Eric Geller @ericgeller
The Senate Rules Committee is starting its second election security hearing: rules.senate.gov/hearings/elect…
Not a lot of senators present yet. Blunt and Klobuchar are here and getting things started now.
In her opening statement, Klobuchar says of voting vendors: “Given the threats we face and the billions of federal and state tax dollars that go to these companies, oversight is vital to ensure that they are providing secure and reliable voting machines and services.”
Sen. Wyden is joining the hearing for an introductory statement. He's speaking from the witness table and touting his election security bill (congress.gov/bill/115th-con…).
“I wrote this bill in spite of this campaign of ducking and bobbing and weaving — really stonewalling — from the major voting machine companies,” Wyden says.
Wyden: “It is clear to me, Mr. Chairman, that these companies want to be gatekeepers of our democracy, but they seem completely uninterested in safeguarding it.”
Wyden on EAC Commissioner McCormick casting doubt last year on the IC's Russia assessment: "I can’t for the life of me figure out why the No. 2 official at the Election Assistance Commission is dismissing the analysis of the administration’s intelligence experts."
Sen. Lankford, co-sponsor with Klobuchar of the Secure Elections Act, is also guest-speaking at this hearing.
Lankford on the goal of his bill: “It’s not so much about the next election. … It’s, what is the election [structure] 20 years from now? … Will the focus not be there?”
Sens. King, Cortez Masto, and Hyde-Smith are here now. Most seats still empty though.
First panel of witnesses — two @EACgov commissioners, head of IT Lab at technical standards agency NIST, and @mastersonmv of DHS — taking their seats now.
Thomas Hicks, the EAC chairman, says the commission has received requests for more than 97 percent of the federal funds approved for election technology upgrades.
Hicks: "That’s a remarkable percentage and demonstrates the EAC’s responsiveness and the states’ urgency … [to] make election systems more resilient."
EAC vice chair Christy McCormick (whom Wyden criticized just a few minutes ago for dismissing the IC report on Russian hacking) is now delivering her opening statement. We'll see if she responds to Wyden's comments.
McCormick is giving examples of how states and territories are using their federal funds. SD upgrading voting machines, NY implementing risk assessment program, WV developing plan for cyber assessments.
Next up with an opening statement is Dr. Charles Romine, director of @usnistgov's IT Lab, which works with the EAC to develop voluntary guidelines for voting machine standards.
Now we're hearing from DHS election security adviser @mastersonmv, former EAC commissioner and chair. "Today's hearing is timely," he says, noting that DHS will meet with state election officials later this week in Philadelphia.
Masterson says that DHS has yet to see anything like the sustained cyber campaign that Russia mounted in 2016, but noted that the IC continues to see them using similar techniques.
Masterson says DHS has “quadrupled our awareness” of what's happening in state election systems since February 2018.
Correction: Earlier I said Sen. Cindy Hyde-Smith was here. I was wrong. I've never seen most of these people in person before, so I mixed up faces. It's Sen. Shelley Moore Capito.
Capito asked how today's voting machines are more secure than ones bought a decade ago. Hicks and Romine talk about the importance of the updated federal guidelines for certifying new machines. (New guidelines aren't finalized yet though.)
Cortez Masto asks the EAC commissioners about the impact of the commission not having a quorum (they need 3). McCormick says that they can do almost everything except vote on new policies, like the new voting system standards.
In response to a question from Cortez Masto, Masterson says DHS has performed 17 risk and vulnerability assessments for states, out of the 18 requested so far.
King asks EAC Chairman Hicks if he'd agree that every state should have a paper backup. Hicks won't say it.

"It depends on the state. ... Paper is interesting because everyone can’t use paper. If you have a disability … it’s hard to do that paper piece of" the voting process.
King asks whether the government should be authorized to proactively red-team states' systems to try to penetrate them and discover vulnerabilities.

Masterson says DHS offers services like this to states and praises red-teaming in general as a great tool.
Udall: How is the communication between states and DHS/EAC?

Hicks: “We are working a lot better than we did in 2016.”
Blunt: Do states have to meet any standards to get their federal money?
Hicks: Under HAVA, they do have to meet some requirements.
Blunt: What about requiring an auditable ballot trail?
Hicks: That’s not required.
Sens. Warner and Wicker have arrived.
Warner: It’s hard for any entity to evaluate the promises made by cybersecurity firms and their products’ effectiveness. Does the EAC offer guidance for how states should do this?

Hicks: We don’t advise on that specifically. States have to be vigilant about unreliable firms.
Warner: 2016 showed how potent social media manipulation can be. Are states looking at how social media platforms may be fueling miscommunication about voting processes?

Hicks: The EAC has talked to tech firms, and they’ve given us some assurances.
Sen. Cruz is here.
Cruz: What practical effects has the 2016 designation of elections as critical infrastructure had?

Masterson explains DHS's goals, including sharing information with states quickly and providing scanning and assessment services on-site.
Cruz: How significant is the threat of vote tallies being directly hacked?
McCormick: "It would be very, very difficult to do that, given the dispersed character of our election infrastructure. … Each machine would have to be hacked individually."
"That said," McCormick adds, "every system is vulnerable, and it can happen."
The first panel of the hearing has ended.
Panel two starting now, with representatives of the voting technology industry.
Peter Lichtenheld, exec at voting giant Hart, responds to Wyden's criticisms of voting vendors at the start of this hearing: “We have been open. We don’t stonewall. We did answer the letter that Senator Wyden sent to voting system providers."
Lichtenheld: "Our core values, at Hart, are candor and … integrity, which we feel is very important. And really one of our basic tenets is that we’re election geeks. We love elections. And we feel like we’re helping America vote.”
Blunt asks how Scott Leiendecker's company, KNOWiNK, assesses vulnerabilities in its products. Leiendecker says they rely a lot on the security of the iPad, on which their PollPad is based.
Leiendecker: “We leverage security from security experts. We’re not trying to be security experts at our organization, although we do have individuals that are security experts on staff.”
But Leiendecker adds that KNOWiNK has stepped up its penetration testing activities. The company knows that security is “on everybody’s mind, so we want to be responsible.”
Klobuchar: Is it responsible to sell paperless voting machines, given what we know?

All three industry reps say yes.
Leiendecker: "My experience, as a former election director — I don’t see a reason not to. I think it’s responsible to have the paper attachment to it."
Leiendecker: "I understand some of the concerns that Chairman Hicks had brought up. But I think that there’s things in places, with the [HAVA], that secure that. I don’t see why they wouldn’t be."
Lichtenheld: “We at Hart, we support local choice. And if local choice is for paperless voting systems, then we do provide that, and it’s based on state certification guidelines. … Electronic voting systems can be audited.”
Finney: Congress shouldn’t see paper as a “panacea.” There are people who can’t vote on paper.
Warner is lighting into the Hart rep. When Virginia examined its electronic voting machines in 2016, Hart refused to provide the state with a test unit. Warner wants a commitment that it will do so in the future.
Lichtenheld, from Hart, says he'll promise to provide test units in the future. He claims that Hart saw the issue as moot in 2016 because Virginia was moving to a different type of unit from the one it requested for testing.
And the hearing has ended.
I talked to @MarkWarner briefly after the hearing ended. Stay tuned to hear what he thought of his interaction with the Hart rep, and what he wants to do next about voting vendors.
"When you’ve got a 90 percent [market] concentration [and] three vendors controlling the back end of our voting systems, that’s a vulnerability," @MarkWarner told me today after an election security hearing.

My story on Warner's concerns, for Pros: subscriber.politicopro.com/cybersecurity/…
“This is a problem that’s not going away,” Warner told me. “And I’m fearful that [vendors are] sending a message that may not be fully accurate when they kind of chest-thump” about their security.