VOTING VILLAGE - State, Local Perspectives on Election Security

Video thumbnail (Frame 0) Video thumbnail (Frame 1778) Video thumbnail (Frame 6370) Video thumbnail (Frame 11481) Video thumbnail (Frame 24330) Video thumbnail (Frame 37179) Video thumbnail (Frame 50027) Video thumbnail (Frame 53508) Video thumbnail (Frame 62849) Video thumbnail (Frame 71239) Video thumbnail (Frame 73538) Video thumbnail (Frame 78206)
Video in TIB AV-Portal: VOTING VILLAGE - State, Local Perspectives on Election Security

Formal Metadata

VOTING VILLAGE - State, Local Perspectives on Election Security
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Email Information Hacker (term) Operator (mathematics) Single-precision floating-point format Electronic mailing list Staff (military) Office suite Mereology System call Local ring Wave packet
Service (economics) Open source State of matter Multiplication sign 1 (number) Virtual machine Set (mathematics) Shape (magazine) Computer programming Goodness of fit Hacker (term) Authorization Energy level Information security Traffic reporting Task (computing) Vulnerability (computing) Physical system Cybersex Uniqueness quantification Planning Bit Voting Process (computing) Personal digital assistant Self-organization Quicksort Arithmetic progression Local ring
State observer Dynamical system State of matter INTEGRAL Confidence interval Logistic distribution Multiplication sign System administrator Mereology Computer programming Programmer (hardware) Strategy game Encryption Software framework Data conversion Office suite Information security Position operator Physical system Vulnerability (computing) Cybersex Collaborationism Boss Corporation Email Touchscreen Software developer Electronic mailing list Coordinate system Staff (military) Inflection point Arithmetic mean Data management Process (computing) National Institute of Standards and Technology Right angle Quicksort Resultant Navigation Row (database) Spacetime Point (geometry) Link (knot theory) Firewall (computing) Real number Data recovery Tape drive Virtual machine Online help Login Wave packet Goodness of fit Crash (computing) Latent heat Term (mathematics) Internetworking Operator (mathematics) Energy level Analytic continuation Binary multiplier Punched card Form (programming) Condition number Capability Maturity Model Domain name Focus (optics) Information Chemical equation Forcing (mathematics) Content (media) Line (geometry) System call Voting Personal digital assistant Statement (computer science) Local ring
Purchasing State of matter Multiplication sign Decision theory Workstation <Musikinstrument> Image registration Data analysis Mereology Perspective (visual) Event horizon IP address Field (computer science) Formal language Heegaard splitting Goodness of fit Centralizer and normalizer Bit rate Term (mathematics) Core dump Software testing Office suite Series (mathematics) Endliche Modelltheorie Einsteckmodul Information security Physical system Vulnerability (computing) God Cybersex Collaborationism Email Discrete element method Key (cryptography) Coordinate system Physicalism Planning Incidence algebra Word Voting Process (computing) Spring (hydrology) Commitment scheme Personal digital assistant Moving average Quicksort Local ring
State observer Context awareness State of matter 1 (number) Design by contract Image registration Public key certificate Computer programming Mathematics Mechanism design Different (Kate Ryan album) Analogy Office suite Data conversion Information security Physical system Vulnerability (computing) God Cybersex Email Electric generator Feedback Physicalism Maxima and minima Staff (military) Commercial Orbital Transportation Services Entire function Type theory Process (computing) Chain Data logger Quicksort Point (geometry) Trail Backup Service (economics) Computer file Open source Connectivity (graph theory) Wave packet Number 2 (number) Product (business) Goodness of fit Term (mathematics) Authorization Software testing Standard deviation Focus (optics) Key (cryptography) Line (geometry) Contingency table Word Voting Software Personal digital assistant Video game Table (information) Local ring
Point (geometry) Group action State of matter System administrator Image registration Mass Perspective (visual) Latent heat Software framework Information security Physical system Collaborationism Addition Dependent and independent variables Standard deviation Information Software developer Physical law Moment (mathematics) Database Voting Process (computing) Personal digital assistant National Institute of Standards and Technology Quicksort
Cybersex Dependent and independent variables Pattern recognition System administrator Volume (thermodynamics) Mereology Perspective (visual) Demoscene Word Message passing Commitment scheme Oval Representation (politics) Right angle Office suite Quicksort Information security Position operator Physical system
in starting or kicking off this panel one thing I want to make sure everybody knows is that we actually in advance so a bunch of volunteer hackers which is what we are right this is this is a volunteer operation none of us make a dime off this we actually lose money so we raised our own money to pay some interns these poor souls to spend three months building a list of every election official in the country over almost 7,000 people we got contact information for we then paid to do a snail mail u.s. post office mailing to every single election official in the country we then followed that up with two emails and did 3,500 live phone calls to local election officials to invite them to come here and let their staff take part in the training lowness aloneness equipment if they want research done on it and so on and because of that our attendance from local election officials is up you know several hundred percent from last year and what we're really excited about is that we have some people here today who
are truly great Americans who are deeply committed to protecting the votes of their constituents and citizens and have been spending the last two years and for many of you even before that really thinking deeply about how to better secure our elections and by the way showing up here well you know we're not the answer to this problem but we're hopefully a piece of it and we are really appreciative to have the election officials in homeland security here to try and you know learn from what the hackers figure out and and each other so with that let me just do some quick introductions and then we'll turn it over to them because I'm very interested in what you all have to say so to start secretary Padilla it's the secretary of state of the largest state in the country California is here today I want to get round [Applause] he's been working on this issue for years deeply committed to it as has been involved in election security issues well before the Russians came at us amber McReynolds is from Denver Colorado she is actually working on a whole host of interesting things including auditing an open source technology that we're really excited about we know that this community loves open source Jeannette Manfred is the assistant secretary at Homeland Security we are incredibly appreciative to have Homeland Security here we've got a bunch of homeland security guys in the room as well so thank you guys for showing up you know as as we've been saying for years well for two years you know this is uh this is in no way shape or form some sort of like criticism on election officials frankly it's not election officials job to fight off existential threats to the United States that is the national security industry's job and the national security industry is represented here by homeland security they're the ones who kind of have taken the the mantle and being assigned the task to work with state and locals to help secure their elections no apprai 'it's from Cook County Illinois he put out I believe I think the first kind of revamped election security plan after 2016 he actually was one of our few RSVPs last year from local election officials and braved the DEFCON for the first time last year and we're deeply thankful to him for for coming and then Neal from Orange County is here he also we were talking last night actually has put out a incredibly impressive election security program for Orange County California which we're going to be
highlighting this weekend at the village and then later when we release our report of all the vulnerabilities so with that I will shut up and turn it to assistant secretary Manfred I'll be really brief I talked a lot this morning so I just first of all thank you for coming for hearing us and you know I just I've I've learned a lot about our electoral process over the last couple of years things that I didn't didn't fully understand we have worked for a long time with things that you might more traditionally think of critical infrastructure whether that's our electric grid our financial systems emergency services those sorts of things which are just as complicated and tricky to defend as our election systems but you know I guess I would say just a couple of things is it's for DHS we really see ourselves as sitting at the intersection between you know individuals and organizations that participate in things like DEFCON the academia the the private sector state and locals and other federal agencies and we sort of have the set of unique authorities that allows us to sit in this place and and be a convener and in drive progress on reducing risk across our countries across our country and frankly been working internationally and you know the elections challenge has has been I think fascinating and I'm challenging but what I would ask it for for you all is a lot of the questions I get is you know well just now the elections community is thinking that about cyber security and you know the Russians woke us up that we need to secure our elections this is just not a fact these folks and many of those who have not are not represented here have been thinking about this for a long time and and they do a lot with not a lot of resources and and now they're now there on the frontlines trying to deal with with a lot of these issues and they can't do it alone we all have to work together and I think this is incredible that we can bring the different communities a sort of maybe a community folks who aren't used to working with government like you all and in folks from federal state and local working together to figure out how to address challenges collectively because we're all in this together so a challenge you all tap listen and learn from them they're here to also learn from you but really try to understand a little bit more it's a little bit more than just a voting machine there's a lot more that goes on in an election process at the state and local level than just the individual voting machines so challenge you to learn a little bit and with that I will pass it on to the secretary so we have to like they're just yelling at us we actually have to take all the chairs out of here so can we break for like five minutes these chairs can stay and then we got to move the chairs sorry where it's good news everybody cares about democracy so our room is overcrowded okay now we're
back so Jeanette here you go I don't have to say my remarks again to secretary Padilla everyone [Applause] well thank you good afternoon everybody I am excited to be here I really ramped this is my first Def Con I confess but I am here to listen and I am here to learn but I also understand that some of my colleagues signed off on some statement that went out yesterday the National Association of secretaries of states it's the first question I got when I walked into the hotel so let me just acknowledge that up front and then tell you just a couple of other thoughts that hopefully inform that this panel and the conversation like I I kind of get where they're coming from for as much attention and emphasis there is on cybersecurity and election integrity a big piece of that for us as secretaries and local elections officials too is making sure that voters and the public in general have the appropriate confidence in the systems when people go vote right if it gets into the mind of anybody that may be my vote it's not going to matter so why should I go vote that in and of itself is a form of voter suppression if you look at it that way so just trying to strike the right balance of cybersecurity and integrity with confidence in the system some of my colleagues and I'll admit I - sometimes they're still a little traumatized from the headlights from last year's conference right voting systems hacked voting systems hacked voting systems hacked well my background is in engineering I'm not a programmer I'm not a coder but I think I have a proficiency for technical stuff and like any good engineer right you always start with your knowns and your unknowns you want to understand methodology and if there's distinctions between what's happening downstairs and real world conditions that doesn't mean that there's nothing to learn from a convening like this but it does mean let's be informed about what the takeaways are so that's that's where I think some of my colleagues are coming from now that being said like I said you know I'm here to listen and to learn because like a good engineer you want to gather all your information get your knowns and your unknowns identified if you're seeking to problem solve another initial observation this is sort of a good handoff right from their part and security to a Secretary of State because if you look at General Dynamics from the last couple of years the whole coordination and collaboration that we are now participating in is relatively new I remember vividly when the buzz first came out and my first call from the Department of Homeland Security under the Obama administration came out in the late summer of 2016 and the initial conversation about whether or not to declare our election systems as quote/unquote critical infrastructure what we have experienced since then is to kind of simplify it the intelligence community with all their expertise having to take a crash course on how elections are administered in the United States of America on the flip side elections administrators at the state and at the local level and you have some of the best from across the country here the panel having to take a crash course on cybersecurity right doesn't mean how the intelligence community wasn't looking at the election space before doesn't mean that the elections administrators weren't thinking about cybersecurity before but boy if there's never been such a spotlight and emphasis as there has been since 2016 through today through this November onto 2020 and beyond it's our new reality so so that being said I do want to just offer a couple points maybe tee up some questions and conversations later I mentioned I'm here to learn mentioned you know our comprehensive look at cybersecurity it's not just replacing equipment upgrading firewalls and what's the latest encryption technology for us it's also about professional development and training you can have the best protections in place but if you still have state or county employees clicking on a link sent by that long-lost uncle who just won the lottery right what's it all for it all gets compromised right so training at cyber hygiene is an important part of our comprehensive strategy how we not just secure our elections infrastructure and our processes but counter misinformation and disinformation that's a big part of what we're grappling with in this comprehensive look so much more than that but just to give you a flavor of how it's a much more comprehensive approach and strategies that we're taking in California and I think across the country if I can speak for my counterparts for a second and last but not least in my opening remarks while I think the United States Congress for appropriating 340 million dollars last month let me be abundantly clear we need more resources but all the things that we know we have to do all the things that I'm gonna learn and observe because I'm going down to the village after this panel to implement and act on all these findings recommendations and discoveries we need additional resources so the money that came to States by Congress last month is not new money it's the remaining help America Vote Act dollars that were just appropriated last month but authorized 15 years ago in the wake of Florida 2000 I call that money after I say thank you that's butterfly about hanging Chad money not cyberthreats 2016 2018 2020 money we need more regular more consistent support for a constant increasing of our cyber defenses if we're going to be serious about this conversation cybersecurity and election integrity is not something that we should invest in only once every 15 years and so again I thank you for last month's appropriation but we need more in on that front I do speak for all of my colleagues across the country both Democrat and Republican and local County elections officials throughout the country as well so we're gonna need your support in that we're gonna have some enlightenment going on some lessons learned going on today but when we all leave this gathering this convenient we go home I need you all to be advocates for more investments in election systems and integrity at the county at the state and especially at the federal level thank you very much Thank You secretary Padilla and with that Noah pray it's a cookout all right hey good morning everybody all right so thanks for doing this our community's trying to figure out how how best to engage I I was asked yesterday wat why are we here and sure we can learn some specific technical stuff but I think more importantly I think about four years ago when when a couple guys from here took over a jeep wirelessly and then they went to work to help Chrysler make sure that those X points aren't possible anymore we cannot pay in our community for the expertise that they you all bring and so we're going to mature a strong relationship between the voting community and the security researchers so we're in the beginning stages of that I'm excited to see how far we've come in the last year the the folks that are here and anyway we're all committed to the same goal so anyway my name's Noah I'm the director of Elections in suburban Cook County like secretary padilla said we've been securing votes voter records for a long long time it's it's not our first rodeo all right prior to how many of you guys were around doing this stuff before 2000 okay so back then I'd like to say we were logistics managers mostly it was a
wedding planner era of election administration we bring together a list of people put them in the put them in a place on one day hold an election and it's done now obviously 2000 exposed serious flaws with punch card technology there was a significant disparate impact in some communities and the federal government got involved for the first time in elections spending significant something like three and a half billion dollars and it does it in a whole new era of Technology some of which is problematic now touch screens without without paper trails certainly but we all had to switch from logistics managers to become IT managers legal compliance managers 2016 was another sort of inflection point because now given the the probability of attack we've got to become cybersecurity managers so it spurred by the need to defend our systems against foreign actors that the federal government and in the States and many of us locals have been sort of negotiating a relationship secretary Lawson likes to say it was an arranged marriage and it's going as well as any arranged marriage could be but the states have zealously guarded what has traditionally been their their domain of managing elections so and they've been very helpful secretary padilla is a great spokesperson in the run up to the 2016 election my my boss is a Democrat pointed a lot to secretary Hughes said from Ohio because he was out front saying these systems aren't rigged it's important in elections that we're able to maintain a nonpartisan approach to what we're doing so the secretaries of state state election directors certainly deserve a lot of credit for their efforts and at the risk of being a little overly broad though local election officials like myself there's 108 in Illinois 8,800 around the country we bear the brunt of running elections we lock the warehouses we program the machines we repeated the tapes and the logs we push the equipment out program it audit it count the votes and release them and it's tough somebody said we're like with a nation state actor coming at a small County it's kind of like Andy and Mayberry being sent out sent out to defend against a foreign attack these are shadowy adversaries that we're facing and we're all coming to terms with how best to partner with with the states and with DHS as sort of force multipliers for us to help us in our efforts in Cook County we we've studied this a lot we as Jake said we put out after last year's Def Con a white paper we've we focus our efforts around three things it's defend detect and recover it lines up pretty closely with the NIST cybersecurity framework but it's easier to remember three and three instead of five points we partner with the Center for Internet Security to when they publish their election handbook we worked with the Belfer Center a lot of great contents being made I sit on the government Coordinating Council it's a construct of the Homeland Security of the critical infrastructure there eight secretaries of state eight state election directors and nine locals the chair of the election assistance Commission and we're working hard to sort of help DHS prioritize the investments that they're making that they're making in our space so what's become clear to me as we study this is that each election office needs somebody to own security there are eighty eight hundred of us we're one of the biggest we've got one and a half million voters one hundred employees twenty million dollar budget and we're able to sort of specialize some resources and even even we decided that we needed to make another position and hired an InfoSec officer in our in our office we partnered with the Chicago Board of Elections to do that as a shared resource and we've been pitching this idea about pitching it to the secretaries of state in the state election directors that this money that was just given that you know the leftover butterfly ballot hanging hanging Chad money it does not it's not nearly enough to do a technology refresh but what it can do is if it's employed right is the states can hire staff to go partner with local election officials with this expertise I mean we're just we're not yet cybersecurity managers most most election officials have one or two people in their office they outsource most of the work they do and it's really difficult to conceive of the idea that we can absorb the 20 emails we get from the AIESEC every week with listing every vulnerability the idea that we can dig deeply into the Bell for recommendations or the Center for Internet Security without a partner focused specifically on this so it's interesting to see some of the states stepping up in Illinois our legislature required half of our hava funds so about seven million dollars be spent on a they call it a cyber navigator program so we're putting ten or fifteen people on the street in the next few weeks partnering with like adopting five counties and going in there helping them increase their defenses not by creating sort of new material there's plenty of great material out there CIS bail for specific DHS recommendations but to help us defend our systems help ensure we've got the best detection techniques so that when a successful breach occurs we're able to find it and to make sure that we've got the most mature disaster recovery our business continuity plans so that's I think a big focus in our industry right now obviously defense is very difficult I mean you can ask Buber or Equifax HBO Sony it's just a very very difficult thing to do so the key for for us as elections administrators to make sure we're resilient that that we can overcome any successful attack obviously that's pretty easy and most of the contrary because they're paper ballots or vpats increasingly there are great auditing techniques which would indicate when something went wrong and established the ability to put out results that are trusted and true so anyway you all are on the floor I will I'll pass this along to tambour but I really appreciate your focus on this and appreciate the sort of maturing sense of nuance that there is you know elections it's security it's not a binary binary question we're wrestling with our ability to provide accessible ballots to everybody and that that isn't always line up with the easiest systems to defend so anyway appreciate your time and amber McReynolds now hi well I'm super excited to be here this is again my first Def Con I couldn't come last year I have a five and a seven year old so I'm gonna I need to ask somebody to get another one of these badges because I cannot go home with only one very cool I'm gonna need two I'm gonna need to take one for both so I've been director of Elections in Denver for seven years I've been in the office for 13 I started as an Operations Coordinator that oversaw the mail ballot process and then I moved to a management role and then I was deputy director starting in 2008 and then director starting in 2011 so 13 years I've been administering elections and touched various points in the process and the one thing that when I came into to Denver Denver was not known for running
good elections most of the systems were completely outdated pretty backwards in a lot of ways and as a 26 year old coming into the office at that time now you know how old I am I I kept asking why to all of the people that had been there and the answer was always we've done it this way for 15 years or we've done it this way for 20 years so we're going to keep doing it this way and I'd also come in kind of after Florida 2000 and the one thing that is that I always say is about elections as elections are about people and process people and process throughout technology supports a lot of those things but it's ultimately about people and process and the problem that happened sort of after 2000 is nobody asked questions about what how do voters want to vote what should the voting model look like what should we do to change policy to make it easier it was just a basically a money dump into various systems that now nobody is using anymore because there's various issues that were identified with that so there was this Court sort of this rush if you will to purchase equipment and deploy systems that actually do not have any benefit to the voter or respect voters in terms of what they want to do so in asking all those questions and for many many years I'll it every day I'd go home from work thinking how can we make this better for people and so we've tried that's been our mission in Denver is to try to redesign the process and make it more effective for voters so a couple things about Colorado we deliver a ballot proactively to every voter that's on the rolls prior to the election we have same-day registrations you can literally come in on Election Day to a vote center any one of them and you can if you're not registered to vote you can get registered to vote right that day so this your name not being on the poll book or you not knowing where to go with your polling place or any of that is is eliminated so since we've done a lot of those reforms that also means that more than 99% of our ballots in most cases are a paper ballot that the voter hand marked and then the remainder are our marks at vote centers on a ballot marking device but still a paper ballot so every ballot in Colorado is counted in a central place we don't tell you anything at vote centers we don't tell anything at polling places we don't have cartridges we don't have USBs we don't have equipment moving around in the field we literally transport all the paper ballots that are cast in the field on ballot marking devices if it's at a vote center or if it's using the mail ballot we mail to the voter everything is a piece of paper we had the fourth highest turnout in the country in 2016 we have the highest we have the highest voter registration rate as a percentage of population as well so Colorado has a lot of from a policy perspective doing things very well the other policy that we just implemented and we were the first state to do this and I'm going to call out to people from Colorado that are in this that had a lot to do with it Dwight Shulman I don't know where he worked oh there you see he's way over here Dwight Shulman is from the Secretary of State's office and and the risk limiting audit that we deployed as a state would never have happened without Dwight Shulman so Dwight Shulman is you want to know about a risk limine audit process or anything with that he's he's here and he's amazing and then Jennifer Morell who was the director in Arapahoe County and then now has gone to be a risk limiting audit senior advisor at democracy fund so she's now helping everyone else deploy audits across the country both of them are Coloradans both of them were leaders in terms of getting this policy deployed for us so we have all these great things that are happening in Colorado and a lot of it has been literally organically driven by voters voters started requesting their ballots by mail they started asking us for that and so we got to 2012 and we were 80% plus people requesting to get their ballot by mail and so then we decided okay let's let's just deliver about it to everyone because the 20% are all calling us asking us why we didn't send them one because their friends got one so we did that and it was all designed and centered around the voting process and making the process better it wasn't a technology decision but there's outcomes that have benefited technology but it was about people and process and making that better in terms of cybersecurity and making sure the elections secure cybersecurity is not our only vulnerability in the election process we have had to defend against physical security threats bomb threats all kinds of other things that that election offices face we have challenges that happen all the time whether it be fires at polling stations or vote centers and then we have to move everybody or any of these sorts of disasters this one is one that election officials and that you heard this there's 8,000 local election officials across the country cyber and technology is not a strength that most of them have so in Denver I and I don't either I mean that's not my that is not my graduate work but in Denver where a city in a County as a whole we have a centralized technology services department with a security team and so four or five years ago I went to them and I said look I want you to help us figure this out and we've been part of kind of that jurisdictional security plan the elections doing penetration testing doing all this prior to the election way before 2016 but we've collaborated with with our technology services department and the and the chief security officer for the city and that collaboration and that commitment and that coordination are all keys to making this better and then the final sort of C word that I'll throw out there in terms of ways to make this better is continuous improvement and when I came into Denver 13 years ago and I was asking why it struck me that no one was curious or creative about solving problems and we were not at all in a model where we could continuously improve what we were doing and that's exactly what we have to be doing as election officials to make this better over time because the threats we face today as you all know are gonna be very different tomorrow and are going to be very different five years from now so we have got to get to a place where the elections world is agile and can adjust as different things come up and get in this mindset of continually improving and having curiosity about how to make things better and we've got a lot of good examples of that in in Colorado and it's been an honor and a pleasure to be the director of elections there and you know election officials are committed to doing this they work extremely hard to make sure that you get your vote delivered to you in some way whether that's at a polling place or mail ballots but they're not technologists and they need people in this room and there needs to be collaboration and coordination amongst everyone that's involved it's a community effort and voting should be a community voting voting is the quintessential community effort and so it does take a broad community of people committed to to make this better so with that I'm going to turn it over to Neil Kelly he's amazing from Orange Tony you should visit his website he's got all kinds of data analytic tools and he's done a whole bunch of awesome things in Orange County to make it better it does not look today like it did when he got there so he's one of the premier election officials in the country and always happy to share a panel with him likewise Thank You member first of all I'm gonna sit here not because I'm very proud to be in California undersecretary Padilla's leadership which I am but the venetians a lot further away than it looks and I would advise not running here because the last headline I want is election official passes out of DEFCON so I'm gonna sit right here yeah a little bit about Orange County and 1.6 million registered voters I've been the election official there for 14 years the average tenure I think of election officials in large counties is not generally 14 years so I'm glad to say I
think we're doing some things right in Orange County we're more diverse than I think a lot of people think the stereotype of Orange County is that it's heavy Republican we're actually kind of split between Dems and Republicans now in Orange County so the Reagan era of what you thought about you know long ago in the 70s and 80s it's it's much more diverse we support seven languages in Orange County in the election office so definitely a diverse office and women by the way registered at higher rates in Orange County than men and they turnout at higher rates in Orange County than men and I thought well maybe that's because men tend to not live as long as women but it's the opposite in some other counties so it's interesting to me I think it was teed up very nicely by the way and I just do want to say thank you to secretary padilla because under his leadership he really has been focused on elections in California and and I'm very proud to be a part of that partnership like secretary padilla said I was contacted like he was in spring summer of 2016 and everything changed for us as amber said we were focused on security before that we were hyper focused on security after that because things definitely change and I'm kind of wanting to walk you through some nuts and bolts of what we're doing Orange County related to the security side so previously you would think of big events and incidents in elections would be acts of God and and some other things but not necessarily of the security side and that certainly changed overnight for us prior to 2016 you would think of fires and we're dealing with that in Orange County right now we've lost a polling place because of the fire that's going on right now so those things do happen but after that springtime of 2016 we saw a voter data theft phishing attacks certainly were on the rise daxing and political campaigns and then scanning of systems the scanning of systems as I'm preaching the choir here it goes on all the time thousands of times a day so that really wasn't news for us what was news for us is where they were coming from and looking at those IP addresses very closely I sit on the government Coordinating Council with no and I'm proud of the work that DHS has been doing in this space and and looking forward to continuing that effort so specifically for us on the physical side
we've changed a lot of our physical security can't talk completely about that but you think of the building and and how ballots are transported and the Chain of Custody side of this we have really enhanced that on the cyber side we essentially have a three layer approach to that security in the county and Orange County I think as a whole does very well at that but there's no finish line to this process it's ongoing and and we're going to continue to to work on that and the one that I'm concerned most about is the social aspect because the phishing campaigns are a big concern and like secretary padilla said you can have one individual in one office can click on something and can cause problems so the training side has increased tremendously for our employees and yet we still see on the social side employees doing things that we need to continually train against because this is going to be an ongoing struggle for us we have added and I know many of you're aware of the sensors Albert Center to our system I believe the voting systems definitely there are tremendous vulnerabilities there and we need to keep plugging those but also the voter registration systems are a concern because you know I'm that's one of the things I lose sleep about is what can we do to continue to protect the voter registration system so that Albert census is something that we have put in place recently and that end user training and awareness I think just has to continue because that's going to be a problem this the second is third-party review and I want to talk about auditing in just a second but the third-party review I think is also very important because it I can't sit up here and say I think our data is great and take my word for it we need that third-party auditing and review and so we've partnered with Cal Tech in California and they're going to have a year-long partnership with us to scrutinize our data and to look at what we're doing and to have a third party review that I'm not afraid to be transparent I think we need to open it up I think all election officials need to open it up to be more transparent and as Jake said earlier we recently released a cyber well no it's not cyber it's election security playbook and that election security playbook is on our website I'm put it out there for the public to the things that we can talk about publicly here's what we are doing to protect your vote because I will tell you one of the biggest questions that I get is what are you doing to protect our votes and I'm going to be forthcoming and transparent in that process so just real quick the auditing I think is the biggest piece to this can I use this analogy on you just for a second so the commercial aviation industry the systems are both people and technical if the system fails god forbid you can have a disaster but there's auditing in that component which is the flight data recorder and you can go back and figure out what happened what did occur same thing on the auditing side there is a bill in California right now I'm sorry I don't remember the bill number but that bill thank you very much that bill is moving forward I I suspect continuing to move forward it's gonna be I think scheduled for a Senate vote pretty pretty soon to allow rissalah me audits in california not mandate it but to allow it in lieu of the one percent audit that we currently do which is one percent of the precincts that we audit by hand I still think that's helpful because you're physically auditing those ballots but RIS limbing audits like they are they were doing in Colorado they are doing I hope to have that in California we just did a pile in June and the rissalah audit I think is one of the most important tools that we can do because at the end of the day if we do all the things that were supposed to be doing on physical and cyber security enhancements and we still have a problem how do you detect it we need to be able to detect that and so I am an advocate for auditing I'm an advocate for transparency we need to continue this process and finally paper is very important so we in Orange County are maybe there's two counties still left in Orange in California that are running electronic systems in the polling places and we have paper backup on that system which I think is absolutely critical and we have about a million vote-by-mail voters that are using paper there are debates in the industry about whether paper vote by mail is the right way to go from a security standpoint I happen to believe it is but still you have that paper back up and that audit trail so I just want to share with you again I'm here to learn and I appreciate the invite Jake very much and I believe in transparency and I think we need to continue to improve that process thank you very much [Applause] all right thank you very much and thank all of you for you know a coming here first of all like Woody Allen says half a life is showing up and so the fact you guys showed up I think is important and then also I think you know these talks were very informative and shows I think you know that people are taking it that you know many election officials have taken this stuff incredibly seriously so with that I want to open it up to questions anybody yes sir does anybody want to take that so the question was it was noted that the vendors weren't are not up here and not present and do we think that the vendors are taking this seriously I can speak to
one vendor and that's the one that that I know my observation and sort of the way that I've approached things in Denver is we were rely very little on the vendor so we don't have them program any of our any of our files we don't have them involved in anything we've purchased software and we use their system and it's all cots it's a ballot marking device and we constantly give them feedback and they actually listen to us and make changes and so we've had a very good kind of relationship in that way I am not easy on them which is one of the things that I think is important for election officials like we you know you have got a hold vendors accountable for four year needs our vendor that we use came to me five years ago and and kind of showed me what they were thinking in terms of their next generation of their system and I told them that I wouldn't buy most of it and so they actually went and worked with us and redesigned some things to be cots so I the vendor community is critical to this not every local election office like Orange County or like Cook County or like Denver because we all program our own stuff we probably rely very little on vendors to do anything but that is not the case for most of the local election offices across the country and they are reliant on vendors and the one thing that has been sad for me to see especially in small counties they don't most rural counties if you have a thousand people in your county or you have you know even ten thousand people often don't have full-time County attorneys to help them with contracts they don't have full-time technology staff so I I believe the vendors some vendors have probably unfairly targeted many of those election officials and sort of kind of gotten them into very expensive contracts are very expensive services it's hard for those local election officials to get accountability so that's really where you know local election officials are the ones actually doing all the the process of the election but this is really where the states can really help and a lot of the secretaries of state have done that especially in California especially in Colorado and other places but that's really where the state can can get involved with certification or how testing happens to make sure that those kinds of things don't happen to local election officials so vendors key I'm Jake mentioned this I we've started to look at some different open-source types of systems not necessarily for just voting but other things that we're doing the r-la tool the risk limine audit tool that Colorado now has is open source so I think that is a that is something that we as a community need to continue to engage on and figure out what the best path is forward so I wanted to just add one piece we've talked a lot about some folks mentioned the government coordinating council which is just the mechanism that the Department uses to to bring everybody together on the the state and local side we've also established a sector Coordinating Council which is our term for bringing industry together and so we have these these authorities that allow us to have non-public conversations with industry our focus was it and frankly still remains you know the priority of state and local but it is also important we think to bring the the vendors together we they are all now together they've you know they've signed their charter this in which is I know that sounds like bureaucratic but that's actually really important to to be able to bring a bunch of different companies together that are competitors and and being able to say look we're all committed to working with each other working with our federal state and local partners it's it's very important so so yes they take it seriously and and I know many of them are here but but yes there is a lot more work to do and you know similar to the work that we do with other industries whether they're in the electric sector or the medical device sector we need to continue to work with them we need to make sure that they have information that that the government might have that have better protect their systems but we also you know we need to continually challenge vendors across the entire critical infrastructure community to improve the security of their products so it will continue to build it there at the table so that to me shows me that they're committed but that's you know that's just the first step just that briefly I agree that can be helpful and should be helpful there's a lot of expertise and experience to tap there but it's clear in my mind that it's contingent upon states and counties hold firm on the line of what security standards are what they need to be including in there by the way paper valves paper boughs and at a minimum a voter verified paper audit trail so I just hope that the vendor community here is that loudly and clearly and comes forward with products that reflects what we are sharing as best practices and and standards but that's the point of all
this collaboration on a related note I will call attention to a new law in California enough where the only still or for the first in addition to you know all the notice we take to help protect our voter registration database which is different by the way than the online voter registration availability in California many states have online voter registration separate apart from that for you know that there's been a big mr. sessions especially when there was his brief commission that the administration set up to look into massive voter fraud which does not exist whether or not voter the voter database is public information the voter database is not public information some voter information is made available for certain uses like campaigns for the outreach journalistic uses research academia etc we now have in place in California a requirement upon third parties if they have access to some of those what information and their systems are breached or they're compromised somehow to notify us that wasn't the case before and they're now required not just to notifies but to cooperate with us in any sort of investigation or audit to figure out what happened if there's an exposure there so I know that's not vendor specific but I think pointing to an example of the third party responsibility here which we have quickly gained an appreciation for okay
anybody else right now really hard to okay and if we can be quick with our answers because the fire marshal is mad at us again and I'll take one more question after this but yeah ditto but we've worked with NIST for years no we have not we were not previously involved in the voluntary voting standard guidelines but yes we're very involved in providing security expertise the the concept is to like much of the standards development process where you're you're looking for expertise you're the working group is trying to understand different perspectives but then there will be a review process and in sort of coming together and we will work very closely we're supporting EAC and and NIST and we have folks a lot of whom are here will actively be involved in that review process just real quickly I came in on the tail end of the approval of VPS g20 on the committee for the AC and so not only am i involved but where the rubber is really going to meet the road and I think you you've touched on it really well is the requirements right you have that framework now with EVs g20 but you've got to make sure the requirements are are adequately established and so I am very involved in that and and I think your points moment well we'll go with the guy by the door since we all need to leave after this um given that we know that Russia's interfered in some elections recent they probably will do again do you think that the trunk
administration should declare it as a active wall to meddle in elections and then put immediately put Russia and notice as a representative of the Trump administration I will say I active war I think it is and I didn't know I don't think it's an act of war you know I think again remember is this is not new other nations have been trying to undermine our democracy for four decades and this is just a new way of doing it and and then I would say I believe we have we have issued many sanctions and you know we continue to look for all the tools that we've got in our deterrents toolbox but sort of what I talked about earlier is I'm still a believer that you know defense a stronger defense can be the strongest deterrence and it's it's not easy you know we can continue to use our the tools that are unique to the government and we will continue to do that but you know that's that's why we're here because we've got to make it harder for them and we have to do that together so so hopefully that that answers your question okay how much temper again so look I appreciate the question and while that you know and while you know cyber warfare is different than traditional physical warfare I think a threat if not an outright attack on our democracy needs to be recognized for what it is respectfully we're working together but I am NOT a representative of the Trump administration but one of the things that you and your all of your colleagues will say it takes what we face in 2016 and our continued to face now requires a whole-of-government response right that's that's not classified you've been saying publicly requires a whole-of-government response last I checked the person who sits in the Oval Office is a part of our government and as great as we're working together we still need the right words to come out of the mouth of the sitting president of the United States of America and it has not and when he comes close he always equivocates and that sends the wrong message so yes we're working behind the scenes to buttress our defenses I leave it to those with the appropriate clearances to figure out what we're doing in a response or proactively etc but I think from an elections officials perspective winning three things an unequivocal recognition by the president on what happened in 2016 we need ongoing resources and commitment to constantly invest in election systems and security and it would go a long way to hire to designate a well respected coordinator out of the White House on cybersecurity because that position is currently vacant and that vacancy speaks volumes all right with that thank you to everybody who came we really appreciate your participation thank you for everybody who asked questions and now we have to get out of here because the fire marshal is pissed off at us