must also communicate with our colleagues in the Federal Government. 
Until 2016, this was primarily with the members and staff of the Election Assistance Commission, who provide an invaluable service to our field through their guides and best practices, informed by both qualitative and quantitative data. Communication with DHS was new to NASED members in 2016 and is an area where we have seen significant improvement. In October 2017, DHS, the National Association of Secretaries of State, NASED and local election officials convened the first meeting of the Government Coordinating Council as a mechanism for sharing information about elections infrastructure threats across State, local, and Federal Governments. Since then, the GCC has met several times by telephone and again in person at the NASS and NASED winter conferences. The executive committee of the GCC, which has representatives from NASS, NASED, local election official organizations, and DHS, meets every other week by telephone. The GCC voted unanimously in February to adopt goals and objectives for the elections infrastructure sector. Working groups are doing the challenging work of writing a strategic communications plan, to develop guidelines around communications, and of writing a sector-specific plan to formalize the strategic goals of the elections infrastructure sector for the next several years. In addition, the Elections Infrastructure Sector Coordinating Council was launched in December 2017 with representatives from private sector vendors and nonprofit organizations. The GCC and the executive committee of the GCC are critical to distributing information to all 50 states, the District of Columbia, and the territories, as well as disseminating critical cyber security information to the more than 8,000 local election officials. The GCC also voted at the February meeting to formally recognize the Multi-State Information Sharing and Analysis Center as the elections infrastructure ISAC. While all 50 states, the District of Columbia and the U.S. 
territories were members of the MS-ISAC prior to 2017, election officials were not privy to the information shared by the ISAC and thus could not act on any of the information shared about the 2016 election. As of today, however, the EI-ISAC, which is free for election offices to join, counts 38 State-level election offices and more than 100 local election offices as members. NASS, NASED and the executive committee of the GCC strongly encourage all State and local election jurisdictions to join and are developing a strategic outreach plan to make sure every one of our State and local election officials understands the benefits of participation and joins. DHS has also facilitated secret-level security clearances for State chief election officials, as well as additional election office staff, including State election directors. Our hope in doing so is to ensure that any future information-sharing will not be hindered or delayed by the information's classification. As you are aware and have heard about this morning, processing for security clearances can take time, but we continue to make progress with DHS in this area. Finally, DHS hosted more than 60 election directors and staff, representing 43 states, D.C., and two territories, for a secure briefing with the Office of the Director of National Intelligence and the Federal Bureau of Investigation in conjunction with our February conference. It would be naive to say that we received answers to all of our questions, but the briefing was incredibly valuable and demonstrated how seriously DHS and others take their commitment to the elections community as well as to our concerns. There have of course been challenges, but we have taken incredible leaps forward in a relatively short amount of time. Since the November 2016 elections, states have hardened the defenses of their voter registration databases and other IT systems against intrusion.
This has included taking advantage of free resources such as vulnerability and risk assessments from DHS, cyber security services offered by State branches of the National Guard, and utilizing services offered by other branches of State government. Several private sector vendors have made tools and resources available to State and local election officials providing additional defenses. The Belfer Center at Harvard and the Center for Internet Security have provided practical guidance and tools for State and local election officials to use to strengthen their cyber security posture. Election officials have long taken steps to build resiliency and redundancy into their systems, and all states are evaluating the steps they take in light of the cyber security threats we face today. Aging voting equipment has been at the forefront for election officials for years. The Presidential Commission on Election Administration report, released in 2013, highlighted the impending crisis in voting technology. The voting technology problem and its effect on cyber security is multi-faceted. First, I mentioned earlier that states run their elections differently. Local election officials are strapped for resources and are sometimes reliant on vendors or contractors for IT support. This can make it difficult for local jurisdictions to make smart technology purchases and adds an additional layer of complexity to maintaining a defensive cyber security posture. Many are taking advantage of in-State academics or national resources, including those at the EAC, to make sure that purchases comply with best practices. Second, many jurisdictions purchased their current voting equipment with Federal funds received under the Help America Vote Act of 2002, meaning that the equipment and software often predate parts of our lives we now take for granted, such as smartphones. Without additional funding, jurisdictions cannot afford to purchase new technology.
We're encouraged to hear that Congress may release some outstanding HAVA dollars in the omnibus appropriations bill. Third, a handful of states still use voting technology that does not have a paper record or a voter-verified paper audit trail. These states are reliant on the accuracy of their voting machines, because in the event of a recount their records only exist in the machine. To be clear, we have seen no evidence that voting machines or election results have been manipulated or compromised in any election. But election officials must remain vigilant. Understanding these risks is important, but we should not overlook the safeguards currently in place to protect the existing technology. Elections are decentralized. There are thousands of jurisdictions, hundreds of thousands of voting locations, and many more hundreds of thousands of voting machines. The diversity of equipment used and the sheer number of precincts and machines creates obstacles to a large-scale attack on voting equipment. Voting machines themselves are not connected to the internet, making them less susceptible to intrusion. And results released on election night are not the official results. Every State and every local jurisdiction for elections run at the local level conducts an official canvass of results several days after election day to complete the official tally of results. In addition, an increasing number of states are doing post-election audits and many more are considering risk-limiting audits. In summary, the field of election administration has made great strides since the 2016 presidential election, and State and local election officials cannot do this alone. If 2016 taught us anything, it is that we need a whole-of-government approach, with strong coordination and communication across the Federal, State, and local players. We appreciate this committee's recommendations released yesterday and are pleased that many of those are already underway in many states.
Thank you for the opportunity to share NASED's thoughts and opinions with you, and I am happy to answer any questions.
[The prepared statement of Ms. Cohen follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. Thank you, Amy for that testimony. Eric, the floor is yours.
STATEMENT OF ERIC ROSENBACH, CO-DIRECTOR, BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, HARVARD KENNEDY SCHOOL
Mr. Rosenbach. Chairman Burr, Vice Chairman Warner, other distinguished members of the committee: Thank you very much for the invitation to testify. The committee is one of the very few bipartisan efforts to address threats to the integrity of our democracy right now, and your leadership is crucial to charting the course forward. As a former professional staff member on the Senate Intelligence Committee, I have great respect for your bipartisan approach to what you're doing and genuinely thank you and your hardworking staff for all the work you're doing and your service.
Our response to Vladimir Putin's ongoing attempts to undermine the strength of American democracy will be a defining issue of our digital age. Putin's attacks are not limited only to our election systems. Recent reports from the Department of Homeland Security make clear that Russian military intelligence operatives continue to conduct the preparatory steps needed for a major cyber attack against our energy infrastructure, including pre-placing the same malware in the United States that they used to take down the electric grid in Ukraine, twice. Imagine, if you would, that during the Cold War we found out that Soviet military intelligence operatives had placed secret explosives that could take down the electric grid all around the United States. Would our leaders have stood by and debated the nature of the threat or would we act?
Unfortunately, over the past three years and both Administrations our national response to Russian cyber and info attacks both against the United States and our allies has been too weak. America and democracies around the world need action and, given the current environment in Washington, the Senate Intelligence Committee will need to play a leading role in driving that action. In the summer of 2017, a little team up at the Harvard Kennedy School set on a mission with one primary goal: to do as much, as quickly as possible, to help lower the risk of cyber and information attacks on the 2018 mid-term elections. So this project, known as the Defending Digital Democracy Project, is a bipartisan initiative that I co-lead with Robby Mook and Matt Rhoades. And we're developing real-world practical solutions to try to defend against cyber and information attacks. It's a diverse team. We have technical experts, political operatives, public affairs ninjas, and a hardworking team of Kennedy School students who are working very closely with NASS, NASED and the Department of Homeland Security to support our project. They've been truly outstanding partners, including several secretaries of state, Mac Warner in West Virginia, Denise Merrill in Connecticut, and Alison Lundgren Grimes in Kentucky, all part of the team. Since then, our team has conducted field research in 34 State and local election offices, observed the November 2017 elections in three states, and conducted a nationwide survey on cyber security in 37 states and territories, and engaged State and local elections officials in a tabletop exercise at a national level three different times. Based on that research and our observation, we have released four different practical election-related security playbooks, including for political campaign staffs, local election officials, and two specific playbooks on incident response. 
Next week, up in Cambridge, Massachusetts, we'll host over 160 State and local election officials from 38 states to run them through a series of crisis simulations that are structured to train and empower them to improve their cyber defenses and incident response capabilities, and to provide them with the tools to run these exercises back in their home states. The so-called ``train the trainer'' exercise, a traditional military, Army way of doing things, we'll follow up then with a hackathon, where we sponsored a national competition for student teams from around the country to compete for three $10,000 prizes which will be awarded to the best developed tech and policy options to counter Russian information operations.
Now, I would like to tell you a little bit about our observations of the states. Chairman Burr, you asked about that. And the bottom line is this: State and local election officials are on the front lines of the effort to defend against nation-state attacks on our democracy. They accept this mission admirably. Our team has always been impressed with their professionalism and dedication. But, that said, the states need more help. They simply are not equipped to face the pointy end of the spear of cyber attacks and information operations from advanced nation-states. One often underemphasized issue is that the states, along with the Federal Government and outside organizations, need to continue to develop the capabilities for public incident response to information operations. So not just the hacks, but along the lines of what Senator Rubio mentioned, an information operation trying to sow distrust in the outcome of the election even if a hack were not successful. One of the few real antidotes to aggressive information operations like the Russians regularly conduct is effective public communications about the true state of affairs.
The work we've done at the Kennedy School is really just a small part of the assistance that the states need and deserve to defend themselves. They need extra help. Specifically, it will require a four-cornered effort, an all-of-nation effort, not just government. There's a lot that people not in the government can do now. The first is the State governments, which I think you've heard a lot about and so I won't reiterate. Second of all, we need to pay attention to political campaigns. They're the soft underbelly of this system right now. Their cyber hygiene generally is not good, and the overall chaotic environment in which they operate is not conducive to good cyber security. Social media companies, who must accept that our adversaries will continue to manipulate their platforms unless they dramatically change their organizational culture and their operational paradigm. And finally, the Federal Government, which must better support State and campaign efforts, oversee social media, and lead in creating the credible national defensive posture equal to the cyber and information threats that our elections face.
Thank you very much. I look forward to answering any questions you have about any of our research, and I promised your staff that I wouldn't go over five minutes.
[The prepared statement of Mr. Rosenbach follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. Eric, thank you.
Mr. Rosenbach. Yes, sir.
Chairman Burr. Thank you for your service on this committee. Senator Hagel would be proud of you, as we are. I would note that today we're highlighting one slice of the Russian effort into the U.S. democracy. It's the election process. When we've completed our investigation, which has been extensive, hopefully it will expose all of the portals that Russia used to sow chaos and societal chaos and everything else that they did.
But you also mentioned a lot of things at the beginning that have not historically been on the plate of the Senate Intelligence Committee, that are now front and center, not because of the lack of interest of other committees, but because of the unique expertise of the staff on this committee and the interests of the members. And so we're juggling a lot of balls in the air right now. With that, I'd like to recognize Senator Lankford for the first round of questions.
Senator Lankford. Thank you, Mr. Chairman. Thank you all for being here and the time you've dedicated to this already. Let me ask just, Mr. Condos, about the recommendations that this committee has made on trying to make changes for cyber security, whether that be systems that can be audited, whether that be--obviously being separate from the internet during voting times, attentive when there are updates for software even when you're not connected to the internet for those machines, having a way to be able to do risk-limiting audits, security clearances for individuals when they--so we have a point of contact with DHS so they can do rapid communication. Any of those--are any of those concerns to you or to your organization?
Mr. Condos. Let me speak on behalf of personally and the State, not----
Senator Lankford. Sure.
Mr. Condos [continuing]. Not NASS on this, because we have actually not taken a formal position because we just barely got the recommendations. But let me just say that we have long believed that having paper ballots, having an audit--we've been completing audits since 2006 and to date we've not had any anomalies from those audits. In fact, the audit that we do now, that started in 2014, now we call it a 100 percent census because we do the entire set of ballots for a particular town. We do a series of towns, randomly picked, and we do the entire ballot bag for that town that were cast, and then we also do every race that's on that ballot from President on down.
We believe that having audits is critical to this and we are completely in agreement with that. I think that some of the other recommendations that you have put forth are excellent recommendations. We're already implementing many of them in Vermont and will be--like for instance, we're adding two-factor authentication for our local towns. We do not have county government in Vermont. We go straight from the towns to the State, so we're looking now at putting two-factor authentication between now and probably May or June.
Senator Lankford. Can I ask you if DHS has been proactive to be able to help your State over the past year in communication and ideas.
Mr. Condos. So let me just say that I think there was a lot of trepidation between the states and DHS in the beginning, but over the last----
Senator Lankford. When you say ``in the beginning,'' are you talking about that August 15th call?
Mr. Condos. Well, I'm talking about from August 16th-- August 2016 to sometime last fall. Since that time we have really improved communications and we're working well together. You know, there's the obvious ups and downs that you have, but we are working well together, and I think that communication has improved tremendously.
Senator Lankford. Has DHS been an asset to you?
Mr. Condos. Yes. We do use the weekly hygiene scans. Many of the other products that they give, we've already done and we will continue to do. I don't want to leave the impression that just because we're not doing it with DHS, we're not doing it.
Senator Lankford. No, I understand. They're a resource that will be available to you if you choose to use those.
Mr. Condos. Correct.
Senator Lankford.
There is the concern that some of us have that if an individual State is attacked, that State identifies, I'm getting in some certain attack, and that information, whether it be the IP address or the type of malware or whatever it is, that the State picks up, if that's not shared with DHS there's not the opportunity for other states to also be able to check their system. How can we improve the trust level, that when a State identifies, I'm getting an attack that's unique, that they share that with DHS and so other election systems can also check for it?
Mr. Condos. Well, let me explain what we've done in Vermont. When we see an anomaly, what we think of as an anomaly in our daily monitoring of our systems, if we encounter something like that, we will automatically count our FBI, DHS partners, and MS-ISAC to let them all know. And once we have-- they will tell us what they need from us and then we provide that to them so that they can look at it. But I definitely, I think where you were going is the fact that if one State is attacked, all states are attacked.
Senator Lankford. Right.
Mr. Condos. And that's the way we have to approach this.
Senator Lankford. And one of the issues that we have is, if one State is attacked, the other states might have already been attacked, they just didn't pick it up and you did.
Mr. Condos. Possibly.
Senator Lankford. So it's exceptionally important that we get the chance to have that two-way communication going, again voluntarily. But it is good participation whether it's just to be able to make sure that we can help each other. You mentioned as well duplication in your voter rolls. You said you do that every single day, to be able to duplicate voter registration rolls?
Mr. Condos. Yes, we back up our system daily. It's kept for a period of time before it's cycled out. So at any given point in time, we could always go back to that date and re-establish, and then we only have a small sliver that we have to authenticate after that.
We also have same-day voter registration so nobody will be denied at the polls.
Senator Lankford. Okay. I just want to make one quick comment and I want to yield back to the Chairman as well. Thank you for all the work. You've been in quite a few meetings with our team and with Homeland Security that Senator Harris and I have both seen you on oftentimes. You've done a lot of work on a lot of these issues, boots on the ground, and we do appreciate your daily work on this. You've had some long days with your team, being able to work through some issues, so I appreciate your work on it. I yield back.
Vice Chairman Warner [presiding]. Senator Harris.
Senator Harris. And I couldn't agree more with Senator Lankford. Miss Manfra, every day it seems like we're seeing you on one of these committees, so thank you for your work. Mr. Rosenbach, as everyone understands, achieving cyber security will be extremely difficult. In fact, some say we should--we're never going to actually achieve security, but we will try to do as best as we can. But there are no absolutes in this realm. So the concern I have is that I think that there's a very real chance that when we're talking about HAVA, which is the Help America Vote Act of 2012--2002, that it may be a simplistic approach to suggest that the HAVA grant program is the solution to election cyber security. One of the concerns that I have heard and I'd like your opinion about it, is that there is a very real chance that states could acquire a new batch of insecure systems--and Miss Cohen actually spoke a bit about that concern as well--because they just don't have the resources and it may be the technical resources or advice or support to make the best decisions about acquiring the best and most secure equipment. So what is your perspective about that? And should states be required also to use those funds only for cyber security improvements versus other needs they may have?
Mr. Rosenbach. Yes ma'am.
I think, to start with your idea and highlighting that risk mitigation in cyber needs to be much broader than just the technical cyber security issues. So you talk about an incident response plan----
Senator Harris. Right.
Mr. Rosenbach [continuing]. And leadership at the top. Vermont seems like a model in terms of a secretary of state who can talk about two-factor authentication and is doing all these things. That's what you want.
Senator Harris. And he's at this table for that very reason.
Mr. Rosenbach. Exactly, but that's a rare thing.
Senator Harris. Yes.
Mr. Rosenbach. And the states take this very seriously, but that level of knowledge is a rare thing.
Senator Harris. Right.
Mr. Rosenbach. So the money will do one thing, but it's leadership that's even more important, and rehearsing what happens when you do get hacked or if you don't get hacked, but the Russians manipulate your information, that is very important. I do think having outside technical expertise that has no vested interest can be helpful to the states in trying to determine maybe how to allocate resources. I don't think that you want to make it bureaucratic because we need to move fast and things are already bureaucratic enough in government. But some way to help the states I think would be appropriate.
Senator Harris. And so, as you think about that, as Congress considers appropriating this money, do you have some thoughts about how we can make sure that grant recipients use it in the best way, the most efficient way?
Mr. Rosenbach. Yes, ma'am. I think you definitely should appropriate it. There's no doubt about that. And a couple options would be something almost like the NIST framework, where it's an agreed-upon framework. You would never try to stipulate specifically what they should do because the diversity of systems is so great, it would never be exactly right. It would also change in two years. That broad type of approach, with some outside technical expertise, may be one option.
Senator Harris. Assistant Secretary Manfra, do you agree that there's a certain type of election interference that we should be concerned about, that would target the so-called swing states or those jurisdictions within states that have been identified as perhaps making all the difference in terms of the outcome of a national election. I know we've talked a lot about the diversity and the number of jurisdictions that hold elections. But some perhaps are more pivotal than others, as we have seen.
Ms. Manfra. Yes ma'am, thank you for your question. While our focus is on the security, not the political dynamics of elections, we do take a risk-based approach to everything that we do with critical infrastructure in terms of how we prioritize. So what we seek to understand is how would the adversary, if their end goal was to--whether that's to sow chaos and discord or to manipulate a voting process--what would be the most likely way that they would do that? So we would definitely include consideration of that scenario that you described as to how we would think about a risk-based approach to prioritizing, if that answers your question, ma'am.
Senator Harris. It is, but so that we can just take it out of the theoretical, there's pretty much consensus about what are the so-called ``swing states'' and ``swing counties.'' What I really hope and would like to know is that you and DHS has identified those perhaps as being priorities, knowing that foreign adversaries, Russia for example, all they have to do is pick up the paper to figure out where they should target if they actually want to manipulate the outcome of the national election.
Ms. Manfra. Yes ma'am, we would consider those priorities.
Senator Harris. Great.
And my understanding is that basically if a State election agency is hacked, you pretty much send out a hazmat team to get right out there on the ground, boots on the ground, and do whatever is necessary to help the State in terms of getting back up and also figuring out in a forensic way, maybe in an investigative way, what you need to determine in terms of who was responsible, who the perpetrator is, where the specific breaches are and so on. Is that correct?
Ms. Manfra. Yes ma'am. There's two models. One would be where we know whether the State has--and this is applying our model that we use for all critical infrastructure and Federal networks to states. But one scenario where a State or an entity reports that they have had some type of unauthorized access and they voluntarily request our assistance, our priority then would be, yes, to deploy a team. Sometimes we can do it remotely, but we deploy a team, work with them to gain access to their system, and then our responders would help first identify the presence and how wide scale that presence is. We need to be careful not to evict them too quickly, because we want to understand completely how much of the network or the systems that they're on. Once we've identified that, then we work with the victim organization to remove the malicious actors from the system and then, importantly, help them get back up and running very quickly.
In other scenarios where we have maybe intelligence or other information, where we think someone may have been a target, but we don't know, we do something that's called a hunt, and that is also voluntary, but we work with that target. Ideally, they would voluntarily let us connect to their system, and we attempt to search for any evidence of that adversary. Sometimes we find them; sometimes we find that they were effective, the entity blocked that potential intrusion.
Senator Harris.
And if I may, and I'm over my time, but all of that happens, all of that work happens, when and if you have been notified by the State, correct?
Ms. Manfra. In the former case, it would require notification by the State. In the latter case, it would be usually something from the intelligence community, though it could be from the State or say from the MS-ISAC.
Senator Harris. Okay. And--and, Mr. Condos, I think you would agree--that DHS is best able to do its job if there's that kind of notification and cooperation.
Ms. Manfra. Yes, ma'am.
Senator Harris. Thank you.
Chairman Burr. Thank you, Senator. The Chair would recognize himself, then the Vice Chairman, and then members by seniority. If Senator Heinrich or Collins come back, we will work them in since this is their lead. Jim, let me ask you a simple question. When you leave here today, are you thoroughly convinced that the United States government does not want to take over the election process of states and localities?
Mr. Condos. I am in that position right now.
Chairman Burr. Okay.
Mr. Condos. Yes.
Chairman Burr. We have accomplished a lot based upon where we started. Jeanette, let me ask you. It seems it took a while for DHS to come to a solid estimate about the number--or a solid number about the number of states that were actually targets of Russian attention and activities. The scanning activity ran through the fall of 2016. What's your confidence level in that assessment?
Ms. Manfra. What I would say, sir, is that, based off of the visibility that we had at the time, which has increased since 2016, but based off of the partnership with MS-ISAC, with states and the intelligence community, we are confident that that 21 number is accurate.
Chairman Burr. I'll ask you a very broad question. Have you seen things running up to the 2018 election, activities that concern you that an adversary might be testing the systems?
Ms. Manfra. Not at this time, sir.
Chairman Burr. Okay. Jim, to you and Amy.
State election officials reviewed with our staff two of the DHS conference calls with states. One was in August of 2016. What was shared with us was that states say about that call that they didn't understand why DHS was contacting them in August 2016; there was little context to the call or to any threat relayed. Is that what you hear from your members?
Mr. Condos. I would say that in the August call, it kind of caught us out of the blue. We knew we were invited to this call, we were on the call, and when Secretary Johnson spoke to us about some of what was going on, we weren't sure what was happening. When he talked, when he spoke about the critical infrastructure, we really pushed back. I will say that we pushed back. Red states and blue states were pushing back because we were looking at potential for a Federal overreach.
Chairman Burr. So when I suggested to him today that just the mere mention of State elections being under the critical infrastructure, that this was a passionate point for the states, I didn't understate that, did I?
Mr. Condos. No, you did not. I will say, though, when Secretary Johnson actually declared, made the designation in January of 2017, it was not until July when we met in East Greenbush, New York, at the MS-ISAC Center, that we actually got a presentation on what critical infrastructure designation was going to be about. Up to that point, we still didn't--so almost a year later, we still didn't know what was happening until then.
Chairman Burr. So I think we would all agree on this committee that communication was poor. Jeanette, you sort of inherited, one, the state of mind that they were in. Eric, you've had an opportunity to look at it as well. And you were tasked with, come up with a plan that solves this. In the September 17 call, DHS for the first time announced 21 states had been scanned and that State election officials might not know their states were targeted.
States told our staff that they felt shocked and waited for one-on-one calls with DHS to find out if they were one of the 21. Many then reported that they were surprised by additional lack of details. What's changed since then and what assurance can you give the states that not only we're on top of the number, we're confident of the number, and, more importantly, we got a plan in place?
Ms. Cohen. Yes sir. Looking back on some of the lessons learned over the past couple of years, our policy has always been, in order to notify a target or a victim of a potential cyber intrusion, to prioritize communicating with that. In the partnership with the MS-ISAC, which all 50 states participate with and have sensors, the primary interlocutor, I guess we'd say, was usually the states' CIO for the MS-ISAC. So we prioritize per existing protocol notifying those victims. What we didn't fully appreciate at the time and through those multiple conversations in 2017 in particular, was that just by notifying that victim that didn't necessarily mean that that senior election official who's responsible for that overall administration received that notification. It was at their request that we undertake that broad notification in September. So while we did notify the potential targets or the victims when we saw the activity, it was notifying those senior election officials and giving them more insight.
The other issue which is always a challenge in cyber incidents or targeting, is we don't always have perfect information. So we prioritize notifying a target even if we in the intelligence community don't fully understand what's going on, because, frankly, by having a conversation, by being able to deploy our incident response teams, it will help the intelligence community and DHS learn more about what's going on. So when we first notified in 2016, we didn't fully understand what was happening, who was actually targeting those states.
We just knew that it was coming from suspicious servers and a company. So now what we have done is, working with the Government Coordinating Council and the representatives, is defining who are those points of contacts. The states provide those points of contacts at the State level, and we have the appropriate mechanisms to ensure that we get that information and. And again, we're not waiting for clearances. If there's information that we can't declassify, we will provide one-time read-ins to those organizations to ensure that, even if we can't declassify, we can provide them additional context, frankly, even if we're not completely sure at the time. So those are some of the things that we've improved over the past couple of years.
Chairman Burr. Thank you for that. Eric, brief question, brief answer. As an outside entity looking at this process, what letter grade would you give us collectively on the progress that's been made based upon the threat that you saw?
Mr. Rosenbach. That, sir, is a hard question. You know, this is what I would say. I would give you all B, and it's mostly----
Chairman Burr. Not us, but collectively.
Mr. Rosenbach. But I'm talking about the whole government. In particular, it's a B because DHS in particular over the last year has been working very hard to rebuild that trust with the states and with other organizations so that they can do better. And just working hard can overcome maybe not having a lot of capacity or, coming from DOD, having a $600 billion budget. DHS, they're not like that. But, it's not as good as it should be.
Chairman Burr. I think we all agree we've got more to do. Vice Chairman.
Vice Chairman Warner. Thank you, Mr. Chairman. Let me say I understand probably the concerns that were raised by the states when they got the call from Secretary Johnson. But I think history has shown that designation was correct, and I am appreciative of the recognition.
Miss Manfra, you had to receive some of my concerns last June at the hearing, but the notion that we've worked through some of the security clearance issues and that there is this better communication, I want to commend your efforts. My first question is for you, Miss Manfra, and you, Mr. Rosenbach, and it's a bit of a speculative question. Try to answer fairly brief, though. Which is: We know how vulnerable now our systems were. I know that the Hackathon that took place last year, where virtually every machine was broken into fairly quickly--I had to really raise heck to make sure we changed out machines in Virginia before our election system. One of the things I've always wondered: With the capabilities that clearly Russia has and the level of sophistication of their cyber activities, the fact that they scanned 20 states and only broke into one. Would you speculate whether their goal was to actually go in and change voter totals in 2016 or whether it was just in a sense to leave digital dust that might then be interpreted as outside interference, that somehow could then be used to stir up dissension and the kind of concerns that Senator Rubio raised about his scenario, which I think was potentially very real? Either one of you want to try on that?
Ms. Manfra. I could start, sir. I would say that what the Russians were trying to do, which we've talked about a lot, was sow chaos and confusion and discord. And I believe, while--and this is my opinion--that by scanning systems, they were looking for vulnerabilities, they were looking for weak points. And the good news is most of the states deflected it, and I think that's something that doesn't get talked about a lot. But you know, they scanned, they looked for weak spots, and the State systems deflected that. That doesn't mean that there aren't continued vulnerabilities. But I believe that's what they were likely looking for, is weak spots to get into systems.
Chairman Burr. Mr. Rosenbach.
Mr. Rosenbach. Yes, sir.
I'd start by saying, I've been working in cyber and intel and on the Russians for almost 20 years, and I just don't believe when someone tells me we know everything about what the Russians did or didn't do. So I want to be very clear. I'm not basing this on intel and it is speculation, but I have to be honest: I don't believe that there isn't more to the Russian story, and that they may not have penetrated more than we know right now. That's always been the case when I've seen these advanced Russian actors, and the GRU in particular, and just like we learned more about them being in the energy grid. So my fear is that, if you look at the Gerasimov doctrine and the way Putin is now recently re-elected, that this is all about something even bigger, which could be when there's an escalation of tensions and they know they have malware in our grid and they have malware in our election infrastructure, that there will be a threat and a type of coercion that advances broader national security interests. So I don't want to sound, you know, shrill, but that's my assessment.
Vice Chairman Warner. I agree, and I think, again, one of the reasons why the very good work so many members on this committee have done in a bipartisan way to try to help alleviate this issue and lay out specific recommendations. One of the questions I raised on the earlier panel and I want to raise again, Mr. Condos and Miss Cohen, is how do we make sure that your vendors--my understanding was that the Belfer study showed that over 60 percent of American voters cast ballots on a system operator owned by a single vendor. I think it was back in 2012, but there are still these large, large vendors. How do we ensure that, working with DHS, that they're up to security? Are you auditing that, that they're guarding your voter files in an appropriate way?
Mr. Condos. Let me start by just saying that the simple way is that we build it into our contracts with the vendors. So we require them to meet NIST standards.
If we're buying new equipment, it has to be EAC certified. So those are the ways that you can do that, is to get them involved in it. But then we also have our own independent security folks that will do penetration testing, will do risk assessments, to determine whether what we've got is what we hope to have to defend, as was pointed out. So I think many of the states, the idea of putting in stuff into the contract, requirements into the contract, I think that has changed over the last few years. When we first proposed it, we were told, oh, nobody does that. Then, now it's becoming standard, at least in our State for all IT contracts. So we are moving in that direction to try to protect ourselves.

Ms. Cohen. I'd add that many of the changes that we've seen in the election technology space have been consumer-driven over time. And Secretary Condos' point is a good one, that as we educate State and local election officials to better understand what they're putting in their contracts and give them resources like the EAC, like the Belfer resources and others, to make sure that they're putting good things in their RFPs and in their contracts, we will start to see a shift in the vendor area.

Vice Chairman Warner. My time has expired, but I would also commend my colleagues the work the Belfer Center has done, what Eric has done. On the question around campaigns, these are the ultimate start-ups and huge vulnerabilities. We obviously have a whole segment of our government, the Secret Service, that oftentimes protects candidates. I do think we're going to need best practices and think about how we can put at least best practices out there in terms of protecting campaigns, because this could be a next layer of vulnerability. Having been involved, and probably everybody up here on the panel being involved in campaigns, at least in the past, cyber security has probably been one of the last items you look at as you try to put together--and I commend your good work there.
Chairman Burr. I'm just sitting here thinking. If you thought we saw pushback from State elections officials, I can't wait to see the pushback from campaigns. [Laughter.] But I would also agree that they are an extremely vulnerable part of our whole election process right now.

Mr. Rosenbach. I think they're the most vulnerable. Quite frankly, it's very chaotic, resource constrained, all the things that lead to really poor cyber hygiene.

Chairman Burr. I'm going to turn to Senator Blunt, but as I do that, the likelihood is that when we return from the Easter work period Senator Blunt will then be Chairman of the Rules Committee, where a majority of the Federal statute changes relative to elections will fall. So I thank Senator Blunt for being integrally involved in this process, because he will be integrally involved in the next generation of this as well.

Senator Blunt. Well, thank you, Chairman. We'll see how that works out. If it does work out, we'll expect to see all of you back and all of you back when we actually look at legislation. I want to see if I can't cover a couple of topics with the whole panel. One was, you can probably tell--you were all here for the earlier testimony on notification and public notification. As you can tell, we've dealt with this in other areas before and have generally come to the conclusion that public notification was not necessarily helpful and generally not desired by the people you were encouraging to report in. What's your view of that topic of whether states and local entities are less likely, more likely, helped by some public disclosure that someone attacked your system. Or does that make it a different kind of decision when you report in what you report in and why you report in? So let's just start, Miss Cohen, with you. Your view of, if we made that or DHS made that, we required them to report when you reported to them?

Ms. Cohen.
State and local election officials balance the right to know and transparency with also impacting voter confidence in the system. I can't comment specifically about whether I think they should or should not make it public, but it is a difficult balance for all election officials because the public does have a right to know, as we've discussed throughout this hearing. But balancing voter confidence and not impacting people's confidence in their election system and the outcome is something that has to be taken into consideration.

Senator Blunt. Mr. Secretary, what are you and your NASS colleagues likely to think about that?

Mr. Condos. Well, I'll speak for myself. I won't speak for my NASS colleagues on that. But I think that I will say that, as Miss Cohen has just said, it's a balance between transparency and privacy, and I think we have to be careful about that. I do think that if some of our citizens' information was actually accessed, they deserve to know that. If it was just a target or a scan--and by the way, I do want to say that it is important that we use the right words. I think during that discussion about the 21 states, they we talked about targeted, scanned, hacked, breached; and it was a scan or a target, which is similar to a burglar walking up to your house and trying the doorknobs or looking through the windows. I think we have to be careful about how we use those words because they do matter. So I do think that there's some likelihood that there will be some public announcement if people's information was actually accessed, and I caution that we have to be careful. You also want the incentive to be on the states to notify their partners that things have occurred or may possibly have occurred. And you don't want to have it be a disincentive.

Senator Blunt. Secretary Manfra.

Ms. Manfra. I would agree with my colleagues. I think this isn't just an issue just for this sector. It's across all sectors.
We very much would like them to voluntarily report incidents to us, particularly if we've published a document asking industry to look or State and locals to look for indicators of compromise, and let us know, because that just benefits everybody. It benefits the government, it benefits our defense. I would say, as far as publicly talking about it, I agree that individuals have a right to know when their information has been stolen or tampered with, and a lot of states have different laws governing that. I do think we always have to balance, as Ms. Cohen noted, the public confidence in our system. Also, as I mentioned before, often you know the fact of an incident, but you don't know everything about it, and you don't know what was taken, you don't know all these different pieces around who did it; and it's hard to convey a lot of that nuance publicly. So I know it's complicated, it's challenging. I look forward to continuing to work with you on this issue, but I guess I would prioritize notification to the Departments over public notification.

Senator Blunt. I might point out here, too, that, in case anybody is paying attention to this, the information in your voter registration file usually is not nearly as extensive as the information in lots of other files. So your Social Security Number, things like that, that we've seen large segments of information be accessed improperly, the voter registration file doesn't have a lot of that in it. Let's get a final response.

Mr. Rosenbach. Yes sir. I'll be real quick. I would say it matters most if it's a compromise. If it's a compromise, it's something different. That definitely requires disclosure to the Hill for certain, and I think you have to disclose it to the public. And here's why. You all know this. It's almost impossible to keep a secret, and when something like that comes out in a leaked way it undermines the public's confidence in the government and what they're doing.
So, although it's very hard, I think you just have to err on the side of publicly communicating about these things and giving as many facts as possible and doing that over and over. Otherwise, you create a new seam for the Russians to try to get in and sow this disinformation.

Senator Blunt. It would be another area where how you define ``compromise'' matters, too. Was information shifted around, people have reason to believe they're going to be directed to the wrong place, anything like that, as opposed to there was an attempt to get into this information, we are confident that attempt failed, but we want to report it because other entities might also be having the same kind of attempt. At some point--we don't have time today, but the whole idea of the audit system, the paper trail, all of those things and who is doing that, who's not, provisional voting, things that can give voters some sense that, no matter how many of these things go wrong, they on election day are going to be able to cast the ballot they intended to cast and without a government that stands in the way of doing that. Thank you, Chairman.

Chairman Burr. Senator Wyden.

Senator Wyden. Thank you, Mr. Chairman. Ms. Manfra, to just recap a little bit from this morning, I talked with Secretary Nielsen about the 43 percent of Americans who vote with voting machines that researchers say have serious flaws, including backdoors, which would make them obviously susceptible to frauds and hackers. She claimed, to her credit, that this is now a national security problem. She said best practices are paper ballots. That's encouraging. I just want to go a little bit further, and I think this is an area that might be part of your expertise. So I've written to the major manufacturers of the voting machines to get basic answers to their cyber security practices. I asked, for example, if they employ cyber security experts, if there were audits and if they had ever been hacked.
Most of the companies have just been stonewalling. So this is how almost half of America votes. There is essentially no accountability over these companies. My first question would be: If the voting machine companies do not employ cyber security experts and they don't have independent audits of their products, how confident are you that the election technology they sell to the states follows cyber security best practices?

Ms. Manfra. Sir, I'll do my best to answer those pieces. While we've been talking a lot about our work with the State and local entities that administer our elections, we have also worked with the industry that supports election officials, most recently setting up a sector coordinating council, which--it allows us to use our critical infrastructure partnership authorities to have non-public conversations with industry on security issues. Those manufacturers and others are participating in that. Our partnership with them is more nascent than with the State and locals, as my colleagues have talked about the importance of State and locals and, frankly, businesses everywhere in ensuring that they require cyber security best practices for their vendors is important. I can't comment on the specific statistic. I'm not familiar with that statistic.

Senator Wyden. You don't have to comment. The question is, though, ma'am, how confident are you as of this afternoon that the election technology that they're selling to the states follows cyber security best practices?

Ms. Manfra. Sir, it's just hard for me to judge right now. I don't have perfect insight into the machines that the states buy. What I can tell you is that many of those manufacturers have submitted their equipment through a voluntary compliance process, run by the EAC and NIST and now DHS, that includes things like a code review--so they've voluntarily submitted those for compliance.
And that many states use whether it's a voluntary voting standards, guidelines or similar mechanism for assuring the security of those systems, whether they mandate it or they do it voluntarily. I can also tell you that many of those machines that researchers say have vulnerabilities or other issues, that those can only be exploited when an individual has physical access to those machines. And election officials have other mechanisms that they've put in place to ensure that that physical access is not possible.

Senator Wyden. Well, let me be----

Ms. Manfra. Yes sir.

Senator Wyden. Let me be specific on it. There have been press reports that that biggest company actually stipulated that remote access software be installed in the machine. Now, if that's correct--and that's why I very much want your agency to get back to us. I think my time is almost out. I would like to have you get back to me with a written response to my question, of how confident you are that this technology they sell to the states follows best practices. I heard about the voluntary certification and the like, because when you read press reports that the biggest seller of voting machines is doing something that violates Cyber Security 101, is actually directing that you install remote access software which would make a machine like that a magnet for fraudsters and hackers and the like, you say, ``Boy, we've got to really beef up what we're doing.'' The Secretary, to her credit, said, ``Hey, this is a national security, you know, issue.'' She wants best practices, to include paper ballots. Can you get back to me with an answer within a week with respect to how confident you are of the technology they sell as following best practices?

Ms. Manfra. Yes sir, although if I could add, remote access software is only useful to an attacker if there is an internet connection, which the states do not allow. But I will absolutely get back to you, sir.

Senator Wyden.
If the press reports are talking about it, I think we ought to at least get an assessment from you----

Ms. Manfra. Yes, sir.

Senator Wyden [continuing]. With respect to how confident you are.

Ms. Manfra. Yes, sir.

Senator Wyden. Thank you, Mr. Chair.

Chairman Burr. Jim, you look like you maybe wanted to comment on that. Do you?

Mr. Condos. Thank you. Going by the press reports, the press reports initially stated that there was remote access software, but I believe there was a follow-up from perhaps that software company that--or the machine company--that said that they don't use that. That was something that was done at one time, but is not any longer used.

Senator Wyden. Well, let's just hear from Ms. Manfra and that would be in writing within a week, and we'll go from there. Thank you, Mr. Chairman.

Chairman Burr. Senator King.

Senator King. Thank you, Mr. Chair. Mr. Rosenbach, I want you to be shrill. You said you don't want to be shrill. I want you to be shrill. Tell us in 30 seconds about General Gerasimov.

Mr. Rosenbach. General Gerasimov believes that the most powerful weapon you can use is information combined with----

Senator King. He's a Russian general, right?

Mr. Rosenbach. He was the second ranking person on the Russian general staff. I'll tell you a story about this. You know, I used to be in charge of cyber at the Pentagon and there was a time when we actually talked to the Russians and the guy I was talking to was a three-star, he was like the number three ranking guy in the Russian military. He was taunting me, because he said, ``You guys are so dumb; you're building a Cyber Command that doesn't even have information operations and information operations is the way that you take a country down.''

Senator King. And they in fact hacked the Pentagon, they hacked the White House, they hacked the Joint Chief of Staff, they hacked the Democratic National Committee. I mean--I don't believe we're--you're grading on a curve, man. You said it was a B.
I think you're giving us too much credit.

Mr. Rosenbach. It's a B for effort, but that doesn't mean that we can sleep well.

Senator King. Yes. Where I come from, effort doesn't count.

Mr. Rosenbach. No, but it doesn't mean you can sleep well. I mean, the Russians, remember, they're very good, which means they have capability, and they're mean, and they have interests that are directly opposed to the United States, so they have motive. Those are the two things you look at.

Senator King. Mr. Condos, welcome from Vermont. We in Maine think of Vermont as the West Coast of New England. We're glad to have you here. I understand that in Senator Lankford's bill originally there was a red team provision--you heard me describe that--that would have had a hacking team at DHS or somewhere practice; and that the states furiously opposed this and that it was dropped out. Is that true?

Mr. Condos. I am not aware of it being--I can't answer that. I don't know if that was true or not.

Senator King. Do you think it would be a good idea?

Mr. Condos. I think many of the states, if not all of the states, are going through penetration testing already, which is I think the same thing as what you're talking about, is professional folks who try to hack into your systems. We're already doing it. We've done it already in Vermont and we are continuing to do it as we go.

Senator King. Well, I just hope it's being done at the highest possible level, because I understand there was a so-called Hackathon last summer where every State or every State that they tried, they managed to penetrate. The results were devastating. So, I just hope that this is something that's really been taken seriously. I just worry. I have to say, I just have to worry that there's an overconfidence here in terms of the sophistication of our adversaries.

Mr. Condos. If there was a hack last year that hit 50 states, the 50 states don't know about it.

Senator King. I don't know about 50 states. It was a number of states.
I don't know if it was 50 states. Also, you mentioned that you thought one of the strengths--and frankly, I thought this, too--of our system was that it was so decentralized. Do you know how many election system vendors there are, anybody?

Mr. Condos. I do not know how many vendors there are.

Senator King. Does anybody know? [No response.] My sense is that there are not very many, and that they're getting fewer, fewer and fewer all the time. Anybody know how many election systems have foreign owners? [No response.] No?

Ms. Manfra. Sir, I don't have it with me, but we can get back to you.

Senator King. Could you get that for us, yes?

Ms. Manfra. Yes, sir.

Senator King. That's just what I was going to ask you. If you could----

Ms. Manfra. Yes, sir.

Senator King [continuing]. Give us a report on how many vendors there are and what the ownership structure of those vendors are. I think a point that's been made that ought to be reiterated: They don't have to change votes to win; they just have to sow lack of confidence, and people lose confidence in the electoral system, they lose confidence in the democratic process. We haven't talked too much about registration lists or election night reporting. What if they hack into that system and the election night reporting turns out to be all wrong the next morning? That would be rather chaotic. So I think that's something. I understand the issues of transparency, but I think we have to understand that they don't have to actually get in and change votes in order to achieve the result that they're seeking. Mr. Rosenbach, do you agree with that?

Mr. Rosenbach. Yes sir. I was just going to say they've done that. They did that in Ukraine. They hacked the web page used to publicly announce the final vote, used misinformation, and Ukraine was left in chaos for days afterwards trying to figure out who won. So we need to look at that playbook. They will do it to us.

Senator King.
So it could be--we're not necessarily talking about voting machines not connected to the internet. How about the lines from the Associated Press to CNN, because it may be that that may be a place where there could be mischief.

Ms. Manfra. Yes sir. And I know we've focused mostly on voting machines, but that is not our exclusive focus. We're concerned about the entire process, as Secretary Nielsen outlined, everything from registering to the final certification of the vote. And as former Secretary Johnson talked about, the Associated Press engagement. We remain focused and thinking about if an adversary is trying to undermine confidence, what are the ways to do that? We've published best practices on voter registration systems. We've worked with states on everything from voting machines to election management systems, which can include tallying, how we secure the secretary of state website, how we think about unofficial election night reporting, how we think about crisis communications, if there is misinformation on the day of an election or immediately following. So we are trying to take a very holistic approach and not just thinking about voting machines. In fact, using this risk based approach to it and thinking about the difficulty in actually trying to manipulate a vote itself is why we prioritize engagement on those systems that are connected to the internet, like voter databases and others, that could cause that misinformation issue.

Senator King. Thank you. I know I'm out of time, but, Mr. Rosenbach, yes or no: Do you agree with the contention that we, this country, aside from all of these defensive measures, needs to develop a cyber deterrence strategy in order so that our adversaries know that there'll be a price to be paid for these kinds of incursions?

Mr. Rosenbach. Yes sir. I could not agree more strongly at all.

Senator King. Thank you. Thank you, Mr. Chairman.

Chairman Burr. Senator Collins.

Senator Collins. Thank you Mr. Chairman.
Secretary Manfra, Senator Heinrich and I wrote a letter to the Department asking specifically whether or not you needed new statutory authority or funding in order to help State election agencies and ensure the integrity of our elections systems and the voting process. I personally am surprised that the Department has not been more proactive in that area in submitting requests to the Congress. What is your answer to that question? Does DHS need additional authorities or additional funding in order to assist states and ensure the integrity of our voting systems?

Ms. Manfra. Yes, ma'am; thank you for the question. On the authorities piece, we have the authorities we need right now to do our job. Thanks to the work of this committee and the Homeland Committees, frankly, over the last few years, we have very broad authorities that we can apply. We're continuing to build the capacity and the capability to fully execute those authorities. We have reprogrammed money. We have reprioritized money. That does mean that we have had to lower the prioritization of other entities receiving our services, whether those were Federal or other critical infrastructure, but we felt it was appropriate for the risk. We have spoken with appropriators and others to ensure that we do have the resources that we need to continue to prioritize elections in addition to our other missions.

Senator Collins. Well, you certainly need to prioritize elections, but you also have to be cognizant of other critical infrastructure such as the power grid and natural gas pipelines. So more specifically, are you going to and have you requested additional funding to ensure the integrity of our elections?

Ms. Manfra. Yes, ma'am, we have spoken to the appropriators and requested additional.

Senator Collins. And how much additional funding have you requested?

Ms. Manfra. Approximately $25 million.

Senator Collins. Well, I would note, Mr.
Chairman, that I believe the bills that many of us have co-sponsored called for far more funding than that, like $386 million; and I know you've worked hard to get it into the omnibus bill. Secretary Condos, I apologize for being out for part of your testimony and much of the Q and A due to another commitment that I have. It's my understanding that, at least until recently, you've been pretty disappointed with the level of communication between the Department and your office. I'm curious whether you're one of those lucky 21 of the 150 State election officials who has received a security clearance.

Mr. Condos. First, let me say yes, I have received my clearance, so I'm fully cleared at this point. Secondly, I will say that I'm not sure that that's being lucky or not.

Senator Collins. I was being facetious actually. [Laughter.]

Mr. Condos. But I think that the communication levels between the states and Department of Homeland Security have improved greatly, specifically in the last six months, and I think we're on the same page and we're working to secure our election systems.

Senator Collins. Finally, let me ask you: State election officials have expressed apprehension about the risk that being too public about the threat that we face might provoke exactly the impression that they're endeavoring to dispel, that is, that the Nation's voting systems are insecure and subject to compromise, and thus may help the Russians and other foreign adversaries achieve their goals. I would note, to counter that, that when the French and the Germans made very public what the Russians were trying to do in their elections, it had a beneficial impact on the public, and the public was much more wary of fake news stories or other issues. In your view, how do we strike the right balance for public communications concerning threats to our election infrastructure?

Mr. Condos.
As far as the threats themselves, I think that we should be communicating with the public to let them know what's going on. I will say that in our State we are right now preparing for an early April cyber summit that we're going to do in Vermont for the media, for the public, for our legislature, so that they are fully aware of what is going on and where we are going and how we are set up to fend off in the attacks. I think it's also very important to know that the bad actors that tried to hack us yesterday are going to try a different way today and they're going to be different tomorrow. They evolve probably--not probably. They evolve far quicker than any government can set up. So what you need to do is make sure that you have the protocols in place, that you have the processes in place, and that you have the defenses in place, in hopes to be able to fend those off. No computer, no computer, is safe from a hack. Every computer can be hacked if it's out there. What you want to do is make sure you have the proper defenses in place.

Senator Collins. Thank you. Mr. Chairman, thank you, and Vice Chairman, for this excellent hearing. My final message to DHS is again to stress the urgency. Everyone seems focused on the November hearings. We're having elections right now. We're having the by-elections, we're having special elections, we're having primaries coming up now. We can't wait. We can't just be focused on November. Thank you Mr. Chairman.

Chairman Burr. Thank you Senator Collins. We have exhausted the questions. I'm going to turn to the Vice Chairman briefly.

Vice Chairman Warner. I want to first of all thank the panel. I want to echo what Senator Collins has said, but I do think, echoing what Eric has said, there's been some progress. At least there is a recognition of how significant it is.
I think in the omnibus, because of the work frankly that has been done by members on this committee, that some of the resources that our State partners are looking for will be there. We're going to want to see regular milestones on how we move forward on that. I want to echo what Senator King has said. We've spent a lot of time in closed sessions on this, and that is the need for our country to have an articulated cyber doctrine. I think that's going to raise a lot of tough questions. I think it's going to raise questions about where does the responsibility lie to report and how far down does it go. It may raise questions around the whole question of software liability, which has been an area that has been not talked about for years. But in this new realm with the level of vulnerabilities we have, it may have to be explored.

Again, I know I gave Secretary Manfra some challenging times last year, but this question, not just with election security, but across the government, of the slowness of getting security clearances. We had a good hearing on this again yesterday. We had a public hearing a couple of weeks back. This just has to be a higher priority. We're 700,000 in arrears. We've got only a few of the election security officials. I would argue, frankly, we need Fortune 1,000 chief security officers to have security clearances as well. So a lot of work to be done.

I do want to just close before I turn it back to the Chairman, though, and not all of the members are here, but thank all of those members particularly from both parties who have worked so diligently on putting together a legislative effort that I'm proud to co-sponsor, that I think shows the kind of commitment of this committee to not only investigate looking backwards, but to also try to lay out some solution sets going forward.
I would point out again, yesterday at the press conference we had on this we had virtually every member of the committee attending, and that's a credit to the good work of a lot of folks on this committee. With that, thank you Mr. Chairman.

Chairman Burr. I thank the Vice Chairman and, more importantly, I thank this panel. You have provided us some great insight, not just today, but on an ongoing basis, and we're grateful for that. I will note at this time that the Lankford-Harris legislation is not legislation from this committee, but it is important legislation. And there's others out there, and Senator Blunt and probably Government Oversight will jurisdictionally have pieces of it. I have joined Senator Warner in co-sponsoring the legislation now that we've finished this portion of our investigation.

I want to thank each of you for being here. In 2016, states faced a threat they never expected to confront: a hostile nation seeking to invade networks essential to the functioning of our democracy. While our collective insight is still limited and based in large part on states' self-reporting when they saw a problem, the committee has found that the actual damage was limited. No votes were changed and only one State reported an actual penetration of voter registration database. Still, given the capabilities and the intent of Russia and other potential cyber adversaries, the lack of resources available to most states, the committee remains concerned about potential future attacks. States should not be asked to stand alone against a nation.

We heard today from DHS how they learned, course-corrected, and have become a true partner with the states. We commend you for that. DHS needs to continue to rise to the challenge, with more resources if needed; and they need to tailor their assistance to where the State needs are. We've heard from NASS and NASED how the states feel about suddenly being in the cross-hairs of a hostile foreign power.
We've also heard what states need to do to secure their election systems. Our witnesses lined up today made clear the strength of decentralized vibrant election systems at the State and local level, paired with capability and resources at the Federal level. However, we also need to have in place a solid deterrent, a deterrent to activities like this in the future. Any hostile power who seeks to undermine the fundamental structures of our democracy should be prepared to pay a hefty price.

The close of this hearing concludes chapter one of our committee's investigation. I believe we've shown through our work today and over the past year that these issues go beyond party politics. We may disagree on some things, but we all agree on this committee that we must take steps to ensure elections are secure. We've investigated and uncovered the full scope of a sobering threat. We now hand this over to the Rules and the Government Affairs Committee to consider legislative approaches within their jurisdiction.

I'd also like to take a moment to thank the committee staff for their work. The staff involved in this effort has worked tirelessly with few days off over the last 14 months in a politically charged and demanding environment. They are talented, they are professionals, and they are focused, and they have done outstanding work for the committee and, more importantly, for the American people. While their names won't be on the report and probably and hopefully will never be released publicly, they should know just how much we appreciate their hard work and how beneficial this has been to states, localities, and to the American people.

Once again, thank you for your testimony today. This hearing is adjourned.

[Whereupon, at 12:37 p.m., the hearing was adjourned.]