both that it won't be settled on you.ion night, thank >> thank you, susan. >> which party will control the house and the senate? watch live election night coverage starting tuesday as the results come in from house, senate, and governors races around the country. here the victory and the concessions speeches from the candidates. wednesday morning to your reaction to the election, taking your phone calls live during "washington journal." your primary source for campaign 2018. and now, look at how state and federal officials are working to secure the 2018 midterm elections from cyber threats. in response to russian hacking, millions in federal funds were given to states.

the federal government began showing more information about cyber attacks. we will hear from four secretary best secretaries of state about their efforts. but first, remarks by christopher krebs, homeland security undersecretary for national protection and programs. >> one of the things i want to touch on today is not just getting justice done, but to emphasize the work over the last couple of years to ensure 2018 midterms lead up to being the most secure election in the modern era. i will explain what i mean by that in a minute. we have increasingly talked about the way that i see the world today in terms of significant anniversaries. i have rolled it down to about three right now. one is september 11, 17 years ago. two, two years ago with the russian attempts to enter there with the election, and the third anniversary is

1957 and the russians launching sputnik. so what's the context? where am i going with this? that was aon 9/11, failure of intelligence and a failure of imagination in that we did not fuse all the information together to truly understand what was going on and take the appropriate action. the second was the failure of imagination. it's what our adversaries could do to use our infrastructure against us to undermine the very are as a people and confidence in the government possibility to protect us. so what does that mean now? first and foremost 15 years ago, , two years after 9/11, the department of homeland security was created. my organization was created a few years after that. we will get the name changed hopefully in a couple of weeks. our responsibility is coordinating federal efforts to protect critical infrastructure. two years ago when the russians attempted to interfere with the 2016 election, that was a

galvanizing moment. historically up to then, the american public had been thinking about cyber security from an intellectual property perspective, from a financial crime perspective. that was the first time across government and the public that we recognize cyber security could be used to destabilize government. as a result, the department of homeland security designated elections a critical infrastructure subsection. there were some challenges in the partnerships. but in terms of where we are today, i want to walk through three quick buckets. where we are today, the work we

have made as a community over the last two years. the second is given we are three weeks out, 21 days from the midterm election, what do we think might happen? what are we seeing in the ecosystem? dhs released a report last week that talked about what we are seeing. third is what we can do together. it is important to recognize and underscore the same local election officials are responsible for administering the elections. the responsibility on the federal government is to provide technical resources, support, and information.

one of those things with can do uniquely, including intelligence, to help state and local officials secure their networks. in terms of the progress we have made, two years ago, there was no good way for the department of homeland security to reach out and communicate and share threat intelligence with any state election official, whether it is the secretary of state or the election director for a large city or county. dhs did not have those mechanisms. would probably did not understand there was such a thing as the election assistance commission. there was not a strong relationship between the two. now, we have governance mechanisms, which is a bad bureaucracy way of saying we all work together closely now. two years ago, we did not. we had communications protocol. if i need to get information to a single state, i can do it quickly.

if it is classified, if they have a clearance, we can get it to them. if it is actionable, we will deal with it later. we will get the information to them. we are providing assistance across the board. we have done about 35 vulnerability assessments for large jurisdiction states and counties. that is compared to about one prior to the 2016 election. again, there was not a strong relationship. i think the two most significant areas of progress, one is information sharing and analysis sensors -- centers exist so network defenders and security officials can share information on current threats. as of february of this year, there was no election-related information sharing and analysis center. as of today, it has participation from all 50 states and over 13 counties or local jurisdictions. that is one of the fastest-growing across the 16 sectors. that shows the commitment not just of dhs but of the election

officials. they take this seriously. they have dedicated resources and are participating in seeing this as a team sport. the second significant amount of progress we have made is in terms of an intrusion detection sensor that we push out to state partners. it is another information sharing analysis center. prior to the 2016 election, less than 30% of state election officials and their networks were behind this intrusion detection system. as of today in the run-up to the election in three weeks, over 92% of state election officials and their networks will be behind these intrusion detection sensors. that is a significant amount of progress.

we will be there by 2020. this gets us the ability to push the same indicators that protect federal networks out to state networks. that is a significant amount of progress. we are not going to stop there. we will continue to increase partnerships and the ability of technical resources. whether a state or local official takes a dhs service, as long as they take some service whether in-house or from a partner, that is what matters. it is contributing to the overall network defense of elections. with that in mind, where are we right now from what we are seeing in the threat ecosystem? there was reporting yesterday

about a dhs he learned -- alert issued last week. this is another sign of progress . the report seems to intake -- indicate there is an uptick in activity. there is not. we are getting an increase in reporting from state and local partners to dhs of what was happening anyway. two years ago, there was no flow of reporting. that reporting was staying in the state networks. now it is flowing up to dhs so we have the bigger picture of what is happening, a more comprehensive threat picture, of what is going on across state and local networks. are we seeing an uptick? i don't know if we are. i think we are seeing a consistent and persistent level of activity, whether it is him simple scanning looking for an open network, we continue to see phishing campaigns. in terms of increase over baseline, we don't have a good sense if there is a dedicated campaign. from an perspective, we don't have indicators there is a significant campaign afoot as there was in 2016.

what does that mean for us from a defensive and preparation perspective? we are planning and working with state and local partners to plan as if they will come back. that is covering the basics. in the cyber hygiene, 101 type stuff. making sure systems are configured the right way. we are issuing guidance. congress made a significant down payment of $380 million earlier this spring in the omnibus that allows states to invest in additional cyber security measures. we are not going to stop there. one of the things we did working with partners was issued guidance that drew from vulnerability assessments over the last year or so and highlighted some things if states needed a wish list on how to develop an investment plan,

provided some recommendations. given we are not seeing a real increase in activity, what do we think may have happened? keeping in mind that in 2016, there were three areas of activity. one was technical cyber security efforts to compromise state and local election infrastructure. the second piece was hacked and leak operations against campaigns and political candidates, and then leaking that information. hacking their email and releasing that via third parties. the third is standard information operations across social media platforms. when i think about what may happen in the intervening three weeks, i think hacked and leak is still an opportunity for the adversary to continue to push guidance to political campaigns and working closely with a number of vendors. we also thank social media -- we have seen continued social media operations by the russians to push divisiveness across the american public. really find issues that have

clear lines down the middle and amplifying the separation between the american voter. we continue to see that. we will continue to see that. when you think about it, the cost of investing those operations is fairly low. there is some preparation. is pretty effective -- it is pretty effective and it is low-cost, low risk. when it happens, they can hit it and leave. from a technical cyber security perspective, it is more expensive to develop these operations, stand up the infrastructure, lay the groundwork for the attack. is certainly not as effective technically as an information operation, and the risk is significantly higher from being on networks and having presence. two buckets right there of attacking equipment of election infrastructure and information structures. the third piece is a hybrid attack, a combination of the two. think about two days before some sort of activity where there is a spearfishing campaign that leads to the compromise of a network and taking down voter precinct checks, any information that a voter would need to check on voting.

anything that would drive uncertainty across the voting public. it's certainly not as effective, technically, as an information operation of the risk and effectively higher from actually being on network and having some presence. two buckets right there of attacking equipment of election infrastructure and information operations. the third piece that i think about right now is something that happens, a hybrid attack, a combination of the two. think about two days before some sort of activity where there is a spearfishing campaign that leads to the compromise of a network and taking down voter precinct checks, any information that a voter would need to check on voting. anything that would drive uncertainty across the voting public. that is probably the area we are going to see activity.

it would not necessarily be in disrupting or compromising equipment in terms of changing the tally of votes. we have never seen them with access to actual vote tabulation. but it is undermining confidence in our democratic institutions, undermining the principle of the way we vote. that is the biggest opportunity. what can we do about that? the government can and will continue to push the basic cyber practices. multifactor authentication, proper configuration, backups, backups, backups. we continue to see ransomware. good practices. we will stop hammering the basics when we all get the basics right.

what can industry do? industry, recognizing this is a shared responsibility and everybody has a role in this fight, has stepped up over the last couple of months in terms of offering services, free services, to state and local election officials and campaigns. credit should go to industry on this. thing we have to do going forward is make sure we are offering these services in a rationalized manner, something election officials in the run-up to an election can get a good idea of the service i can

compare and contrast across services in a way that does not overwhelm them as they approach election day. last, what can the voting public do? when you go home tonight, check your voter registration. check to make sure you know where you are registered to vote so when november 6 rolls around, you know exactly where you are going. know what identification requirements may be. be prepared. the last thing, know your rights. every state does vote provisional ballots a little different. whether it is a technical glitch, they weather-related event, something always happens

whether it is election day or primary day, something always happens. some curveball comes up. just know your rights. if something goes wrong, you have the right to request a provisional ballot. do that. everybody has a role to play here. this goes back to my third anniversary, 1957 and sputnik. when sputnik went up, united states realized the russians have gotten an artificial satellite into lower orbit before we did. the technological might of the u.s. was put into question. but also given the icbm that launched a satellite into space, the american public now realized the russians could jump across those oceans, whether the atlantic or pacific, and everything was closer to home. the internet brings us the same realization in that other nationstates can influence the way we vote an attempt to undermine our confidence.

as a result, there was a mobilization across government, industry, and the public to support that pushed to space. we are in the same place now. government, industry, and the public have a role in securing the vote. looking forward to the rest of the conversation today. thank you for the opportunity to speak. make sure you know where you're going to vote. thank you. [applause] >> our program on securing the midterm elections continues with four secretaries of state. they appeared on "washington journal" in early october. >> we're joined now by tim kondo. appreciate that with us today, on the same day that your op-ed page,ning on the opinion we begin by looking back on the department of homeland security , electionof state systems attacked back in 2016, what do you think the lesson was from the attacks? guest: it is important to remember there were 21 states attacked. it was only one state that was briefed according to the -- breached according to the department of homeland security. that means 20 states did their job and defended well against those attacks.

if you look at where we are today in 2018, two years later, we are in better shape than we were in 2016. but i will say in 2016, i believe overall we were in pretty good shape. host: we are talking with secretaries of state from around the country today during the next two hours of "washington journal." we are asking them about election security. in your mind, when our voting machines most vulnerable? is it weeks or months before an election? is it on election day when people are voting? is it sometime after the votes are cast but before they are reported out?

guest: that is an interesting question the way you posed it. i would say i don't believe the voting machines themselves, unless you're talking about touchscreen technology perhaps, the vote tabulators which are usually just scanners and tabulate results from the actual ballots, those are not in danger. i think it is portrayed in the media to say there is potential. when you think about it, there is a strict chain of command for these memory cards. memory cards are not sent to the town clerks. in vermont, we don't have county governments so we go directly from the state level down to the town level.

the town clerks manage our elections. they have a strict chain of command with regards to the memory cards which they do not receive until about two or three weeks before the election. they do an accuracy test. in many cases, they are checked the morning up and when they shut down. it is important to remember we are creating a fine balancing act between cyber security and opening up our elections process to the general public. i think it is important to remember we are constantly focused especially since 2016 on cyber security. host: how much more is the federal government involved in this process since 2016? what has changed on that level and your relationship from the state level to the federal level? guest: let me back up to 2016. when we first got the phone call , when the 50 secretaries of state were conference called

with secretary jeh johnson, we were informed there was an attack that occurred and perhaps the federal government was considering creating a critical infrastructure designation for elections. we did not know what that meant. i think many red states and blue states, many states were opposed to the designation because we had no idea how it would affect our elections process. to say it was a rocky road in the beginning as far as communications, i think even dhs would agree to that. since then, we learned that critical infrastructure designation was designated in january of 2017. we did not find out what that meant to us until june or july of 2017. we have since set up a coordinating council which i and others are members of. we have a lot of resources that the department of homeland security has provided to us.

things like penetration tests, vulnerability assessments, cyber hygiene scans. in vermont, we do a weekly hygiene scan of our system through dhs currently. the communication level since last summer has increased, the summer of 2017, has increased tremendously. we have an election dashboard with dhs and the fbi. we will get real-time information as to any threats that might be on the horizon. we are constantly focused on how we can do this. i can go over the details. i'm sure you will ask about the different things we have in place. host: a lot of the issues you talked about, a lot of the new

aspects funded through the $380 million in federal funding that has gone out, vermont got about $3 million worth of the fund. how did you choose to use that? guest: first, let's talk about the $380 million. i was working with senator leahy to try to get the money released. that was left over hanging chad money from 2002. it was the remaining portion of the $3.9 billion that were handed out or approved in 2002. this was money already approved. it needed to be appropriated. many secretaries were pushing our congressional delegation to try to move that as quickly as possible. most of us to not receive our money until june. we have been focused on things

we can do. for instance, many states including my own have put in multifactor authentication for anyone that accesses our system. we also have added a new acceptable voting system that is fully compliant. we have done a penetration test fairly recently in which we came out with a very good report that said we were a mature, well defended system. those are things we have been doing with it. we hope to use some of that money going forward to purchase new vote tabulators in the future, probably for 2020 or 2022. host: we mentioned your work as the president of the national association for secretaries of state. do you know how many different voting systems are in use across all 50 states in all jurisdictions? guest: no, because it all

varies. in vermont, we have in statute it has to be the same system throughout the state. other states leave it up to the jurisdiction, whether county or local, to determine what units they have. it varies. there is a lot of different equipment out there. i believe every state, locality, county are working hard to make sure the systems are in good shape. as a best practice, and from my standpoint of vermont, i consider best practices to be voter-march ballot and a full election audit. voter registration databases are backed up on a daily basis. if the worst were to happen, we could always go back 24 hours and reset our database. we would only lose 24 hours worth of data. i think the ultimate resilience we have is in vermont we have same-day voter registration so

nobody coming to the polls will be denied the right to cast a ballot. host: you mentioned there are a lot of different machines available. how many different companies are making voting machines? are there a few big companies that lobby states to buy their voting machines? is there a lot of choice across the country? guest: i don't know if i would call it lobbying. we all work through different procurement practices throughout the country. in vermont, we will generally do eight to 12 months worth of business analysis looking at our requirements. it may require us to go back to the legislature to make a change to a statute. i cannot speak for other states as far as that goes. we do have different procurement systems. it is not like walking into best

buy and saying i want to hundred of those machines. you have to go through a very strong process to determine what the requirements are, what the analysis is, if there are process improvements needed, statute changes needed. it is a constant battle to do this the correct way. we usually go out for an r.f.p. we look at those r.f.p.'s. we review them and match them up against each other to see which looks to be the best fit. then we make the choice. to say they are lobbying us, i don't think that happens. obviously, every company thinks theirs is the best. host: has the federal government ever considered coming up with a standard voting machine? guest: i'm not aware of it. i know the election assistance commission at the federal level does certifications. in our state in vermont, that is

one of the requirements i have, that any tabulator we pick must be adac certified or certified by another state such as connecticut which uses the university of connecticut cyber security unit. host: joining us aboard the c-span bus is secretary of state denise merrill. we have learned since the 2016 election, connecticut was one of the states that had its voting systems targeted by russian hackers. what were the russians trying to do and how far did they get in connecticut? guest: yes, good morning. they did not get anywhere, frankly. we turned them back at the perimeter of our system, as we do most of these kinds of

attempted incursions into our systems. but i have to tell you it is a very common occurrence. the difference here is it was identified as a russian agency ip address. that got everyone's attention. they did not get into our system at all. by the way, the system is the voter registry. it has nothing to do with the tabulation of ballots or any of

that. i would say we don't know really what they were attempting to do. i was president of the national association in 2016 so i was pretty involved in all the different things that went on in all the different states. we still don't really know because it was turned back in all but one state to i personally think it is to sow discord in the american public. i think if they were there to change the elections in any way, we would see it pretty quickly because we have paper backup lists. all the states have paper backup lists on the cloud and on the ground.

on election day if someone said i'm supposed to be on the list, i'm not on the list, if that happened in any big number, we would know it immediately. host: was there any rhyme or reason to the states the russian address chose to attack? was there something about connecticut's and the other states voter rules that represented a juicier target? guest: i don't think so. we are working with the department of homeland security who alerted us to this. it is very delicate. there is a certain amount of security involved. we don't want to be announcing exactly what happened because we don't want to encourage others to try it. most of them being turned away shows you we all have firewalls and protections for all our databases. this was no different. i don't think it was anything special to those 21 states. now we are hearing there may have been more. this is just a matter of monitoring the traffic that goes in and out of the state. i am sure all states do that.

host: the secretary of state of connecticut denise merrill is our guest on the c-span bus in hartford. we invite c-span viewers to join in on the segment. secretary of state merrill will be taking your calls as we continue this discussion. how much money did connecticut get from that federal fund to improve election security and how did you use it? guest: our share is around $5 million. very welcome because we can always improve things. we are using it to bolster our existing firewalls and other systems. we are doing the kinds of checks one does on electronic systems for the voter registry. our biggest concern is at the local level. connecticut is a little unusual. we don't have county systems. everything is done at the town level. we have 169 towns. mostly small towns. each of them has a router in their town that is the drop point for this closed loop system that is our voter registry. when you register to vote, you register at the town level. the only people able to put names on or take names off the list are the local election officials. we are worried about the routers in those towns. we want to make sure they are as secure as the state system is because we house the servers at the state level. we want to make sure local officials have sufficient training and understand you have to change your password frequently.

we are putting in other protections at the local level such as dual authentication, making sure everyone is logging in properly. another type of attack we have seen in some places in the country, not in connecticut, are phishing emails. we are all familiar with those. a message that looks valid and real, but if you go on it, they can get into our system. those are the kinds of things we are focusing on with our money. we are hiring personnel to go into the towns to check their systems, give training, and that sort of thing. we are also purchasing extra tabulators. the tabulators we bought in 2002 with the help america vote money are somewhat elderly, but they are also simple scanners. they are not connected to the internet. they are not connected to each other. i want to make sure people understand that. we vote on paper ballots. we audit the ballots afterwards. the tabulators have little cards in them that program the

ballots. we want to make sure everything is working properly and up-to-date so we are purchasing extra tabulators with some of the money in case some of them give out during or after the election. we will have some extras on hand. host: as we turn to a discussion with secretary paul pate, who supervises the mr. sena elections in iowa, 99 counties. he is also running for reelection this year. he will be on the ballot in iowa. i want to start there with you, mr. secretary. are there any special rules that apply to you as someone running for and supervising elections? guest: just good common sense. clearly, i don't have the opportunity to be doing politicking or campaigning at polling sites during election day. it is the county auditors who do the actual implementation and operating. our office is a collection point. my job is focusing on making sure iowans understand the pathway to be a voter and assuring them of the integrity. host: how are you assuring them of the integrity? guest: we have a series of

roundtables across the state that involve coworkers, county auditors, the media, and other stakeholders in helping promote elections so they have the tools to help us spread the word to the community that we have taken all the necessary steps both from a cyber security standpoint and a normal process. we vote with paper ballots. everybody gets one vote. reminding them of what an eligible voter is. reminding them of all the options they have for voter registration. we have quite a few. we have same-day voter registration. we have 29 days of early voting. we are aggressive on our voting. we make sure everybody has the information. host: i understand iowa received about $4.8 million from the federal funds to help improve election security. how are you using it in your state? guest: over 62% of it we are putting back into the county cyber area. that has been a big step. i have worked for a hard on the state level to upgrade our cyber side, partnering with our state i.t. people and the homeland security, fbi, various other

experts and specialists. we wanted to make sure it got to the county level as well so we focused the majority of the money to make sure they have the malware and sensors and training. we also partnered to make sure we got those systems installed in the counties before this november election. that was the biggest piece. we have added staff internally to make sure we have a cyber navigator and others internally to assist these counties to be successful. host: explain what an albert sensor is. guest: it is a monitoring system to alert the office and homeland security if any unwanted bad actors are trying to probe or gain entrance into any of our systems without authorization. that is a crucial step. we have other measures. i can go into all the internal security measures. but let me assure you we are putting everything homeland is recommending in place.

host: the albert sensor, is that something you can react to immediately? is it more of a monitoring so we can understand how to fix it next time? if any unwanted bad actors are trying to probe or gain entrance into any of our systems without authorization. that is a crucial step. we have other measures. i can go into all the internal security measures. but let me assure you we are putting everything homeland is recommending in place. host: the albert sensor, is that something you can react to immediately? is it more of a monitoring so we can understand how to fix it next time? guest: no, it is immediate. an alarm goes off. we stopped them immediately. we don't wait for any follow-up. we say no interest r -- we say no entrance. clients have options.

we have told them to stop them immediately. we will turn it over for full investigation by the fbi and homeland security. host: we've talked already this morning about the $380 million the federal government has pushed out this year to improve election security. how much of that went to west virginia and how did you use those funds? guest: great question. about $3.5 million came to us from the federal government. we had 2.9 million dollars left over from the hanging chad timeframe of the 2002 election after congress appropriate money for the states to buy new machines.

our legislature at the time set that up as a loan program. over the years, the loan program switched to the point where athn program to a grant program, so we added that to the three half-million dollars, to give us about $6.5 million worth of buying power. we leverage that even further. 50-50 with to match us, that sort of thing, or in the cyber security arena, we would offer an 85% grant if the county comes up at 15%. 10.5 million dollars worth of buying power. west virginia. centralized program, -- what we did is we modeled after the federal government. we appreciated the federal government not putting strings on the $3.5 million that they

give to us. they didn't tell us how to use it. we used the same principle with county clerks. that is when the rubber meets the road in the elections for it the county clerk clerks determined how to best use the money. -- we had about -- figured irks had to use the voting agreement. it would tour the cyber security. we had 17 or 18 that went toward fiscal security. each county had their own situation they wanted to deal with. out because the county is already using it. one of our counties is buying a brand-new code system, brand-new voting agreement. up in the express vote to the most modern

equipment. in the 2016 election, only a small percentage of the state was using those. in this election, 43% will be using this modern equivalent. by 2020, will probably be at 60%. we are making progress. we are certainly appreciative of the money they gave us. we are putting it to good use. host: what does that mean for the number of voting machines that are in use across west virginia? it is mainly two voting machines and paper ballots. you have the express vote, which is the most modern we spoke up. that is what most of the people bought with the money 16 years ago. that equipment is starting to use the end of its useful life span. -- movings are using toward this express vote system or something similar.

in terms of photo by paper, how we people are still voting by paper in west virginia? county thatve one doesn't completely, and one county that is about half and half. it is not a great number. every one of ours is backed by a paper trail, and audible paper trail. that is a big part of integrity. recount, youver a can go back to an actual paper ballot. host: for the paper vote counting that you're talking about, what is their argument for holding onto the vote by paper? guest: simply a voter preference. -- that is within your citizens, they have expressed -- expressed to the county clerk over and over again. i think over time we will get there with setting up displays

and letting people use it and get counsel with it. once we get over 50% in the state, the message will be out. i messaged with a county clerk last week, she reiterated that some still do vote by paper. >> president trump was briefed on election security hitting up to the midterms. he spoke with reporters afterward. he said hopefully there will be no tampering, though nothing. than halfeports fewer of states has allowed the department of homeland security to test their voting systems for vulnerabilities. in the latest statement from the agency released in october, it says it has no evidence of any attack on election systems that would prevent voting, change vote counts or disrupt the ability to tally votes. which party will control the house and senate? election --'s life live election night coverage,

starting tuesday at 8:00 p.m. eastern. here speeches from the candidates. a.m.sday morning at 7:00 eastern, we will get your reaction to the election, taking your calls on washington journal. c-span, your primary source for elections in 2018. >> now, steve bannon and david frum debate the rise of populism in the biannual munk debate, held in toronto. this is 90 minutes. >> you don't know which of your fax will be demolished. you don't know which of your arguments will be totally destroyed. you are not rattled, are you shaken up? you don't