►
From YouTube: Cybersecurity for Elections: State Policy Options
Description
Learn about legislative options to secure elections, from voter registration through voting itself and on to election results reporting. Hear from legislators and experts who have delved deeply into cybersecurity as it applies to elections.
B
You
senator
I'm,
not
sure
you
told
who
you
were
so
I'm
gonna
tell
who
you
are.
This
is
Senator
Daniel,
Ivy
Soto
from
New
Mexico,
and
he
just
told
me
that
the
Russians
aren't
trying
to
get
into
New
Mexico
systems
because
they're
not
part
of
the
United
States.
So
no
well
we'll
see.
Oh
he's
a
better
joke.
Teller
than
I
am
I.
Should
let
him
do
the
jokes?
Okay,
a
couple
of
things
for
you.
The
first
is
that
I
have
asked
for
the
temperature
to
be
increased
in
this
room.
So
now
that's
always
dangerous.
B
You
might
get
what
you
wish
for,
and
maybe
it's
gonna
get
too
hot
in
this
room,
we'll
see
what
happens
on
that.
I
do
have
a
few
little
housekeeping
kinds
of
things,
the
first
of
which
is
that
I
would
like
to
introduce
my
NCSL
colleagues
Dylan.
Would
you
raise
your
hand
Patrick?
Would
you
stand
up
and
raise
your
hand,
and
we
have
christie's
I'ma
Ripa
back
at
the
office?
So
there
are
four
of
us
right
now
who
work
on
elections
and
redistricting
topics,
and
any
of
us
are
happy
to
help
you
at
any
point.
B
We
see
our
job
as
supporting
the
work
of
legislators
and
legislative
staff.
So
if
we
don't
get
questions
from
you,
if
we
don't
get
assignments
from
you,
we
sometimes
make
it
up
as
we
go
along,
and
we
want
to
be
sure
that
we're
serving
your
needs
so
by
all
means
check
in
with
any
of
us
another
little
piece
around.
B
However,
my
appetite
knows
no
bounds,
so
if
any
of
you
have
funders
that
you
who
are
interested
in
these
topics
by
all
means,
let's
have
a
conversation
at
5:30
right
here
in
this
room
about
funding.
Okay.
So
why
are
we
doing
a
very
long
session
on
election
security?
It's
because
for
those
of
us
who
are
up
here
on
the
panel,
it's
a
fun
topic.
How
many
of
you
in
the
audience
also
see
this
as
a
fun
topic?
B
Some?
Yes,
some
no
well
we'll
see
if
we
can
make
it
at
least
somewhat
fun
for
you,
you
know
it.
We
really
have
given
more
time
to
this
topic
than
any
other
one
here
at
MC
s,
l's
elections
and
redistricting
track,
because
we
think
it
is
so
important
and
so
we're
going
to
see
what
we,
what
we
can
learn
out
of
this
I
will
tell
you,
though,
that
this
isn't
like
the
end
of
the
year.
For
us,
we
have
three
regional
meetings
on
election
security
coming
up
in
the
next
few
months.
B
One
is
for
Mid
America
States
one
is
for
Great
Lakes
states
and
one
is
for
southern
states.
So
if
you
think
that
you
represent
a
state
that
could
fit
into
any
of
those
three
categories
by
all
means,
holler
and
we'll,
let
you
know
what
we're
doing
on
that
front
and
if
you're
from
a
state
that
doesn't
fit
any
of
those
categories
still
holler.
Sometimes
we
can
just
have
a
visitor
from
the
other
regions
at
these
kinds
of
meetings,
okay,
so
election
security.
Why
is
it
important
or
how
do
we
know
that
it's
important?
B
B
Despite
Trump's
assurances
states
struggle
to
protect
2020
election,
we
I
don't
know
what
2018
was
going
to
happen,
but
2020
was
what
was
mentioned
and
Kristin
Nielsen
told
state
election
officials,
US
elections
couldn't
be
shaken
by
cyber
attacks
and
foreign
meddling
must
be
taken
seriously.
That's
from
The,
Wall,
Street,
Journal
and
I
think
we
can
all
take
it
seriously
and
have
some
fun
with
it
and
are
the
2018
midterms
under
continuing
threat
of
foreign
meddling.
So
I
want
everyone
to
be
able
to
answer
that
question
on
the
panel
all
right.
B
So,
in
addition
to
all
of
those
things,
we
do
know
that
something
like
twenty
one
or
maybe
it
was
18
or
maybe
it
was
fifty
states
had
their
voter
registration
systems
tapped
by
bad
actors
by
potential
intruders
in
the
2016
timeframe.
It's
not
clear
whether
that's
continuing
to
happen
and
where
that
number
doesn't
much
matter,
whether
there's
18
or
21
or
50.
It's
a
concern
for
the
states
and
then
when
the
feds
saw
that
this
was
a
problem,
there
has
been
a
lot
of
action
in
the
last
two
years.
B
One
piece
was
for
the
Department
of
Homeland
Security
to
identify
election
infrastructure
as
critical
infrastructure,
which
gives
it
a
certain
set
of
priorities
and
the
federal
mandate
and
then
also
just
recently,
Congress
provided
380
million
dollars
to
the
states
for
cybersecurity
options,
each
state
to
choose
its
own,
and
that
sounds
like
a
whole
lot
of
money,
but
is
that
a
whole
lot
of
money?
Is
that
a
whole
lot
of
money?
B
Okay,
so
I
said
we
have
a
long
session
two
hours
and
15
minutes
together.
I
do
promise
to
give
you
a
break
and
it
depends
on
how
quickly
we
talk,
whether
that's
a
10-minute
break
or
a
5-minute
break,
we'll
see
how
things
go
and
the
first
part
we're
going
to
hear
from
some
true
experts
on
this
topic
and
I
just
get
to
sit
back
and
hear
what
they've
got
to
offer
us
and
then
we're
going
to
take
that
little
break
and
then
we're
going
to
come
back
and
you
all
are
gonna
work
at
your
tables.
B
I,
probably
shouldn't
have
told
you
that
some
of
you
might
leave
who
don't
want
to
do
table
work.
No
we're
gonna
switch
it
up
now,
anyway,
after
the
break.
Do
you
expect
to
come
back
and
be
able
to
talk
a
little
bit
about
some
scenarios
that
are
fairly
realistically
based
so
with
that
I'm
going
to
tell
you
quickly
who's
on
our
panel
and
then
I'm
gonna?
Have
you
start
first
Matt,
but.
B
B
B
Advisor
at
the
Department
of
Homeland,
Security,
Matt
Masterson,
so
I'm
gonna
give
a
little
bit
more
about
you
Matt,
but
go
ahead
and
get
up
there
and
get
your
slides
started.
If
you
don't
know
Matt,
he
was
one
of
the
commissioners
at
the
u.s.
election
assistance
Commission
before
and
I
always
referred
to
him.
As
commissioner
Masterson.
That's
tripped
over
your
title.
He's
now
been
scooped
up
by
the
Department
of
Homeland
Security
and
he
continues
in
his
role
of
sharing
what
resources
are
available
from
the
federal
government
with
the
states.
B
C
C
Just
so,
you
know
my
background
before
being
at
Homeland
Security
and
before
being
a
commissioner
at
the
election
assistance
Commission
as
I
worked
in
the
state
of
Ohio
for
the
Secretary
of
State's
office
as
the
CIO
in
the
office,
as
well
as
deputy
elections
directors,
so
I've
worked
in
elections
worked
with
state
and
county
officials
from
my
entire
career
and
they're.
The
best
group
of
public
servants
I've
ever
worked
with,
and
so
it's
an
honor
to
be
up
here
with
secretary
Wyman
and
do
this.
This
is
the
scariest
slide.
I'll
present
to
you
today.
C
Generally
speaking,
when
you
finish
up
a
big
election
like
the
2016
election
and
you
certify
the
results,
you
have
about
a
day
or
two
to
kind
of
take
a
deep
breath,
and
then
you
begin
the
process
of
evaluating.
What
can
we
do
better?
How
do
we
improve?
What
steps
can
we
take
to
improve
the
process
for
our
voters?
2016
was
different.
C
Think
appropriately
so-and-so
election
officials
were
thrust
into
this
environment
where
they
were
preparing
for
the
next
set
of
elections,
while
trying
to
understand
the
threat
and
what
went
on
in
2016
and
what
not.
So
the
conversation
continues
right
immediately
following
in
2016,
there
immediately
presented
with
the
questions
around.
Are
your
systems
hackable?
What
have
you
done
to
secure
the
process
since
the
November
election?
How
what
steps
are
you
taking
to
protect
against
nation-state
actors,
and
the
reality
is
that
state
local
officials
across
this
country
now
have
to
be
prepared
to
answer
those
questions
regardless?
C
If
it
was
their
systems
that
were
targeted
or
not,
all
10
thousand
election
jurisdictions
in
this
country
have
to
be
able
to
the
questions
around
what
steps
they're
taking
to
secure
and
improve
the
resilience
of
the
process.
Part
of
the
story
from
2016.
However,
many
are
familiar
with
the
Illinois
story.
C
Okay,
if
you're
not
get
familiar
in
2016
the
state
of
Illinois
there's
all
publicly
reported
was
targeted
by
nation
state.
Cyber
actors
through
an
SQL
injection,
which
is
a
typical
known
attack,
used
commonly
to
access
data
to
manipulate
or
exfiltrate
data,
and
they
had
voter
registration
records
taken
out
of
their
voter
registration
database.
There's
no
evidence
of
it
being
manipulated
or
changed,
but
the
reality
is
hundreds
of
thousand
or
at
least
a
hundred
thousand
records
were
taken
from
the
state
of
Illinois.
C
You
can
imagine
the
impact
on
the
elections,
community
and
voters,
understanding
and
hearing
the
nation
state
actors
targeted
their
systems,
but
it's
not
just
nation
state
actors
and
I
think
to
understand
the
threat.
So
much
of
the
conversation
focuses
on
nation
states
and
their
the
level
of
sophistication.
The
reality
is
various
groups
of
actors,
whether
they
be
terrorist
groups
or
hacktivists,
or
just
someone
looking
to
cause
mischief
now
view
elections
as
a
as
a
very
prime
target
because
of
the
publicity
and
ability
to
get
or
get
attention
or
cause
or
undermine
confidence
in
the
process.
C
This
is
an
example
from
an
elections
website
where
Isis
simply
hacked
the
website
and
posted
Isis
propaganda
on
there.
You
can
imagine
now
for
election
officials
understanding
what
is
my
plan?
How
do
I
respond
that
if
this
were
to
occur
on
Election
Day,
not
just
how
do
I
get
the
website
back
to
where
it
needs
to
be,
but
how
do
I
communicate
with
the
public
that
the
integrity
of
the
election
remains
intact?
The
reality
is,
this
is
just
their
website
right
and
website
and
website.
C
Defacing
as
Maurice
will
talk
about
is
not
a
complicated
hack
is
not
a
technically
sophisticated
hack
necessarily,
but
can
be
a
really
impactful
hack.
If
your
goal
is
to
undermine
confidence
in
the
process
right
to
have
on
a
state
election
or
County
election
website,
I
love
it
though
Islamic
state
on
Election
Day.
Imagine
the
impact
on
the
voters
and
the
need
to
be
able
to
communicate
and
respond.
How
many
are
familiar
with
Atlanta
anyone
here
from
Georgia
all
right
how
about
ransomware
who's
familiar
with
ransomware
it
really
seriously.
C
If
you
all,
aren't
familiar
with
ransomware
get
there.
Atlanta
is
a
prime
example.
Ransomware
is
when
a
malicious
actor
locks
up
all
your
data
and
says:
if
you
pay
me
a
certain
amount
of
bitcoin
or
whatnot,
we'll
give
you
your
data
back
well
one.
How
do
you
know
they're
gonna,
give
you
your
data
back
and
to
imagine
the
costs
and
for
the
state
error
for
the
city
of
Atlanta.
The
costs
are
very
real,
anywhere
I've,
seen
estimates
anywhere
between
three
five
or
nine
million
dollars.
C
How
many
of
you
have
budgeted
at
the
state
or
how
many
counties
or
cities
have
budgeted
for
a
three
to
nine
million
dollar
impact
on
their
budget?
The
reality
is
cyberattacks
outside
of
just
being
expensive.
As
far
as
public
confidence
are
literally
expensive,
if
you're
not
prepared
to
recover
from
them,
and
so
preparation
is
critical
in
this
I
have
a
good
friend
who
says
if
you
think
a
good
elections
expensive,
you
should
see
a
bad
one
and
that's
that's
the
facts.
C
It's
there's
very
real
dollars
in
play
with
these
types
of
attacks,
as
evidenced
by
an
eye
you
could
insert
major
company
here.
This
has
Equifax
how
many
are
familiar
with
targets
right
all
of
those.
The
reality
is
even
those
who
spend
millions
and
in
some
cases,
billions
of
dollars
to
protect
data
still
have
cyber
incidents,
and
so
this
cannot
just
be
about
investing
in
protection.
C
The
reality
of
states
and
counties
do
not
have
enough
resources,
not
just
money
but
personnel
in
time
to
be
able
to
protect
everything
all
the
time,
and
so
the
ability
to
detect
and
recover
or
build
resilience
is
at
the
very
core
of
what
needs
to
be
done
in
elections.
Now,
the
good
news
is,
as
Secretary
Wyman
will
speak
to
election
officials
are
natural
contingency
planners.
C
They
constantly
ask
themselves
what
could
go
wrong,
how
do
I
prepare
and
mitigate
for
it,
and
then
what
else
could
go
wrong
right
and
so
that
part
of
the
puzzle
is
where
election
officials
are
already
incredibly
mature
prepping
for
that
ability
to
recover
if
I
lost
all
the
data
in
my
voter
registration
database
do
I
have
backups,
are
they
tested?
Are
they
ready
to
be
implemented
and
can
I
keep
the
process
going
and
one
of
the
important
things
to
keep
in
mind
for
elections,
and
what
I
think
makes
it
unique?
C
Is
that
the
most
valuable
resource
is
time?
It's
the
one
thing
election
officials
cannot
get
more
of
once
Election
Day
is
there.
There
is
no
scrubbing
the
launch.
There
is
no.
Can
we
delay
7
to
10
days,
it's
Election,
Day
and
you're
running
the
election,
so
every
day
spent
recovering
from
a
cyber
attack
or
having
to
recover
data
or
get
back
up
in
operational
as
time.
They
cannot
get
back
towards
other
things
in
an
area
where
they're
under
resourced
and
typically
have
a
lack
of
personnel.
C
That's
our
mission,
that's
our
job
to
help
identify
risks
and
help
election
officials
manage
those
risks.
Who
are
these
actors?
Who
could
be
targeting
the
system?
Well,
as
I
mentioned
before,
it
could
be
anything
from
nation-states
to
criminals,
to
insiders
to
politically
motivated
groups
that
the
reality
is.
Elections
are
a
target
and
what
we
know
from
2016
is
if
the
goal
is
to
undermine
confidence
in
the
process.
C
Any
jurisdiction
is
a
possible
target
because
you
only
need
to
target
one
or
access
one
to
call
into
doubt
others
right
and
that
puts
all
ten
thousand
election
jurisdictions
in
play.
As
we
look
at
this,
this
is
a
credit
to
the
Belfer
Center
by
the
way,
there's
a
graphic
they
develop
as
part
of
their
defending
digital
democracy
project.
Some
common
attacks
to
be
familiar
with,
particularly
as
we
head
into
the
exercise
spearfishing.
How
many
are
familiar
with
spearfishing
all
right.
C
If
you
run
a
campaign
which
I
suspect
most
of
you
either
do
or
associated
with
you
better
know,
spearfishing,
and
not
only
that,
if
you're
associated
with
a
state
or
an
officeholder,
even
if
you
work
on
their
staff
in
the
governmental
side,
the
reality
is,
you
could
be
a
target
for
spear
fishing
to
try
to
get
to
them.
Actors
use
emails,
highly
tailored
emails
or
other
outreach
in
order
to
get
you
to
click,
a
link
or
open
an
attachment
and
then
get
control
of
your
credentials
in
your
computer
or
your
systems.
Here's
an
example.
C
This
is
just
a
general
one,
but
it
was
actually
targeted,
as
we
did
a
presentation
at
nasse
and
in
one
of
the
secretaries
in
particular,
and
it
was
based
on
15
minutes
worth
of
research
that
our
staff
did
and
the
second,
when
she
read
this
email,
one
immediately
new
is
targeted
towards
her
and
her
face
turned
white.
How
did
they
get
this
information
and
the
reality
is
in
this
environment,
with
campaigns
using
Instagram,
Facebook
Twitter,
whatever
the
case
may
be,
people
know
what
organizations
what
boards
you
sit
on,
what
events
you
attend?
C
What
your
dog's
name
is
what
your
kids
names
are,
and
they
will
use
those
to
target
you.
They
will
use
that
information
to
create
spear,
phishing
emails
and
other
attempts
that
seem
very
tailored
to
you
and
seem
safe
this
quickly.
What
the
elections
environment
looks
like,
and
this
is
I,
think
Wendy
and
I
is
probably
our
favorite
slide.
There's
what
election
officials
do
and
protect
every
single
day.
C
These
are
the
systems
used
to
run
elections,
and,
if
you
take
nothing
else
from
this
understand
that
election
officials
now
operate
in
a
complex,
IT
environment
in
many
counties,
they
run
the
largest
IT
operation
in
that
County.
If
you
count
the
total
number
of
assets
that
they
have
all
the
voting
systems,
all
the
e-poll
books,
all
the
election
night
reporting
and
ballot
on
demand
printers.
It
is
a
large,
complex,
IT
operation,
and
so
when
we
go
work
and
talk
with
election
officials,
we
frequently
talk
about
whether
they
want
it
or
not.
C
They're
complex
IT
system
managers
and
that
has
very
real
implications
for
them.
So
just
to
close
for
all
of
us,
the
challenge
is
to
anticipate
the
next
headline.
The
next
attack
and
I
love
this
slide,
because
it
kind
of
creates
some
that
the
level
of
absurdity
that
election
officials
now
have
to
operate
in
whether
they
were
targeted,
whether
the
attacks
were
aimed
at
them.
C
C
So
the
challenge
for
all
of
us
in
particularly
you
all
state
legislators
as
you
look
at
appropriations
as
you
look
at
bills
and
ways
to
address
the
challenges,
is
to
identify
those
things
that
truly
matter
what
data
systems
IT
infrastructure,
work
with
in
the
election
sphere,
what's
within
the
election
officials,
control
and
where's
that
mesh
point,
because
you
cannot
possibly
appropriate
or
address
through
a
bill
all
of
the
risks
to
all
of
the
cysts
in
elections.
So
what
are
those
priorities?
C
And
how
can
you
power
election
officials
to
manage
those
risks
to
those
systems
all
with
the
goal
of
being
able
to
protect
it
first,
but
then
detect
and
recover
when
an
incident
occurs,
because
the
reality
is
all
of
us
are
going
to
be
impacted,
all
election
officials
are
going
to
be
impacted
by
a
cyber
incident
of
some
sort
of
the
other.
It's
part
of
the
reality
now,
whether
it's
our
vendors,
our
providers,
our
own
election
offices,
our
counties
that
other
counties,
the
state,
IT
infrastructure,
we're
going
to
be
impacted.
C
B
C
C
Are
Brian
and
team
over
there
wave
your
hand
they're
there,
the
government
affairs
folks
at
DHS.
They
are
awesome
and
I,
encourage
you
please
reach
out
to
them.
You
can
also
contact
me
I'll,
make
sure
Wendy
distributes
my
contact
information,
but
you
are
a
critically
important
group
for
us,
a
group
that
we
want
to
engage
with
as
much
as
possible
to
help
you
understand
the
environment
that
election
officials
are
working
in
and
the
needs
of
that
those
election
officials
as
we
work
with
them
to
address
the
risk.
Well.
B
B
In
Washington
is
a
state
where
that's
just
done
quite
a
lot
legislatively
I,
don't
know
what
your
thoughts
are
about.
All
the
many
things
that
got
passed
but
I
would
like
you
to
address
a
couple
of
things,
one
of
which
is,
we
don't
have
a
local
representative
here.
So
if
you
could
just
let
us
know
the
role
they
play
and
then,
secondly,
that
that
the
cybersecurity
that
we
just
heard
about
is
terrifying.
But
is
there
also
some
plain
old,
garden-variety
security?
We.
D
E
D
20
years
the
moment
election
officials
started
putting
out
information
online
at
night
on
election
night
with
results.
We
were
aware
of
the
potential
for
being
hacked,
so
it
is
something
we've
been
doing
in
the
background
for
many
many
years
it
just
became
front
and
center
in
2016,
for
the
media,
legislators
and
and
the
public,
so
I
want
to
walk
kind
of
through
what
we're
doing
in
Washington.
D
To
give
you
an
idea,
and
this
same
activity
is
going
on
in
all
50
states,
so
my
background
is
being
an
election
director
for
the
county,
Thurston
County
in
Washington,
which
is
Olympia
and
then
being
the
county
auditor,
which
is
like
a
County
Clerk
in
most
states.
So
my
background
is
elections
and
I
was
here
during
hava
and
I
was
here
during
the
National
Voter
Registration
Act
for
that
matter,
and
when
I
got
into
office
as
Secretary
of
State.
D
What
I
was
critically
aware
of
was
that
in
2005
our
state
got
a
new
voter
registration
database.
We
got
new
infrastructure
for
our
tabulation
systems
and
all
of
those
things,
and
by
and
large,
most
counties
and
the
state
had
the
same
system
when
I
entered
office
in
2012
and
how
many
of
you
have
a
computer,
that's
more
than
five
years
old
in
your
personal
life.
That's
what
I
thought.
So
we
made
it
a
priority
and
in
2014
we
had
convened
what
we
call
the
tech,
some
and
I
started
the
summer.
D
With
this
very
simple
question,
knowing
what
you
know
today,
would
you
build
the
system
we
have
and
not
a
single
hand
went
up
and
that's
how
I
got-
and
this
is
a
bragging
point
right
now
for
me,
I
got
40
independently
elected
officials
to
agree
on
something
think
about
that.
Think
about
that.
Think
about
that,
and
at
that
time
we
were
trying
to
figure
out
why
we
needed
to
modernize,
and
you
can
see
this
list.
D
There
are
a
whole
lot
of
reasons,
but
for
me
the
most
pressing
was
the
the
architecture
that
we
we
created
in
2004
2005
was
old
and
we
had
built
a
whole
lot
of
layers
of
other
things,
on
top
of
it
from
election
night
reporting
to
tools
that
voters
could
use
to
get
information
and
all
of
these
systems
were
kind
of
operating
independently
and
not
as
efficiently
as
we
would
like.
Plus
in
my
state,
giving
you
some
perspective.
We
have
about
4.2
million
registered
voters
in
Washington
state.
D
We
are
vote-by-mail
much
because
of
hava
and
a
very
close
governor's
race.
We
had
in
2004,
in
fact
the
closest
governor's
race
in
the
country's
history,
and
we
realized
that
vote-by-mail
was
really
the
solution
for
our
state,
because
about
50
percent
of
our
voters
were
voting
permanent
absentee
anyway,
so
we
were
running
two
elections
and
it
just
spread
us
too
thin.
So
those
of
you
in
states
that
have
early
voting
and
absentee
and
pull
site
voting
and
maybe
vote
by
mail.
D
D
Now
one
of
the
things
I
want
to
make
a
real
important
delineation
for
those
of
you
who
may
not
be
totally
familiar
with
elections.
There
are
two
systems
in
the
elections
world.
You
have
those
that
do
voter
registration,
election
management,
getting
balanced
to
the
voters
properly.
All
of
that
in
tabulation,
so
I'm
gonna
spend
most
of
my
time
talking
about
the
voter
registration
side,
but
tabulation
I
am
very
confident
that
the
2016
attempts
to
get
into
voter
systems-
and
he
heard
a
lot
about
that
in
the
media-
that
no
votes
were
changed.
D
Not
only
are
they
air
gapped
you're,
mindful
of
when
you're
doing
election
night,
reporting
that
you're
putting
a
clean
stick
into
the
Machine
and
it
never
goes
back
in
and
that
it's
all
one
way
and
there
are
all
sorts
of
physical
security
and
and
technical
security
that
we
build
into
those
systems,
but
but
I'm
gonna
focus
on
the
voter
registration
side,
because
that
is
where
the
21
states
had
attempts
made.
So
I
also
want
to
paint
for
you
that
the
reality,
since
most
of
you
are
legislators
in
the
room
well
we're
facing
in
Washington
State.
D
We
did
this
tech
summit.
We
have
identified
what
we
want
our
new
system
to
be
we're
literally
starting
to
bring
it
up
now
hope
to
have
it
in
place
by
2019.
Parallel
to
that,
the
Legislature
passed
four
major
election
bells
in
my
state,
I'm,
so
happy.
Could
you
tell
any
one
of
these
would
be
incredibly
actually
five,
if
you
can't
risk
eliminating
on
its
any
one
of
these
simplement
would
be
a
pretty
major
overhaul
of
our
election
system,
whereas
you
can
see
doing
all
of
this
kind
of
simultaneously
between
now
and
2020.
D
We
knew
that
if
we
gave
it
just
to
the
counties
as
grants,
the
money
would
be
pretty
insignificant
for
the
things
that
they
needed
to
do.
They
would
not
be
able
to
leverage
some
money
in
the
way
that
we
did
and
because
we
had
had
this
project
that
we'd
worked
on
for
the
last
four
years.
I
had
a
lot
of
trust
built
up
with
them,
so
they
bought
in
and
basically
we
have
kind
of
four
things
we're
focusing
on
with
the
money.
D
First,
we
are
beefing
up
our
IT
team
in
my
office,
and
it's
not
just
to
make
my
team
better.
My
challenge
is
of
those
39
counties.
I've
got
great
diversity
and
I
would
venture
a
guess.
In
most
of
your
states,
you
have
the
same
problem.
We
have
King
County
with
about
1.5
million
registered
voters.
They
have
a
very
robust
IT
team.
They've
got
a
lot
of
resources.
They've
got
a
lot
of
money
to
Columbia
County,
which
has
fifteen
hundred.
D
You
know
what
I
hope
they
have
an
IT
person
in
their
county,
let
alone
in
their
elections
division.
So
we
realized
that
that
those
the
bottom
you
know
half
of
those
39
counties
probably
needed
a
little
bit
more
help
in
robust
support
than
we
could
give
them
right
now.
So
we're
adding
IT
support,
we're
reinforcing
our
infrastructure
with
stronger
firewalls
and
putting
on
some
sensors
and
monitors
to
help
us
with
reporting
not
only
in
our
state
but
actually
to
share
that
information
through
the
MSI
SEC
with
the
ìiî
SEC.
D
And
these
are
information
sharing
networks
where,
if
one
state
starts
seeing
an
IP
address,
for
example,
that's
doing
something
questionable,
they
can
share
it.
And
now
we
all
know
that.
Maybe
this
is
something
suspect
and
we
can
block
it
and
prevent
it
and
then
finally
doing
testing
and
training
getting
out
to
the
counties
and
doing
tabletop
exercises
and
exactly
what
what
Matt
mentioned.
You
know
really
getting
them
to
start
thinking
about
the
what-ifs,
because
I
think
in
the
in
the
world
of
modern
cybersecurity.
D
It's
no
longer
a
matter
of
when
it's
it's
not
a
matter
of
if
or
when.
It's
they're,
probably
already
in
your
system
right
now.
And
what
are
you
gonna
do
when
you
figure
it
out
and
that's
kind
of
the
shift
in
mindset
that
I
think
most
of
us
have
made.
So
when
this
critical
infrastructure
designation
happened
in
2016,
we
had
actually
had
some
activity
that
we
had
detected
and
knew
was
questionable.
D
We
started
working
with
the
FBI
at
that
time
in
2016
and
it
turned
out
that
it
was
in
fact
Russian
actors
who
were
trying
to
get
into
our
system
and-
and
we
had
a
lot
of
resources
available
to
us
because
of
homeland
security,
and
it
was
really
exciting.
It
was
also
really
scary
because
the
question
that
we
asked
earlier
do
you
think
it's
a
state
responsibility
to
do
elections
or
the
feds
it's
States
and
we're
all
a
little
worried
to
start
partnering
with
the
state
agency
like
Homeland
Security.
D
Are
they
gonna
try
to
take
over
our
role
and
the
good
thing
is
I?
Think
we've
we've
worked
through
our
arranged
marriage
very
well,
and
it
is
an
arranged
marriage
little
bumpy
at
first,
but
we're
doing
much
better
now
and
the
resources
that
I
have
as
Secretary
of
State
are
far
more
robust
than
I
could
have
ever
had
singularly.
We
have.
They
had
some
testing
done
by
a
number
of
different
entities.
We
have
the
msi
sac.
D
We
have
information
that
we're
privy
to
now
that
we
weren't
before,
and
it
just
helps
us
make
better
decisions
and
then
one
of
the
things
that
helped
us
expand,
not
only
the
partnerships
with
the
federal
organizations,
even
with
our
own
state,
so
we've
been
partnering
with
the
Washington
National
Guard
for
years
on.
Our
continuity
of
operations
plans
all
the
what-ifs.
What
if
we
had
a
flood?
What
if
we
had
a
fire?
D
What
if
we
had
an
earthquake,
it's
just
a
natural
partnership
to
do
cybersecurity
and
in
my
state,
I'm,
really
fortunate
to
have
Microsoft
and
Amazon
and
Google,
and
a
lot
of
texts
that
our
National
Guard
people
in
their
off
time,
and
so
they
have
a
really
good
cybersecurity
unit
and
I
would
say
to
all
of
you
in
your
own
States.
That's
something
if
you
have.
If
you
have
the
opportunity
to
work
with
your
election
officials
in
your
state,
let
them
know
that
National
Guard
may
have
those
kind
of
resources
in
your
state
as
well.
D
So
really
you
know
Matt
touched
on.
This
is
the
world
we
live
in
now,
where
we
are
just
in
a
constant
loop
of
trying
to
protect
and
defend
our
systems
and
if
something
is
Detective
detected,
making
sure
that
we
have
some
sort
of
recovery
plan
and
and
then
how
we're
going
to
message
and
have
a
communications
plan.
This
is
probably
the
most
critical
part
of
it,
because
what
we're
seeing
of
these
attacks
and
you've
all
heard
about
the
various
ones
is
your
reputation.
Risk
is
the
biggest
challenge,
and
so
in
the
private
sector.
D
It's
it's
a
reputation
risk
in
our
world.
It's
people
losing
confidence
in
the
elections
process,
and
that
is
all
our
job
is
I
mean
most
of
election
administrators.
That
I
know
got
into
this
because
they
believe
in
democracy
and
they
believe
in
their
role
in
it.
But
at
the
end
of
the
day,
one
cyber
hack
could
change
people's
perception
of
how
strong
and
how
secure
our
system
is.
So
that's
where
we're
spending
all
of
our
time
is
making
sure
all
of
you
so
believe
in
our
process
and
believe
that
those
results
reflect
how
people
voted.
D
So
how
we're
doing
all
of
this
is
multi-layered
but,
like
I,
said
working
closer
with
the
counties
to
do
exercises
and
testing
and
we're
gonna
be
having
going
into
counties
and
having
people
test
them
and
probably
scare
them
to
death.
But
it's
a
good
thing
because
pretty
much
all
the
briefings
that
I've
had
in
the
last
six
months
make
me
not
want
to
have
my
phone
anymore
so
roll
through
all
that
really
fast.
If
I
know
we're
going
to
do
questions
here
shortly,
but
Kim
dot,
Wyman
at
SOS
water
gov.
B
B
D
Okay,
I
I
mean
every
state
is
kind
of
approaching
it
differently,
because
we're
all
so
different
I
mean
one
of
the
strengths
that
our
election
system
has
in
America.
Is
that
it's
very
decentralized?
There
are
7,000
people
like
me
that
are
either
state
officials,
county
officials,
local
government
officials
who
are
in
the
election
space-
and
that's
that's
a
good
thing,
but
it
also
makes
it
really
hard
to
manage
because
we
are
all
different.
D
It's
going
to
bring
our
states
up,
but
this
equipment's
going
to
wear
out
and
we
don't
have
three
billion
dollars
laying
around
in
the
states
and
now
here
we
are.
You
know,
14
years
later,
where
we're
trying
to
figure
out
where
to
find
the
money,
so
I
think
states
are
really
scrambling
trying
to
figure
out
what
that
long-term
solution
is.
Thank.
B
You
very
much
Maurice
I'm,
going
to
turn
to
you.
Next
Maurice
Turner
came
to
one
of
our
security
meetings
and
it
was
a
real
pleasure
to
find
someone
who's,
a
technologist
who
can
walk
and
talk
like
a
white
hat
hacker
I,
don't
think
you've
ever
walked
and
talked
like
a
black
hat.
The
hacker
knows
the
technology
super
super
well
and
also
knows
and
loves
democracy,
and
so
he's
able
to
put
those
together
and
kind
of
translate
from
one
world
to
the
other,
and
that's
something
I
very
much
appreciate
so
share
the
technology
side
of
this.
B
F
All
right,
thank
you.
Everyone
I
appreciate
you
still
being
here
and
being
awake,
and
hopefully
this
will
be
a
little
bit
more
exciting
I'm,
actually
a
little
bit
scarier
than
Matt,
slides,
but
I
think
it'll
be
good
to
get
a
little
bit
more
of
the
technical
side
of
what
we're
talking
about
here.
When
it
comes
to
election
cybersecurity,
I
work
for
the
Center
for
Democracy
and
Technology.
We
put
the
emphasis
in
democracy
this
year,
not
so
much
as
we've
been
emphasizing
technology
in
the
past,
but
really
where
the
two
come
together.
F
My
background
is
both
on
the
technology
side,
but
also
local
government
side.
I
last
sure
I
was
a
fellow
in
the
Senate
and
then
before
that,
I've
also
worked
for
local
government,
as
well
as
technology
companies
and,
most
importantly,
I.
Think
for
this
role
is
that
I've
also
volunteered
for
elections?
F
So,
when
we're
talking
about
risk,
it's
really
just
probability
times
the
impact.
Basically,
how
bad
can
it
be?
If
something
does
happen,
and
the
key
to
remember
is
that
you're
not
going
to
be
able
to
eliminate
risk,
you
can
mitigate
it,
but
it's
just
impossible
and
impractical
to
try
to
eliminate
risk
altogether
and
it's
something
that
we
know
intuitively,
because
we
do
it
every
single
day.
Every
day
we
get
into
our
cars
every
day,
we're
walking
around
the
street.
F
We
know
that
something
bad
can
happen,
but
we
weigh
the
bad
thing
versus
the
the
good
thing
and
we
decide.
Okay,
you
know
what
this
is
probably
safe
enough,
where
the
risk
is
low
enough
for
the
thing
that
I
want
to
do
so
we
have
a
couple
of
options
when
it
comes
to
mitigating
a
risk,
we
can
reduce
the
impact,
so
we're
talking
about
elections
are
really
any
IT
systems.
F
You
can
have
backups,
we
can
shift
the
risk,
so
we
can
partner
with
other
organizations
or
we
can
get
insurance
or
we
can
just
accept
the
risk
know
that
there
it
is
some
things
that
are
totally
out
of
our
control,
but
the
light
third
of
them
have
putting
our
so
low
that
we
shouldn't
be
worrying
about
it
every
day.
Just
have
it
in
the
back
of
our
heads
in
order
to
go
through
this
process,
we
need
to
make
sure
that
we
are
identifying
and
prioritizing
all
of
our
assets.
F
Really
it
comes
down
to
what
is
the
organization
care
about,
and
what's
the
worst
that
can
happen
from
there,
we
can
move
forward
into
continuously
monitoring
and
reassessing
what
can
happen
to
those
assets.
What
the
actual
risk
is
so
really
what's
changed
about
the
threat
and
then
also
what's
changed
about
the
organization's
priorities.
F
So
not
just
doing
a
one-time
observation,
a
one-time
assessment,
we're
really
a
continual
improvement
process,
high-value
assets
now
we're
getting
into
acronym
land,
so
I
think
mat
might
be
a
little
bit
more
familiar
with
it
talk
about
the
the
FIPS
199
and
it
really
breaks
down
into
impact
and
CIA
CIA.
Its
weather
impact
is
going
to
be
categorization,
so
really
how
bad
can
that
impact
be?
Are
we
talking
about
a
low
impact,
a
moderate
impact
or
a
high
impact
again
going
back
to
in
your
day
to
day
lives?
F
If
you
lose
your
your
pencil,
that's
a
relatively
low
impact,
it
might
be
an
inconvenience
you
can
lose.
Your
house
keys,
probably
a
bit
of
a
higher
impact,
so
think
about
it
in
sort
of
these
normal
terms
of
what
the
impact
can
actually
be,
and
that
might
help
prioritize
how
you
might
want
to
defend
the
assets.
F
F
Lastly,
there
are
just
going
to
be
some
intangible
assets
that
you
won't
be
able
to
categorize
in
a
traditional
sense
and
in
this
case
we're
talking
about
voter
confidence.
It
is
an
absolute
asset
that
we
all
need
to
recognize,
but
it's
one.
That's
did
the
call
to
measure
until
we
know
that
there's
something
very
wrong
with
it.
F
It's
really
simple
to
break
that
down
to
are
we
talking
about
data
or
you're
talking
about
communication,
the
way
that
attackers
are
going
to
be
looking
to
actually
harm
these
systems
would
be
through
phishing
as
Matt
mentioned
ransomware,
so
that
would
be
an
attack
on
the
data
and
the
communication
theft,
so
stealing
that
that
data
and
then
also
confusion,
and
that
goes
more
toward
a
communication
style
attack
where
you
may
not
have
any
data.
It's
changed.
F
There
may
not
be
any
votes
that
are
changed,
but
the
mere
fact
of,
let's
say
a
website
being
defaced
or
there
being
some
misinformation
out.
There
might
be
enough
to
cause
confusion
and
then
again
have
that
negative
impact
on
voter
confidence,
something
that
we've
been
hearing
going
back
and
forth
ever
since
2016
is,
did
the
Russians
actually
interfere
with
our
elections
right?
F
It's
been
a
pretty
good
distraction
and
what
I'd
say
is
that
fixing
fixating
on
one
attacker
is
actually
a
vulnerability
in
itself.
Attackers
can
come
from
everywhere.
It
can
be
a
nation-state,
it
can
be
a
terrorist,
it
can
be
an
activist.
It
can
be
a
criminal
organization
interested
in
changing
the
outcome,
and
it
really
could
just
be
a
lucky
hacker.
There
are
plenty
of
examples
out
there
and
I'll
give
you
one.
F
So
a
hacker
can
do
some
research
and
find
out
there's
a
particular
vulnerability
in
a
device.
Let's
say
it's
just
a
wireless
router.
The
hacker
would
know
that
that
wireless
router
has
a
default
name
and
default
password
and
then
go
through
and
scan
millions
of
machines
all
across
the
internet
and
if
they
find
one
they
might
just
decide
to
go
ahead
and
break
into
it.
Now
the
difference
is
they're,
not
necessarily
targeting
anyone
in
particular
they're,
not
necessarily
targeting
any
type
of
data,
in
particular
they're,
just
targeting
a
known
vulnerability
in
known
equipment.
F
Well,
this
actually
happened
and
it
turned
out
that
the
router
that
was
hacked
into
was
actually
on
a
military
base
and
it
turned
out
that
hacker
was
able
to
get
into
the
router,
find
the
way
around
through
different
machines
on
the
network
and
steal
repair
manuals
for
drones
for
tanks
right
I
guarantee
you,
the
hacker,
wasn't
looking
for
the
information.
Why?
F
That
means
that
needs
to
happen
internally
and
externally,
as
Secretary
of
State
said.
Having
a
plan
in
place
for
continuity
of
operations
is
critically
important
for
elections.
Other
agencies
in
the
state,
other
departments
in
the
county
do
it.
So
it's
not
like
there
needs
to
be
any
sort
of
reinvention
of
the
wheel.
It
says
being
involved
in
the
conversation
communicating
that
elections,
yes,
are
in
fact
critical
infrastructure
and
hopping
on
board
those
existing
plans
and
then
tweaking
it
to
make
sure
that
elections
are
proprietary.
F
So
many
audits,
those
are
a
cost
effective
assurance.
We're
not
talking
about
the
mandatory
minimum
recounts,
we're
talking
about
having
an
audit
happen
after
every
single
election
to
help
build
confidence
in
the
system
that
is
already
in
place
and
then
making
sure
that
that
can
roll
over
and
through
continuous
improvement
improve
for
the
next
elections.
It
also
acts
as
an
effective
deterrent.
If
someone
knows
that
there
is
going
to
be
an
audit
of
every
single
election,
they're
less
likely
to
actually
try
to
manipulate
the
election.
F
However,
if
there's
only
a
mandatory
minimum
recount
of
certain
elections,
they
may
decide
to
target
other
elections
that
don't
seem
to
be
that
close
and
make
that
margin
of
victory
just
large
enough
to
help
avoid
that
manual.
Recount
and
I'll
leave
you
with
this
point
on
when
we're
talking
about
communication
vocabulary.
Matters
now,
I'll
challenge
everyone
in
the
room
to
spread
the
word
about
using
the
term
meddling
meddling
sounds
innocent.
F
It
sounds
as
if
we're
not
really
taking
this
as
seriously
as
it
needs
to
be
taken,
so
let's
really
get
down
into
what
it
was
interference,
manipulation,
let's
use
words
that
are
serious
about
the
issue,
to
help
communicate
why
we
should
all
be
paying
attention
to
the
level
that
we
are
I'll.
Also
challenge
you
to
think
critically
about
using
the
term
hack.
When
we
hear
the
word
hack,
we
automatically
think
that
something
was
broken.
Our
imaginations
can
go
wild.
Why?
F
Because
we
don't
have
the
level
of
detail
that
we
need
to
in
order
to
have
the
conversation
so
think
about
whether
or
not
when
you
hear
the
term
hack,
the
person
reporting
it
actually
meant
scan
or
breach
or
denial
of
service
leveraging.
Social
media
is
a
powerful
tool
that
all
officials
can
use
when
we're
talking
about
fake
news
and
again
I'll
go
back
to
challenging
you
again
on
why
words
matter.
Let's
see
if
we
can
be
a
little
bit
more
nuanced
about
fake
news.
I
think
at
this
point
we're
all
probably
tired
of
it.
F
So,
let's
break
it
down
into
these
components.
We
can
talk
about
disinformation,
misinformation
and
mal
information.
They
all
have
a
different
spin
on
what
news,
what
information
is
actually
used,
whether
it's
true
or
false,
and
whether
or
not
the
intent
was
to
harm
or
not
to
harm.
So,
let's
make
sure
that
we're
using
the
right
words
so
that
we
can
have
a
serious
conversation
about
what's
going
on
and
that
the
people
involved
in
the
conversation
have
an
understanding
fortifying
local
defenses.
This
is
a
chart
of
the
top
20
most
effective
data
security.
F
Steps
see
is
the
Center
for
Internet
Security
put
this
together.
They
will
even
say
just
start
with
the
top
5.
If
you
can
do
the
top
5
you're
off
to
a
really
good
start.
I
will
say
this
for
the
legislators
in
the
room
focus
on
these
three
as
a
way
to
have
a
conversation
with
local
election
officials.
One
ask
them:
did
you
contact
Homeland
Security
two
are
implementing
two-factor
authentication
for
your
passwords
and
three?
F
Are
you
testing
your
backups
each
one
of
those
questions
would
involve
a
layer
approach
to
make
sure
that
the
right
answer
is
being
presented
contacting.
Homeland
security
is
important
because
the
homeland
security
has
an
absolute
spectacular
catalog
of
services
that
are
available.
They
also
have
another
list
of
resources
that
are
available
for
local
election
officials,
number
two
two-factor
authentication.
That
implies
having
passwords
and
some
other
manner
of
authentication
to
make
sure
that
phishing
attacks
are
less
successful
and
three
testing
backups.
F
This
is
a
stage
where
you
will
where
organizations
are
at
if
they
know
that
there
is
something
wrong
and
they
need
to
address,
but
they're
not
technically
competent
to
address
it
yet
I
call
it
the
danger
zone.
What
we
want
to
do
is
keep
moving
down
the
timeline
and
increasing
performance
so
that
a
culture
of
security
is
in
fact
in
place.
F
We're
not
going
for
just
compliance,
but
we
want
everyone
involved
to
be
thinking
about
security
as
part
of
their
daily
functions
again:
security
as
part
of
their
daily
functions
every
day
when
people
are
walking
in
the
room,
especially
around
security
around
elections.
People
ought
to
be
thinking
about
how
am
I
making
sure
that
the
job
that
I'm
doing
also
involves
security
thinking
outside
of
the
box.
This
is
where
I
want
you
to
come
in
with
an
open
mind.
F
As
the
Secretary
of
State
mentioned,
the
National
Guard
has
worked
well
with
election
officials
in
her
state,
so
think
about
how
technical
volunteers
can
be
identified
and
cultivated
within
local
communities
to
assist
election
officials.
Election
officials
already
do
a
fantastic
job
of
identifying
and
vetting
volunteers
to
work.
It
takes
a
small
army
of
volunteers
to
supplement
election
staff
to
pull
off
an
election.
F
How
can
we
get
folks
who
have
a
stronger
background
in
IT,
or
maybe
some
other
technical
skills
involved
in
elections,
so
they
can
be
of
assistance
on
the
technical
side,
there
are
already
resources
in
communities.
There
are
schools,
trade
organizations,
local
businesses,
if
you're
lucky,
maybe
some
bigger
businesses
that
have
folks.
With
that
technical
background
that
may
be
interested
in
helping
now.
This
is
one
that
might
be
giving
in
to
a
little
bit
of
trouble.
F
F
Local
government
does
not
state
government
does,
but
when
you're
talking
about
ten
thousand
jurisdictions,
there
is
no
way
that
there
can
be
procurement
experts
in
each
of
those
jurisdictions
and
we've
already
seen
there
is
a
wide
range
of
of
contracts
that
are
in
place
and
depending
on
the
size
of
the
jurisdiction
there
be
mayor,
there
may
be
more
or
less
leverage
that
those
jurisdictions
have
when
it
comes
to
actually
entering
into
those
contracts.
I
believe
that
states
are
in
the
perfect
position
to
partner
with
systems
integrators
to
meet
local
needs
according
to
local
laws.
F
It's
not
that
the
states
will
be
left
out
of
the
security
conversation.
It's
just
that
the
federal
government
would
take
a
larger
role
in
the
development
and
the
monitoring
of
security,
and
this
includes
the
full
DHS,
continuous
diagnostics
and
mitigation
systems
and
longer-term
budgeting.
This
is
infrastructure,
we're
not
talking
about
one
offs
where
we're
waiting
every
decade
or
so
to
get
a
large
infusion
of
cash
that
eventually
leads
to
a
deteriorated
system,
that's
in
place
at
the
local
and
state
level.
F
This
needs
to
be
a
life
cycle
approach
where
there
is
longer
term
planning
and
I
think
that
the
federal
government
taking
a
larger
role
in
the
development
and
procurement
process
could
lead
to
more
stable
planning.
So
that
way,
states
can
budget
appropriately
to
make
sure
that
we're
not
waiting
until
failure
to
replace
systems.
F
You
wouldn't
want
to
drive
your
vehicle
until
it
absolutely
broke
down
repeatedly
and
repeatedly
and
repeatedly.
You
want
to
make
sure
that
you're
planning
ahead
of
time
so
that
these
systems
are
performing
as
well
as
they
can
for
as
long
as
they
can.
You
know,
there's
a
planned
replacement
here
are
some
resources
that
are
available
from
CDT
we're
developing
field
guides
and
we
also
have
online
courses.
B
Thank
you
very
much.
Maurice
I
have
about
ten
questions,
but
I'm
not
going
to
ask
them
because
I
think
people
in
the
audience
might
have
questions
too.
So
we'll
and
we'll
hold
the
questions.
What
I'd
like
to
do
now
is
ask
senator
Stern
to
come
up,
and
he
in
a
sense,
is
representing
you
all,
because
he
is
an
elected
official,
a
legislator
and
in
fact,
in
your
case,
the
chair
of
the
Elections
Committee
in
in
the
California
Senate.
So
what
have
you
heard
today
that
you
can
reflect
on
from
the
California
perspective?
E
Well,
thank
you.
We
actually,
we
we
had
a
hearing
a
couple
months
back
joint,
a
joint
hearing,
bicameral,
hearing,
sort
of
kicking
the
tires
on
our
election
system.
Looking
ahead
at
this
2018
cycle
and
mr.
Masterson
senior
advisor
here
was
lucky
that
we
were
lucky
enough
to
have
him
come
out
and
it
really
does
help
to
have
a
DHS.
That's
engaged
and
sort
of
pushing
for
standards
and
practices
that
are
going
to
lift
lift
the
bar
because
we're
all
we
sort
of
all
rise
and
fall
together.
E
But
both
counties
take
this
incredibly
seriously
and
are
trying
sort
of
on
their
local
basis
to
get
the
infrastructure
in
place
to
to
manage
the
risk
out
there
and
to
instill
confidence
in
in
their
voters
in
part
of
our
challenge,
and
the
legislature
has
been
to
find
those
bipartisan
opportunities
where
we
can
really
move
dollars
and
move
issues
forward.
And
this
seems
like
such
an
obvious
one
I
mean
that
so
we
were
able
to
achieve
bipartisan
consensus
and
establish
an
office
of
election
cybersecurity
this
year
with
ongoing
funding
in
the
budget.
Granted.
E
Not
it's
not
a
ton
of
money,
but
it's
enough
to
start
building
a
culture
in
the
Secretary
of
State's
office.
That
says
we
want
top
talent
coming
into
the
state
architecture,
to
assist
the
counties
and
administering
this
and
to
really
you
know
in
in
house
some
of
that,
and
there
was
on
both
sides
of
the
aisle.
There
was
pretty
strong
consensus.
E
Our
budget
was
doing
pretty
well
this
year,
though
so
money
money's
a
factor
and
a
lot
of
you
know,
I
heard
it
from
secretary
Wyman
and
I
know:
I
mean
the
Hava
money
is
so
critical,
so
we're
grateful
to
Congress
for
moving
that
and
we're
certainly
gonna
put
it
to
work.
But
who
are
you
the
one
who
said
I'm,
not
gonna,
I'm,
not
going
to
say
what
you
said.
What
was
it
like
paying
for
the
at
the
wedding.
E
Grateful
for
whatever
we
can
get
but
independently
the
states
put
over
250
million
dollars
in
this
last
budget
cycle.
Just
to
give
you
sort
of
sense
of
scale
of
what
California
is
investing
and
that
has
to
do
with
upgrading
equipment
helping
some
of
these
counties
get
going,
but
we're
in
a
different
paradigm
too,
in
California
a
little
bit,
because
we
rely
so
heavily
now
on
vote-by-mail,
it's
incredibly
popular
among
our
constituents
and
spent
you
know,
seniors
love
it
working
families
love
it.
E
We
have
about
2/3
of
our
of
our
votes
that
came
in
through
this
2018
primary
were
on
a
vote-by-mail
basis,
which
is
a
very
different
animal
to
than
that
super
high-stakes
game
day
election
process
and
we've
we've
learned
from
Colorado
in
that
regard.
We're
we're
we're
moving
towards
that
vote
center
ten
day
grace
period
to
take
the
pressure
that
that
time,
pressure
off
of
our
local
elections,
officials
to
some
extent.
So
it's
it's
less
of
a
zero-sum
game
and
there's
more
room
to
solve
problems
as
they
come
up.
E
So
that's
been
big
for
us
and
you
know,
but
we've
moved
is
limiting
audits
through
our
committee
this
year.
It's
not
through
the
house,
but
that
that's
something
we're
pushing
right
now
in
the
legislature,
so
we're
not
perfect
on
that
front.
Yet,
as
I
said,
we
got
this
ongoing
cybersecurity
funding
and
we're
looking.
You
know
we're
looking
at
further
ways
to
tighten
up
we've
sort
of
been
doing
our
own
tyre
kicking.
E
We
that's
the
biggest
fear
of
all
is
that
people
actually
stop
doubting
that
their
vote
counts
and
that
can
corrode
the
entire
institution
of
all
the
houses
we
live
in.
So
yeah
I
think
we're
in
pretty
good
shape
after
this
budget
cycle.
But
you
know
it's
California's.
We
don't
want
to
be
exceptional
in
this
case.
We
don't
want
to
be
this
sort
of.
You
know,
there's
Western
exception.
Oh
you,
folks
in
California
I
mean
I.
I
can't
emphasize
enough
how
the
especially
in
the
non
elected
counties
right
where
the
registrar's
are
appointed.
E
There's
just
we've
been
able
to
take
some
of
the
politics
out
of
that,
and
it's
really
been
helpful
and
we've
had
some
really
good
Republican
partners
in
the
State
House
to
we're
just
taking
that
piece
out
of
the
puzzle.
If
you
can
leave
just
so
much
space
to
just
go,
do
work
cuz.
The
fact
is,
we
just
need
to
get
to
work
anyway.
Thank
you
for
having
us
here
and
welcome
to
welcome
to
LA
well.
B
It's
been
fun
to
be
here.
It
does
strike
me
that
election
security
is
something
that
can
be
done
on
a
bipartisan
basis
because
it
doesn't
seem
to
fall
out
on
the
left
or
the
right.
From
my
perspective,
has
that
been
your
experience,
yeah
and
that's
yours
as
well,
and
yours
too?
Okay.
So
let's
take
some
questions
from
the
floor.
We
don't
have
a
microphone
to
walk
around
somebody
I
shout
him
out
and
I'll
repeat
them
for
the
people
who
are
watching
the
live
stream.
So
who's
got
questions.
I'm
gonna
go
over
here.
First.
B
C
So
I
I
don't
know
that
one
I've
never
not
been
heard
so
I
think
I'll
be
loud
enough,
but
I'll
talk
into
the
microphone
so
risk
limiting
audits
are
and
Maurice
can
certainly
speak
to
this,
as
well
are
a
type
of
post-election
audit,
and
this
is
an
area
of
growth,
maturity
that
I
see
in
elections
in
my
career.
That
has
really
come
about
quickly.
So
when
I
started
in
this
space,
post-election
auditing
in
general
was
resisted
and
generally
not
a
common
practice.
C
Now
we're
up
to
30
plus
States
right
that
have
some
sort
of
post
election
audits.
It
depends
what
they're
doing
and
risks
limiting
audits
are
the
new
push
and
the
basics
behind
a
risk.
Limiting
audit
are
to
provide
a
level
of
confidence
that
the
winner
is
the
winner
essentially,
and
so
you
establish
a
confidence
interval.
C
The
state
of
Colorado
just
did
the
first
statewide
risk
limiting
audits,
the
state
of
Rhode
Island,
New
Mexico
has
been
doing
I,
don't
know
if
Senator
Ivy
Soto
is
here,
but
New
Mexico
actually
wrote
into
their
law
confidence
intervals
and
and
has
been
doing
this
for
some
time,
and
the
idea
is
that,
then
you
can
go
and
there's
a
variety
of
ways
to
do
these
audits,
but
essentially
pull
the
actual
artifact.
So
the
actual
ballot
compare
it
to
how
the
voting
system
counted
it.
C
Now
that
we
have
digital
scanners
that
take
essentially
images
of
the
bouts,
you
can
look
and
see
how
did
they
count
it?
How
was
this
artifact
that
actually
mat
marked
and
do
they
match?
And
at
that
point
and
it's
based
on
in
in
most
cases
how
wide
the
margin
of
victory
was?
You
only
have
to
look
at
a
small
number
of
artifacts
in
order
to
give
yourself
very
high
confidence
that
you
know
the
winner
is
the
winner
essentially,
and
the
count
is
accurate.
I
will
say
that
understanding
within
your
state
how
ballots
are
processed?
C
How
ballots
are
handled
is
it's
a
major
challenge
as
we
work
to
understand
risk
living
audits,
it
doesn't
make
it
at
all
impossible,
but
it's
really
important
to
understand
that,
because
Colorado,
for
instance,
is
of
centrally
counted,
vote-by-mail,
State
and
so
their
ability
to
control
the
physical
ballots
is
incredible.
They
literally
in
in
many
counties
in
Colorado.
They
can
tell
you
where
any
ballot
is
in
any
part
of
the
process
at
any
point
in
time,
whether
it's
prepped
for
County,
whether
it's
counted,
whether
it's
you
know
what
not.
C
That
is
not
the
case
yet
and
part
of
this
is
the
technology
maturing
to
support
this
type
of
auditing,
but
we're
getting
there
and
again
I
audited
now,
post
election
auditing
now
is
not
a
question
of
if
we
should
be
doing
it,
it's
how
we
should
be
doing
and
how
we
get
better
and
I.
Think
we're
gonna
see
improvements
in
the
post
election
auditing
increase
exponentially
as
we
look
at
this
I.
B
Want
to
take
some
other
questions,
but
I
also
want
to
add
that
Dylan
wrote
about
post
election
audits
in
the
canvass
recently
the
canvases
NCSL
elections
newsletter
and,
if
you're
not
on
the
distribution
list,
speak
to
either
me
or
to
Dylan
afterwards
and
we'll
get
you
on
that.
We
also
have
a
webpage
that
is
written
for
legislators
on
what
is
a
post-election
audit
and
what
is
a
risk
limiting
audit
just.
E
Real
quickly,
the
and
the
bill
I
was
talking
about,
is
it's
Assembly
Bill
21
25
in
California,
but
there
are
many
other
approaches,
but
it
we've
we've
been
doing.
One
percent
manual
tally,
that's
what
we've
been
on
and
a
lot
of
other
states.
Are
there
too
it's
just
it's
clunky
and
outdated
and
yeah
and.
B
B
Okay,
so
the
question
is
in
Ohio:
the
counties
are
really
making
their
own
decisions
about
technology,
and
the
question
is
whether
that's
the
right
way
to
go
about
it,
or
would
it
be
preferred
by
the
panelists
to
have
one
system
chosen
by
the
state?
Did
I
get
the
question
about
right?
Do
you
want
to
answer
that?
Maryse.
F
Sure
I
would
advocate
that
it's
the
state
that
should
be
making
the
purchases
or
making
the
purchase
with
the
input
from
the
counties,
I
think
you're
able
to
leverage
the
larger
dollar
amount
and
the
expertise
from
the
procurement
side.
If
the
state
were
handling
it
and
then
I
also
think
when
it
comes
to
being
able
to
support
it
in
the
field
and
have
backup
devices
available
throughout
the
state
on
Election,
Day
or
prior
to
election
day,
that
there's
definitely
the
advantage
to
having
the
the
counties
look
to
the
state
to
make
those
purchases
I'll.
C
D
I
would
I
would
have
to
know
what
Matt
just
said
that
it
depends
on
each
state.
You
definitely
get
the
buying
power
at
the
state
level,
but
the
can
you
know
my
County,
my
state,
it's
39
counties,
some
of
you
have
hundreds
of
counties
and
those
election
officials
want
that
control
because
at
the
end
of
the
day,
they're
the
ones
are
on
the
hook.
Not
all
of
you
legislators
are
not
even
the
Secretary
of
State
I'd,
also
like
to
go
back
to
a
comment
that
Maurice
made
during
his
presentation.
D
Remember
that
there
is
a
mechanism
for
voting
system
standards
nationally
and
it
was
put
in
place
by
hava.
It
rests
with
the
EAC
and
it's
a
voting
system
standard
guidelines
committee-
probably
butchered
that,
but
it's
made
up
of
all
50
states.
Representatives
of
all
50
states
sit
down,
they've
worked
through
it.
The
problem
we
have
right
now
is:
we
don't
have
a
quorum
on
the
Commission
to
pass
it
into
actual
law
and
are
at
least
being
a
binding
requirement,
and
that's
what
we
need
to
do.
B
All
right,
I'm
gonna,
try
to
repeat
that
question.
This
will
be
a
test,
it's
hard
to
feel
good
when
you've
heard
everything
we've
heard
here
today
and
when
you
read
the
newspaper
how-to
and
it's
hard
to
feel
good
when
very
small
counties,
and
sometimes
large
counties
don't
have
the
expertise
to
manage
a
cybersecurity.
So
how
can
we
have
confidence
to
go
back
to
tell
our
constituents
that
we've
got
it
under
control
and
I
can
see
Matt's
chomping
at
the
bit?
Sorry.
C
And
secretary
Wyman
will
have
a
very
valuable
point
of
view
on
this,
so
let
me
I
I
was
only
asked
to
present
that
the
sort
of
threat
perspective
right
normally
when
I
talk
about
this,
then
we
get
to
the
good
part
about
the
progress
that's
been
made
and
what
I
could
tell
you
is
having
been
in
this
space
for
over
a
decade
now.
I
have
never
seen
this
amount
of
resources,
support
and
information
sharing
that
I
see
right
now.
C
So
some
of
the
facts
on
the
ground
right
now
in
February
DHS
worked
with
election
officials
to
create,
what's
called
an
elections,
information
sharing
and
analysis
center.
We
went
from
zero
to
a
thousand
members
in
in
virtually
no
time.
That
means
real-time.
Information
is
being
shared
with
state
and
county
election
officials
that
was
never
shared
with
them
before
to
help
them
manage
risks
and
protect
their
systems.
C
To
is
the
amount
of
counties
and
states
that
are
taking
advantage
of
our
services
that
we
provide
at
DHS,
whether
it's
remote
cyber
hygiene
scanning
phishing
assessments
of
county
or
state
officials.
Even
on-site
assessments,
the
states
are
engaged
we're
working
with
all
50
states.
In
some
way,
shape
or
form
think
about
from
2016
when
it
was
oh,
my
god,
DHS
is
showing
up
to
take
over
and
it
was
incumbent
on
us
to
to
reinforce
what
we
know.
Our
role,
states
and
locals
run
elections
and
here's
how
we
can
help
support
you.
C
The
engagement
has
been
unbelievable
in
the
progress
folks
at
DHS.
Tell
me
all
the
time.
They've
never
seen
a
sector
grow
and
mature
this
quickly,
and
so,
just
from
a
technical
standpoint,
the
amount
of
insight
we
have
into
election
infrastructure.
So
the
networks
and
what
not,
through
a
monitoring
system
that
we
work
the
states
to
deploy,
is
quadruple
what
we
had
in
2016
quadruple.
That
means
we
have
more
information
to
work
off
more
information
to
share.
That's
just
the
federal
side.
Harvard's
got
involved,
CD
T's,
gotten
involved.
I'm,
sorry
maurices
folks
have
gotten
involved.
C
There
are
so
many
partners
with
so
much
information
now
that
we
basically
we
know
what
the
challenges
in
the
problem
are,
and
now
it's
just
a
question
of
working
with
the
counties
in
particular.
I
have
yet
to
visit
a
state
that
isn't
taking
this
seriously.
They
are
taking
it,
all
of
them
are
taking
it
seriously,
and
we
know
if
we
can
just
address
known
vulnerabilities
patch
systems,
upgrade
operating
systems,
replace
outdated
machinery,
train
our
people,
two-factor
authentication.
There
are
simple
steps
that
make
us
more
hardened
targets
and
folks
are
doing
that.
D
And
I
would
just
go
back
to
my
earlier
comments
about.
Remember
the
strength
of
American
elections
is
decentralization
and
what
I
know
that
we've
just
scared
you
and
that's
why
I'm,
assuming
you're
a
legislator,
correct
I,
guess
my
question
back
to
you
would
be:
do
you
think
that
Congress
should
take
over
you
guys's
role?
D
There
you
go
and
in
elections
is
no
different.
You
know
have
have
confidence
that
having
independently
elected
officials
in
all
of
your
jurisdictions,
running
elections
or
are
appointed
by
elected
officials
serves
your
constituents
better
than
anything.
The
federal
government
can
do
and
I'm
not
trying
to
be
disparaging
of
the
federal
government.
D
I
think
they
have
a
very
important
role
and
I
think
I
said
the
partnerships
that
were
forging
are
really
positive
and
are
moving
in
a
great
direction,
but
the
last
thing
I
think
anyone
in
this
room
or
anyone
this
country
really
wants-
is
the
federal
government
to
have
singular
control
or
authority
or
influence.
Is
that
makes
us
more
vulnerable?
You
know
think
about
it.
D
Right
now,
we've
got
a
vendor
who
is
coming
under
a
little
bit
of
attack
because
of
the
way
that
they
manage
patches
and
things,
and
imagine
if
that
was
the
only
vendor
who
counted
ballots
across
the
country.
The
whole
country
would
lose
confidence
in
our
system
and
that's
what
that's
what's
at
risk.
That's
why
I
would
strongly
say:
let's
this
up
and
slow
down
and
think
about
it,
I'm.
B
That
was
well
done.
I
do
have
to
repeat
it,
because
we've
got
the
people
listening
on
the
outside,
so
here
we
go
so
some
of
you
might
not
know
about
online
ballot
marking.
This
is
when
a
person
who
is
not
able
to
go
to
the
polling
place
receives
a
ballot
by
email
and
they
use
their
computer
to
mark
it,
and
then
it
is
printed
out
and
mailed
or
somehow
delivered
back.
B
So
there's
this
ballot
marking
that
goes
on
online
and
one
of
the
questions
is
whether
those
can
be
infiltrated
that
system
that
is
sending
those
ballots
back
and
forth,
and
so,
if
you
want
to
control
those
for
security
purposes,
then
you
come
up
against
access
questions
for
people
who
might
otherwise
not
have
an
easy
way
to
vote,
and
these
people
might
be
people
with
disabilities.
They
might
also
be
your
overseas
voters.
So
how
do
we
balance?
Those
two.
Is
that
good
enough.
F
That's
a
really
tough
question:
it's
fundamentally,
the
u.s.
election
system
works
in
a
way
that
the
expectation
is
absolute
anonymity
and
absolute
accountability
and
those
are
just
diametrically
opposed,
and
that's
why
we're
all
up
here
talking
about
how
very
interestingly
complicated
our
system
is
and
how
there
are
plenty
of
vulnerabilities
that
need
to
be
addressed.
I'll
say
that
for
the
you
akava
voters,
so
the
military
oversees
the
communication
piece
is
taken
care
of,
because
those
votes
can
be
delivered
securely.
F
I
definitely
have
faith
in
those
methods,
but
I
think
if
we
were
to
try
to
broaden
out
the
sort
of
online
distribution
of
ballots
and
the
online
return
of
ballots
that
we're
not
there
yet
from
a
technical
standpoint
to
make
sure
that
those
votes
are
encrypted
all
along
the
way.
In
a
way,
that's
also
accountable.
F
Blockchain
is
not
the
answer
here.
I
know
it's
very
tempting
to
go
down
that
path,
but
eventually
the
those
records
will
be
decrypted,
and
so
for
some
folks.
They
may
not
mind
that
in
20
years
their
votes
become
absolutely
identifiable
back
to
them.
Other
folks
might
have
some
bigger
concerns
about
that,
either
on
principle
or
specifically
so
we're
not
there.
B
E
So,
in
other
words,
you're,
not
you're,
not
actually
transferring
the
ballot
itself,
but
a
QR
code
that
then
you
can
either
bring
to
the
place
of
administration
on
your
phone
or
print
out
there
sort
of
there's
different
systems
that
we're
looking
at
in
terms
of
actually
encrypting
that
ballot
and
finding
out
a
way
to
transmit
it.
But
we're
not
going
beyond
you
a
Coppa
on
the
on
the
actual
ballot
itself
and
the
like,
faxing
or
emailing
it
so
far
where
there
hasn't
been
I
mean
people
have
been
trying
to
expand
on
it.
G
D
Right
so
so
state
so
for
the
people
that
are
watching
this,
so
I'm
Maryland,
it's
being
done
right
now,
but
the
ballots
that
come
back
they
have
to
manually
duplicate
so
I.
Remember
in
that
process,
the
election
officials
should
have
controls
in
place
that
no
one
person
is
doing
it.
You
also
have
dual
control:
it's
two
people
doing
it
all
of
those
things
but
you're,
hitting
on
the
the
balance
that
election
officials
have
to
get
to.
D
You
always
have
to
balance
security
and
access
so
that
my
most
ardent
critic
believes
that
we
did
things
well
and
did
it
right
and
did
it
honestly
so
I've
been
talking
about
online
voting
since
2000
and
there's
two
things:
I
did
a
white
paper
back
then
on
it,
and
the
two
conclusions
I
came
to
haven't
changed.
One
is
that
the
internet
was
not
a
secure
transmission
system.
D
So,
no
matter
how
encrypted
no
matter
good
the
technology
is
people
don't
necessarily
believe
it
because
Bill
Gates's
credit
card
can
get
hacked,
but
the
second
one
is
harder
and
that's
how
much
you
trust
electronic
transmission
and
having
been
through
a
recount
that
was
133
votes
out
of
2.7
million
cast
I
can
tell
you
that
going
back
to
paper
is
really
what
you
need
to
do
to
instill
confidence
and
with
in
our
state.
We
actually
do
allow
electronic
return
by
email
and
right
now.
D
That
is
an
administrative
code
in
my
state
and
I'm,
actually
thinking
about
changing
that
for
the
general
election
and
because
because,
whereas
we
get
into
all
the
cybersecurity
things,
I
can't
defend
it.
The
way
that
I
can
paper
and
and
it's
it's
got
problems
potentially
at
my
League
of
Women
Voters-
has
shown
me
how
that
an
email
attachment
can
be
altered.
I
can't
defend
against
that,
but
more
to
the
point.
D
It's
great
access
for
that
that
person-
that's
in
the
middle
of
you,
know,
New
York,
on
a
vacation
and
then
they
realize
haven't
voted
and
it's
a
good
service
print
out
that
download
it
print
it
and
mail
about
back
the
hardcopy
to
the
election
officials.
So
they
can
can
do
that
and
then,
like
said
you,
you
have
the
controls
on
the
back
end
to
make
sure
that
that's
not
tampered
with.
But
but
electronic
return
is
problematic.
C
I
have
not,
except
for
you
all,
should
be
aware
that
every
state,
under
a
change
to
the
new
akava
statute
called
the
move
act
requires
every
state
to
be
able
to
distribute
ballots
electronically
to
military
and
overseas
voters.
So
all
of
your
states
are
doing
some
sort
of
electronic
distribution
of
ballots
out
to
military
and
overseas
voters,
and
it's
going
to
depend
sort
of
how
they
do
it
state-by-state,
and
this
goes
to
a
larger
point-
that
that
Maurice
did
a
very
good
job.
Summing
up,
this
is
all
about
making
good
risk-based
decisions.
C
So,
to
your
point
about
recreate,
there
are
actually
technical
solutions
that
would
allow
someone
to
scan
a
barcode
that
prints
a
ballot
on
demand
that
is
already
marked,
but
there's
some
security
controls
and
considerations
there,
and
so
you
have
to
make
good
risk-based
decisions
based
on
the
process
of
procedures
and
controls.
You
have,
like
secretary
Wyman,
said
having
a
Republican
and
a
Democrat
that
recreate
all
of
those
ballots.