months building a list of every election official in the country, over almost 7,000 people we got contact information for. We then paid to do a snail mail, US post office, mailing to every single election official in the country.

We then followed that up with two emails and did 3,500 live phone calls to local loan us equipment if they want research done on it, and so on. And because of that, our attendance from local election officials is up, you know,

several hundred percent from last year. And what we're really excited about is that we have some people here today who are truly great Americans, who are deeply committed to protecting the votes of their constituents

and citizens, and have been spending the last two years, and for many of you even before that, really thinking deeply about how to better secure our elections. And by the way, showing up here, well you know, we're not the answer to this problem, but we're hopefully a piece of it, and we are really appreciative to have the election

officials in Homeland Security here to try and, you know, learn from what the hackers figure out, and each other. So with that, let me just do some quick introductions, and then we'll turn it over to them, because I'm very interested in what you all have to say.

So to start, Secretary Padilla is the Secretary of State of the largest state in the country. California is here today. I want to give him a round of applause for showing up, thank you. He's been working on this issue for years, deeply committed to it, has been involved

in election security issues well before the Russians came at us. Amber McReynolds is from Denver, Colorado. She is actually working on a whole host of interesting things, including auditing and open source technology that we're really excited about.

We know that this community loves open source. Jeanette Manfra is the Assistant Secretary at Homeland Security. We are incredibly appreciative to have Homeland Security here. We've got a bunch of Homeland Security guys in the room as well, so thank you guys for showing up. You know, as we've been saying for years, well, for two years, you know, this is in

no way, shape, or form some sort of like criticism on election officials. Frankly, it's not election officials' job to fight off existential threats to the United States.

That is the national security industry's job, and the national security industry is represented here by Homeland Security. They're the ones who kind of have taken the mantle and been assigned the task to work with state and locals to help secure their elections. Noah Praetz from Cook County, Illinois, he put out, I believe, I think the first kind

of revamped election security plan after 2016. He actually was one of our few RSVPs last year from local election officials and braved the DEF CON for the first time last year, and we're deeply thankful to him for coming.

And then Neil from Orange County is here. He also, we were talking last night actually, has put out an incredibly impressive election security program for Orange County, California, which we're going to be highlighting this weekend at the Village and then later when we release our report of all the vulnerabilities.

So with that, I will shut up and turn it to Assistant Secretary Manfred to say a few words. Great. I'll be really brief. I talked a lot this morning. So I just, first of all, thank you for coming, for hearing us.

And you know, I just, I've learned a lot about our electoral process over the last couple of years, things that I didn't fully understand. We have worked for a long time with things that you might more traditionally think of critical infrastructure, whether that's our electric grid, our financial systems, emergency

services, those sorts of things, which are just as complicated and tricky to defend as our election systems. But you know, I guess I would say just a couple of things is it's for a DHS, we really see ourselves as sitting at the intersection between, you know, individuals

and organizations that participate in things like DEF CON, the academia, the private sector, state and locals, and other federal agencies. And we sort of have this set of unique authorities that allows us to sit in this place and be a convener and drive progress on reducing risk across our countries, or across our

country, and frankly, even working internationally. And you know, the elections challenge has been, I think, fascinating and challenging. But what I would ask for you all is a lot of the questions I get is, you know, well,

just now the elections community is thinking that about cybersecurity and, you know, the Russians woke us up that we need to secure our elections. This is just not a fact. These folks and many of those who have not are not represented here have been thinking about this for a long time.

And and they do a lot with not a lot of resources. And and now they're now they're on the front lines, trying to deal with what with a lot of these issues and they can't do it alone. We all have to work together. And I think this is incredible that we can bring the different communities, a sort of

maybe a community of folks who aren't used to working with government like you all and folks from federal, state and local working together to figure out how to address challenges collectively, because we're all in this together. So I challenge you all to listen and learn from them.

They're here to also learn from you, but really try to understand a little bit more. It's a little bit more than just a voting machine. There's a lot more that goes on in election process at the state and local level than just the individual voting machines. So challenge you to to learn a little bit.

And with that, I will pass it on to the secretary. So we have to like they're just yelling at us. We actually have to take all the chairs out of here. So can we break for like five minutes? These chairs can stay and then we got to move the chairs. Sorry. We're it's good news. Everybody cares about democracy. So our room is overcrowded. So, OK, now we're back.

So, Jeanette, here you go. I don't have to say my remarks again. So, no, I think we were just about to introduce Secretary Padilla. So Secretary Padilla, everyone.

Well, thank you. Good afternoon, everybody. I am excited to be here. I really am. This is my first DEFCON. I confess, but I am here to listen and I am here to learn. But I also understand that some of my colleagues signed off on some statement that went out yesterday. The National Association of Secretaries of States.

That's the first question I got when I walked into the hotel. So let me just acknowledge that upfront and then tell you just a couple of other thoughts that hopefully informed this panel and the conversation. Like I kind of get where they're coming from. For as much attention and emphasis there is on cybersecurity and election integrity, a big piece of that for us.

As secretaries and local elections officials, too, is making sure that voters and the public in general have the appropriate confidence in the systems when people go vote. Right. If it gets into the mind of anybody that maybe my vote's not going to matter, so why should I go vote? That in and of itself is a form of voter suppression, if you look at it that way.

So just trying to strike the right balance of cybersecurity and integrity with confidence in the system. Some of my colleagues, and I'll admit, I too sometimes are still a little traumatized from the headlines from last year's conference, right? Voting systems hacked, voting systems hacked, voting systems hacked.

Well, my background's in engineering. I'm not a programmer. I'm not a coder, but I think I have a proficiency for technical stuff. And like any good engineer, right, you always start with your knowns and your unknowns. You want to understand methodology. And if there's distinctions between what's happening downstairs and real world conditions, that doesn't mean that there's nothing

to learn from a convening like this, but it does mean let's be informed about what the takeaways are. So that's where I think some of my colleagues are coming from. Now, that being said, like I said, you know, I'm here to listen and to learn because like a good engineer, you want to gather all your information, get your knowns and your unknowns identified if you're seeking to problem solve.

Another initial observation, this is sort of a good handoff, right, from the Department of Homeland Security to a secretary of state, because if you look at general dynamics from the last couple of years, the whole coordination and collaboration that we are now participating in is relatively new.

I remember vividly when the buzz first came out and my first call from the Department of Homeland Security under the Obama administration came out. In the late summer of 2016 and the initial conversation about whether

or not to declare our election systems as quote unquote critical infrastructure. What we have experienced since then is to kind of simplify it, the intelligence community, with all their expertise, having to take a crash course on how elections are administered in the United States of America.

On the flip side, elections administrators at the state and at the local level, and you have some of the best from across the country here, the panel, having to take a crash course on cyber security.

Doesn't mean the intelligence community wasn't looking at the election space before, doesn't mean that the elections administrators weren't thinking about cyber security before, but boy, there's never been such a spotlight and emphasis as there has been since 2016, through today, through this November, on to 2020 and beyond. It's our new reality.

So that being said, I do want to just offer a couple of points, maybe tee up some questions and conversations later. I mentioned I'm here to learn. Mentioned, you know, our comprehensive look at cyber security. It's not just replacing equipment, upgrading firewalls. And what's the latest encryption technology for us?

It's also about professional development and training. You can have the best protections in place. But if you still have state or county employees clicking on a link sent by that long lost uncle who just won the lottery. Right. What's it all for? It all gets compromised, right? So training and cyber hygiene is an important part of our comprehensive strategy, how

we not just secure our elections infrastructure and our processes, but counter misinformation and disinformation. That's a big part of what we're grappling with in this comprehensive look. So much more than that. But just to give you a flavor of how it's a much more comprehensive approach and strategies that we're

taking in California and I think across the country, if I can speak for my counterparts for a second. And last but not least, in my opening remarks, while I thank the United States Congress for appropriating three hundred and forty million dollars last month, let me be abundantly clear, we need more resources.

All the things that we know we have to do, all the things that I'm going to learn and observe because I'm going down to the village after this panel to implement and act on all these findings, recommendations and discoveries, we need additional resources. So the money that came to states by Congress last month is not new money.

It's the remaining Help America Vote Act dollars that were just appropriated last month, but authorized 15 years ago in the wake of Florida 2000. I call that money after I say thank you, that's butterfly ballot hanging chad money, not cyber threats, 2016, 2018, 2020 money.

We need more regular, more consistent support for a constant increasing of our cyber defenses if we're going to be serious about this conversation. Cyber security and election integrity is not something that we should invest in only once every 15 years.

And so, again, a thank you for last month's appropriation, but we need more. And on that front, I do speak for all of my colleagues across the country, both Democrat and Republican and local county elections officials throughout the country as well. So we're going to need your support in that. We're going to have some enlightenment going on, some lessons learned going on today.

But when we all leave this gathering, this convening and we go home, I need you all to be advocates for more investments in election systems and integrity at the county, at the state, and especially at the federal level. Thank you very much.

Thank you, Secretary Padilla. And with that, we'll turn it over to Noah Prance at Cook County. All right. Hey, good morning, everybody. Right. So thanks for doing this. Our community is trying to figure out how how best to engage. I was asked yesterday, why are we here? And sure, we can learn some specific technical stuff.

But I think more importantly, I think about four years ago when when a couple of guys from here took over a Jeep wirelessly and then they went to work to help Chrysler make sure that those exploits aren't possible anymore.

We cannot pay in our community for the expertise that you all bring. And so we're going to mature a strong relationship between the voting community and the security researchers. So we're in the beginning stages of that. I'm excited to see how far we've come in the last year.

The folks that are here. And anyway, we're all committed to the same goal. So anyway, my name is Noah. I'm the director of elections in suburban Cook County. Like Secretary Padilla said, we've been securing votes, voter records for a long, long time. It's it's not our first rodeo.

All right. Prior to how many of you guys were around doing this stuff before 2000? OK, so back then, I like to say we were logistics managers mostly. It was a wedding planner era of election administration. We bring together a list of people, put them in the put them in a place on one day, hold an election, and it's done.

Obviously, 2000 exposed serious flaws with punch card technology. There was a significant disparate impact in some communities. And the federal government got involved for the first time in elections spending significant something like three and a half billion dollars.

And it ushered in a whole new era of technology, some of which is problematic now. Touchscreens without paper trails, certainly. But we all had to switch from logistics managers to become IT managers, legal compliance managers.

2016 was another sort of inflection point, because now, given the probability of attack, we've got to become cybersecurity managers. So spurred by the need to defend our systems against foreign actors, the federal government and the states and many of us locals have been sort of negotiating a relationship.

Secretary Lawson likes to say it was an arranged marriage, and it's going as well as any arranged marriage could be. But the states have zealously guarded what has traditionally been their their domain of managing elections.

So, and they've been very helpful. Secretary Padilla is a great spokesperson in the run up to the 2016 election, my, my boss is a Democrat pointed a lot to Secretary Huse said from Ohio, because he was out front saying these systems aren't rigged.

It's important in elections that we're able to maintain a non partisan approach to what we're doing. So the secretaries of state, state election directors certainly deserve a lot of credit for their efforts. And at the risk of being a little overly broad, though, local election officials like myself, there's 108 in Illinois, 8800 around the

country, we bear the brunt of running elections, we lock the warehouses, we program the machines, we review the tapes and the logs. We push the equipment out, program it, audit it, count the votes, and release them. And it's tough. Somebody said we're like, with a nation state actor coming at a small county,

it's kind of like Andy and Mayberry being sent out, sent out to defend against a foreign attack. These are shadowy adversaries that we're facing, and we're all coming to terms with how best to partner with, with the states and with DHS as sort of force multipliers for us to help us in our efforts.

In Cook County, we've studied this a lot. As Jake said, we put out after last year's DefCon a white paper. We focus our efforts around three things. It's defend, detect, and recover. It lines up

pretty closely with the cybersecurity framework, but it's easier to remember. Three instead of five points. We partner with the Center for Internet Security. When they published their election handbook, we worked with the Belfer Center. A lot of great contents being made.

I sit on the Government Coordinating Council. It's a construct of the homeland security of the critical infrastructure. There are eight secretaries of state, eight state election directors, nine locals, the chair of the Election Assistance Commission. And we're working hard to sort of help DHS prioritize the investments that they're making, that they're making in our space.

So what's become clear to me as we study this is that each election office needs somebody to own security. There are 8,800 of us. We're one of the biggest.

We've got one and a half million voters, 100 employees, $20 million budget, and we're able to sort of specialize some resources. And even we decided that we needed to make another position and hire an infosec officer in our office.

We partnered with the Chicago Board of Elections to do that as a shared resource. And we've been pitching this idea, I've been pitching it to the secretaries of state and the state election directors, that this money that was just given, you know, the leftover butterfly ballot, hanging chad money, it's not nearly enough to do a technology refresh.

But what it can do is, if it's employed right, is the states can hire staff to go partner with local election officials with this expertise. I mean, we're just, we're not yet cybersecurity managers. Most election officials have one or two people in their office.

They outsource most of the work they do. And it's really difficult to conceive of the idea that we can absorb the 20 emails we get from the ISAC every week with listing every vulnerability. The idea that we can dig deeply into the Belfer recommendations or the Center for Internet Security without a partner focused specifically on this.

So it's interesting to see some of the states stepping up. In Illinois, our legislature required half of our HAVA funds, so about $7 million be spent on a, they call it a cyber navigator program. So we're putting 10 or 15 people on the street in the next few weeks, partnering with, like,

adopting five counties and going in there, helping them increase their defenses, not by creating sort of new material. There's plenty of great material out there, CIS, Belfer, specific DHS recommendations, but to help us defend our systems, helping ensure we've got the best detection techniques so that when a successful breach occurs, we're able to find it.

And to make sure that we've got the most mature disaster recovery or business continuity plans. So that's, I think, a big focus in our industry right now. Obviously, defense is very difficult. You can ask Uber or Equifax, HBO, Sony. It's just a very, very difficult thing to do.

So the key for us as elections administrators is to make sure we're resilient, that we can overcome any successful attack. Obviously, that's pretty easy in most of the country because there are paper ballots or VPATs.

Increasingly, there are great auditing techniques, which would indicate when something went wrong and establish the ability to put out results that are trusted and true. So, anyway, you all are on the floor. I'll pass this along to Amber, but I really appreciate

your focus on this and appreciate the sort of maturing sense of nuance that there is in elections. It's security. It's not a binary question. We're wrestling with our ability to provide accessible ballots to everybody. And that isn't always lined up with the easiest systems to defend. So, anyway, appreciate your time. And Amber McReynolds now.

Hi. Well, I'm super excited to be here. This is, again, my first DEF CON. I couldn't come last year.

I have a five and a seven-year-old, so I need to ask somebody to get another one of these badges because I cannot go home with only one. It's very cool. I'm going to need to take one for both. So I've been director of elections in Denver for seven years.

I've been in the office for 13. I started as an operations coordinator that oversaw the mail ballot process. And then I moved to a management role. And then I was deputy director starting in 2008 and then director starting in 2011. So 13 years I've been administering elections and touched various points in the process.

And the one thing that when I came into Denver, Denver was not known for running good elections. Most of the systems were completely outdated, pretty backwards in a lot of ways. And as a 26-year-old coming into the office at that time, now you know how old I am, I kept asking why to all of the people that had been there.

And the answer was always, we've done it this way for 15 years or we've done it this way for 20 years, so we're going to keep doing it this way. And I had also come in kind of after Florida 2000. And the one thing that I always say is about elections is elections are about people and process, people and process throughout.

Technology supports a lot of those things, but it's ultimately about people and process. And the problem that happened sort of after 2000 is nobody asked questions about how do voters want to vote, what should the voting model look like,

what should we do to change policy to make it easier. It was just basically a money dump into various systems that now nobody's using anymore because there's various issues that were identified with that. So there was sort of this rush, if you will, to purchase equipment and deploy systems that actually

do not have any benefit to the voter or respect voters in terms of what they want to do. So in asking all those questions, and for many, many years, every day I'd go home from work thinking, how can we make this better for people? And so we've tried, that's been our mission in Denver, is to try to redesign the process and make it more effective for voters.

So a couple things about Colorado, we deliver a ballot proactively to every voter that's on the rolls prior to the election. We have same-day registrations. You can literally come in on election day to a vote center, any one of them, and you can, if you're not registered to vote, you can get registered to vote right that day.

So your name not being on the poll book or you not knowing where to go with your polling place or any of that is eliminated. So since we've done a lot of those reforms, that also means that more than 99 % of our ballots in most cases are a paper ballot that the voter hand-marked, and then the remainder are marked at vote centers on a ballot marking device but still a paper ballot.

So every ballot in Colorado is counted in a central place. We don't tally anything at vote centers, we don't tally anything at polling places, we don't have cartridges, we don't have USBs, we don't have equipment moving around in the field. We literally transport all the paper ballots that are cast in the field on ballot marking devices

if it's at a vote center or if it's using the mail ballot we mail to the voter. Everything is a piece of paper. We had the fourth highest turnout in the country in 2016. We have the highest voter registration rate as a percentage of population as well.

So Colorado has a lot of, from a policy perspective, doing things very well. The other policy that we just implemented, and we were the first state to do this, and I'm going to call out two people from Colorado that are in this room that had a lot to do with it. Dwight Shelmon, I don't know where he, oh there he is, see? He's way over here.

Dwight Shelmon is from the Secretary of State's office and the risk limiting audit that we deployed as a state would never have happened without Dwight Shelmon. So Dwight Shelmon is, if you want to know about a risk limiting audit process or anything with that, he's here and he's amazing. And then Jennifer Murrell, who was the director in Arapahoe County,

and then now has gone to be a risk limiting audit senior advisor at Democracy Fund, so she's now helping everyone else deploy audits across the country. Both of them are Coloradans, both of them were leaders in terms of getting this policy deployed for us. So we have all these great things that are happening in Colorado and a lot of it has been literally organically driven by voters.

Voters started requesting their ballots by mail. They started asking us for that. And so we got to 2012 and we were 80% plus people requesting to get their ballot by mail. And so then we decided, okay, let's just deliver a ballot to everyone because the 20%

are all calling us asking us why we didn't send them one because their friends got one. So we did that and it was all designed and centered around the voting process and making the process better. It wasn't a technology decision, but there's outcomes that have benefited technology, but it was about people and process and making that better.

In terms of cyber security and making sure the election is secure, cyber security is not our only vulnerability in the election process. We have had to defend against physical security threats, bomb threats, all kinds of other things that election offices face. We have challenges that happen all the time, whether it be fires at polling stations or

vote centers and then we have to move everybody or any of these sorts of disasters. This one is one that election officials, and you heard this, there's 8,000 local election officials across the country. Cyber and technology is not a strength that most of them have.

So in Denver, and I don't either, I mean that is not my graduate work, but in Denver we're a city and a county as a whole. We have a centralized technology services department with a security team. And so four or five years ago I went to them and I said, look, I want you to help us figure this out.

And we've been part of kind of that jurisdictional security plan, the elections, doing penetration testing, doing all this prior to the election, way before 2016. But we've collaborated with our technology services department and the chief security officer for the city. And that collaboration and that commitment and that coordination are all keys to making this better.

And then the final sort of C word that I'll throw out there in terms of ways to make this better is continuous improvement. And when I came into Denver 13 years ago and I was asking why, it struck me that no one was curious or creative about solving problems.

And we were not at all in a model where we could continuously improve what we were doing. And that's exactly what we have to be doing as election officials to make this better over time. Because the threats we face today, as you all know, are going to be very different tomorrow and are going to be very different five years from now. So we have got to get to a place where the elections world is agile and can adjust as different things come up

and get in this mindset of continually improving and having curiosity about how to make things better. And we've got a lot of good examples of that in Colorado. And it's been an honor and a pleasure to be the director of elections there.

And, you know, election officials are committed to doing this. They work extremely hard to make sure that you get your vote delivered to you in some way, whether that's at a polling place or mail ballots. But they're not technologists. And they need people in this room and there needs to be collaboration and coordination amongst everyone that's involved.

It's a community effort and voting should be a community. Voting is the quintessential community effort. And so it does take a broad community of people committed to make this better. So with that, I'm going to turn it over to Neil Kelly. He's amazing from Orange County.

You should visit his website. He's got all kinds of data analytic tools and he's done a whole bunch of awesome things in Orange County to make it better. It does not look today like it did when he got there. So he's one of the premier election officials in the country and always happy to share a panel with him.

Likewise. Likewise. Thank you, Amber. First of all, I'm going to sit here, not because I'm very proud to be in California under Secretary Padilla's leadership, which I am, but the Venetian's a lot further away than it looks. And I would advise not running here because the last headline I want is election official passes out of DEF CON.

So I'm going to sit right here. A little bit about Orange County, 1.6 million registered voters. I've been the election official there for 14 years. The average tenure, I think, of election officials in large counties is not generally 14 years.

So I'm glad to say I think we're doing some things right in Orange County. We're more diverse than I think a lot of people think. The stereotype of Orange County is that it's heavy Republican. We're actually kind of split between Dems and Republicans now in Orange County. So the Reagan era, what you thought about long ago in the 70s and 80s, it's much more diverse.

We support seven languages in Orange County in the election office, so definitely a diverse office. And women, by the way, are registered at higher rates in Orange County than men, and they turn out at higher rates in Orange County than men. And I thought, well, maybe that's because men tend to not live as long as women, but it's the opposite in some other counties, so it's interesting to me.

I think it was teed up very nicely, by the way, and I just do want to say thank you to Secretary Padilla, because under his leadership, he really has been focused on elections in California, and I'm very proud to be a part of that partnership. Like Secretary Padilla said, I was contacted like he was in the spring, summer of 2016,

and everything changed for us. As Amber said, we were focused on security before that. We were hyper-focused on security after that, because things definitely change. And I kind of want to walk you through some nuts and bolts of what we're doing in Orange County related to the security side. So previously, you would think of big events and incidents in elections would be acts of God

and some other things, but not necessarily the security side. And that certainly changed overnight for us. Prior to 2016, you would think of fires, and we're dealing with that in Orange County right now. We've lost a polling place because of the fire that's going on right now,

so those things do happen. But after that springtime of 2016, we saw voter data theft, phishing attacks certainly were on the rise, doxxing of political campaigns, and then scanning of systems. The scanning of systems, as I'm preaching to the choir here, goes on all the time, thousands of times a day,

so that really wasn't news for us. What was news for us is where they were coming from, and looking at those IP addresses very closely. I sit on the government coordinating council with NOAA, and I'm proud of the work that DHS has been doing in this space, and looking forward to continuing that effort. So specifically for us, on the physical side,

we've changed a lot of our physical security. Can't talk completely about that, but you think of the building and how ballots are transported, and the chain of custody side of this, we have really enhanced that. On the cyber side, we essentially have a three-layer approach to that security in the county, and Orange County, I think,

as a whole does very well at that, but there's no finish line to this process. It's ongoing, and we're going to continue to work on that. And the one that I'm concerned most about is the social aspect, because the phishing campaigns are a big concern. And like Secretary Padilla said, you can have one individual

in one office can click on something and can cause problems. So the training side has increased tremendously for our employees, and yet we still see, on the social side, employees doing things that we need to continually train against, because this is going to be an ongoing struggle for us.

We have added, and I know many of you are aware of these sensors, Albert sensor, to our system, because I believe the voting systems definitely are tremendous vulnerabilities there, and we need to keep plugging those, but also the voter registration systems are a concern, because that's one of the things I lose sleep about,

is what can we do to continue to protect the voter registration system, so that Albert sensor is something that we have put in place recently. And that end-user training and awareness, I think, just has to continue, because that's going to be a problem. The second is third-party review, and I want to talk about auditing in just a second,

but third-party review, I think, is also very important, because I can't sit up here and say, I think our data is great, and take my word for it. We need that third-party auditing and review, and so we partnered with Caltech in California, and they're going to have a year-long partnership with us to scrutinize our data and to look at what we're doing and to have a third-party review of that.

I'm not afraid to be transparent. I think we need to open it up. I think all election officials need to open it up to be more transparent. And as Jake said earlier, we recently released a cyber... Well, no, it's not cyber. It's election security playbook. And that election security playbook is on our website.

I've put it out there for the public to... The things that we can talk about publicly, here's what we are doing to protect your vote, because I will tell you, one of the biggest questions that I get is, what are you doing to protect our votes? And I want to be forthcoming and transparent in that process. So just real quick, the auditing, I think, is the biggest piece to this.

Can I use this analogy on you just for a second? So the commercial aviation industry, the systems are both people and technical. If the system fails, God forbid, you can have a disaster. But there's auditing in that component, which is the flight data recorder. And you can go back and figure out what happened, what did occur.

Same thing on the auditing side. There is a bill in California right now. I'm sorry, I don't remember the bill number. But that bill... Thank you very much. That bill is moving forward, I suspect, continuing to move forward. It's going to be, I think, scheduled for a Senate vote pretty soon.

To allow risk limiting audits in California, not mandate it, but to allow it in lieu of the 1% audit that we currently do, which is 1% of the precincts that we audit by hand. I still think that's helpful because you're physically auditing those ballots. But risk limiting audits, like they were doing in Colorado,

I hope to have that in California. We just did a pilot in June. And the risk limiting audit, I think, is one of the most important tools that we can do. Because at the end of the day, if we do all the things that we're supposed to be doing on physical and cyber security enhancements, and we still have a problem, how do you detect it? We need to be able to detect that.

And so I am an advocate for auditing. I'm an advocate for transparency. We need to continue this process. And finally, paper is very important. So we in Orange County are... Maybe there's two counties still left in California that are running electronic systems in the polling places.

And we have paper backup on that system, which I think is absolutely critical. And we have about a million vote-by-mail voters that are using paper. There are debates in the industry about whether paper, vote-by-mail, is the right way to go. From a security standpoint, I happen to believe it is.

But still you have that paper backup and that audit trail. So I just want to share with you, again, I'm here to learn. And I appreciate the invite, Jake, very much. And I believe in transparency, and I think we need to continue to improve that process. Thank you very much.

All right. Thank you very much. And thank all of you for, you know, A, coming here. First of all, like Woody Allen says, half a life is showing up. And so the fact that you guys showed up, I think, is important. And then also, you know, these talks were very informative and shows, I think, that people are taking...

You know, many election officials are taking this stuff incredibly seriously. So with that, I want to open it up to questions. Anybody? Yeah, sir. Does anybody want to take that?

So the question was, it was noted that the vendors are not up here and not present. And do we think that the vendors are taking this seriously? I can speak to one vendor, and that's the one that I know. My observation, and sort of the way that I've approached things in Denver,

is we rely very little on the vendors. So we don't have them program any of our files. We don't have them involved in anything. We've purchased software, and we use their system. And it's all COTS. It's a ballot marking device.

And we constantly give them feedback, and they actually listen to us and make changes. And so we've had a very good kind of relationship in that way. I am not easy on them, which is one of the things that I think is important for election officials. Like, you know, you have got to hold vendors accountable for your needs.

Our vendor that we use came to me five years ago and kind of showed me what they were thinking in terms of their next generation of their system. And I told them that I wouldn't buy most of it. And so they actually went and worked with us and redesigned some things to be COTS. So the vendor community is critical to this.

Not every local election office like Orange County or like Cook County or like Denver, because we all program our own stuff. We probably rely very little on vendors to do anything. But that is not the case for most of the local election offices across the country. And they are reliant on vendors.

And the one thing that has been sad for me to see, especially in small counties, most rural counties, if you have 1,000 people in your county or you have even 10,000 people, often don't have full-time county attorneys to help them with contracts.

They don't have full-time technology staff. So I believe the vendors, some vendors, have probably unfairly targeted many of those election officials and sort of gotten them into very expensive contracts or very expensive services. It's hard for those local election officials to get accountability.

So that's really where local election officials are the ones actually doing all the process of the election. But this is really where the states can really help. And a lot of the Secretaries of State have done that, especially in California, especially in Colorado and other places.

But that's really where the state can get involved with certification or how testing happens to make sure that those kinds of things don't happen to local election officials. So vendor's key. Jake mentioned this. We've started to look at some different open source types of systems,

not necessarily for just voting, but other things that we're doing. The RLA tool, the risk-limiting audit tool that Colorado now has is open source. So I think that is something that we as a community need to continue to engage on and figure out what the best path is forward.

So I wanted to just add one piece. We've talked a lot about, some folks mentioned the government coordinating council, which is just the mechanism that the department uses to bring everybody together on the state and local side. We've also established a sector coordinating council, which is our term for bringing industry together.

And so we have these authorities that allow us to have non-public conversations with industry. Our focus was, and it frankly still remains, the priority is state and local. But it is also important, we think, to bring the vendors together.

They are all now together. They've signed their charter, which I know that sounds like bureaucratic, but that's actually really important to be able to bring a bunch of different companies together that are competitors and being able to say, look, we're all committed to working with each other

and working with our federal, state, and local partners. It's very important. So yes, they take it seriously, and I know many of them are here, but yes, there is a lot more work to do. And similar to the work that we do with other industries, whether they're in the electric sector or the medical device sector,

we need to continue to work with them. We need to make sure that they have information that the government might have to better protect their systems. But we also need to continually challenge vendors across the entire critical infrastructure community to improve the security of their products.

So we're continuing to build it. They're at the table, so that to me shows me that they're committed. But that's just the first step. Just to add briefly, I agree they can be helpful and should be helpful. There's a lot of expertise and experience to tap there. But it's clear in my mind that it's contingent upon states and counties to hold firm on the line

of what security standards are, what they need to be, including in there, by the way, paper ballots, paper ballots, and at a minimum, a voter-verified paper audit trail. So I just hope that the vendor community hears that loudly and clearly and comes forward with products that reflect what we are sharing

as best practices and standards. That's the point of all this collaboration. On a related note, I will call attention to a new law in California. I don't know if we're the only still or if we're the first.

In addition to all the measures we take to help protect our voter registration database, which is different, by the way, than the online voter registration availability in California. Many states have online voter registration. Separate and apart from that, there's been a big misperception,

especially when there was this brief commission that the administration set up to look into massive voter fraud, which does not exist, on whether or not the voter database is public information. The voter database is not public information. Some voter information is made available for certain uses, like campaigns for their outreach, journalistic uses, research, academia, et cetera.

We now have in place in California a requirement upon third parties if they have access to some of this voter information and their systems are breached or they're compromised somehow to notify us. That wasn't the case before, and they're not required not just to notify us

but to cooperate with us in any sort of investigation or audit to figure out what happened, if there's any exposure there. So I know that's not vendor specific, but I think pointing to an example of the third party responsibility here, which we have quickly gained an appreciation for.

Okay, anybody else? Yeah, go ahead.

Okay, and if we can be quick with our answers because the fire marshal is mad at us again. And I'll take one more question after this, but whoever wants to. Yeah, ditto.

We've worked with NIST for years now. We were not previously involved in the Voluntary Voting Standard Guidelines, but yes, we're very involved in providing security expertise. The concept is to, like much of the standards development process

where you're looking for expertise, the working group is trying to understand different perspectives, but then there will be a review process in sort of coming together, and we will work very closely. We're supporting EAC and NIST, and we have folks, a lot of whom are here,

will actively be involved in that review process. Just real quickly, I came in on the tail end of the approval of VVSG 2.0 on the committee for EAC, and so not only am I involved, but where the rubber is really going to meet the road, and I think you've touched on it really well, is the requirements, right? You have that framework now with VVSG 2.0,

but you've got to make sure the requirements are adequately established, and so I am very involved in that, and I think your point's well made. Great. Well, we'll go with the guy by the door since we all need to leave after this.

Given that we know that Russia's interfered in some elections recently, probably will do again, do you think that the Trump administration should declare it as an active war to meddle in elections and then immediately put Russia on notice? As a representative of the Trump administration, I will say, active war,

I think it is, no, I don't think it's an active war. I think, again, remember, this is not new. Other nations have been trying to undermine our democracy for decades, and this is just a new way of doing it, and then I believe we have.

We have issued many sanctions, and we continue to look for all the tools that we've got in our deterrence toolbox, but sort of what I talked about earlier is I'm still a believer that defense,

a stronger defense, can be the strongest deterrence, and it's not easy. We can continue to use the tools that are unique to the government, and we'll continue to do that, but that's why we're here

because we've got to make it harder for them, and we have to do that together. So hopefully that answers your question. Okay, so with that, well, okay, did you want to go ahead? Oh yeah, how much time we got? So look, I appreciate the question, and while cyber warfare is different

than traditional physical warfare, I think a threat, if not an outright attack on our democracy, needs to be recognized for what it is. Respectfully, we're working together, but I am not a representative of the Trump administration. One of the things that you and all of your colleagues will say,

it takes what we faced in 2016 and continue to face now, requires a whole of government response. That's not classified. You've been saying it publicly. It requires a whole of government response. Last I checked, the person who sits in the Oval Office is a part of our government, and as great as we're working together,

we still need the right words to come out of the mouth of the sitting President of the United States of America, and it has not. And when he comes close, he always equivocates, and that sends the wrong message. So yes, we're working behind the scenes to buttress our defenses. I leave it to those with the appropriate clearances

to figure out what we're doing in response or proactively, et cetera. But I think from an elections official's perspective, we need three things. An unequivocal recognition by the President on what happened in 2016. We need ongoing resources and commitment to constantly invest

in election systems and security, and it would go a long way to hire, to designate, a well-respected coordinator out of the White House on cybersecurity because that position is currently vacant, and that vacancy speaks volumes. All right. Thank you. All right, with that, thank you to everybody who came.

We really appreciate your participation. Thank you for everybody who asked questions, and now we have to get out of here because the fire marshal is pissed off at us. All right.