on c-span. the president stumps for mike braun running against joe donnelly. president trump moves on to missouri for a rally. holds a slim lead over claire mccaskill. that rally is at 10:00. you can watch both rallies on c-span.org or listen on our free rate -- c-span radio app. >> c-span's "washington journal" live every day with news and policy issues that impact you. coming up sunday morning, university of michigan computer science and engineering professor joins us to discuss voting machine security and sean trendy talks about key races to watch on election night. he sure to watch c-span's "washington journal" live at 7:00 eastern on monday morning. join the discussion.

now, a look at how state and federal officials are working to secure the midterm elections from cyber threats. in response to russian hacking in 2016, millions in federal funds were given to states for election security. the federal government began to share more information about cyber attacks. differentar from four secretaries of state. but first, we hear from christopher krebs. >> one of the things i want to today is-- touch on not just what homeland security has done. to ensure that the 2018 elections lead up to be the most secure election in the modern era. i have talked over the last few

months about the way i see the world today in terms of anniversaries. one is september 11, one was two years ago with the russian interference of the elections, and the third is the launch of sputnik. what is the context? that was a failure of intelligence. a failure of imagination. fuse thed not information together to understand what was going on. the second was a failure of imagination. adversariesat our could do in terms of using our own infrastructure against us. what does that mean to now? 15 years ago, the department of homeland security was created.

my organization was created a few years after that. our responsibility is core knitting federal efforts to protect critical infrastructure. two years ago, when the russians attempted to interfere, and in some cases, did interfere in the a16 election, that was galvanizing moment. historically, up until then, the american public had an about cyber security from an intellectual property perspective. that is the first time across government and the public that we recognized that cyber security could be used to destabilize government, our democratic institutions. as a result, the department of homeland security designated elections as a critical infrastructure infrastructure subsection. there were some challenges in

the partnerships. but in terms of where we are today, i want to walk through three quick buckets. where we are today, the work we have made as a community over the last two years. the second is given we are three weeks out, 21 days from the midterm election, what do we think might happen? what are we seeing in the ecosystem? dhs released a report last week that talked about what we are seeing. third is what we can do together. it is important to recognize and underscore the same local election officials are responsible for administering the elections. the responsibility on the federal government is to provide technical resources, support, and information. one of those things with can do uniquely, including intelligence, to help state and local officials secure their networks. in terms of the progress we have made, two years ago, there was

no good way for the department of homeland security to reach out and communicate and share threat intelligence with any state election official, whether it is the secretary of state or the election director for a large city or county. dhs did not have those mechanisms. would probably did not understand there was such a thing as the election assistance commission. there was not a strong relationship between the two. now, we have governance mechanisms, which is a bad bureaucracy way of saying we all work together closely now. two years ago, we did not. we had communications protocol. if i need to get information to a single state, i can do it quickly. if it is classified, if they have a clearance, we can get it to them.

if it is actionable, we will deal with it later. we will get the information to them. we are providing assistance across the board. we have done about 35 vulnerability assessments for large jurisdiction states and counties. that is compared to about one prior to the 2016 election. again, there was not a strong relationship. i think the two most significant areas of progress, one is information sharing and analysis sensors -- centers exist so network defenders and security officials can share information on current threats. as of february of this year, there was no election-related information sharing and analysis center. as of today, it has participation from all 50 states

and over 13 counties or local jurisdictions. that is one of the fastest-growing across the 16 sectors. that shows the commitment not just of dhs but of the election officials. they take this seriously. they have dedicated resources and are participating in seeing this as a team sport. the second significant amount of progress we have made is in terms of an intrusion detection sensor that we push out to state partners. it is another information sharing analysis center. prior to the 2016 election, less than 30% of state election officials and their networks were behind this intrusion detection system. as of today in the run-up to the election in three weeks, over 92% of state election officials

and their networks will be behind these intrusion detection sensors. that is a significant amount of progress. we will be there by 2020. this gets us the ability to push the same indicators that protect federal networks out to state networks. that is a significant amount of progress. we are not going to stop there. we will continue to increase partnerships and the ability of technical resources. whether a state or local official takes a dhs service, as long as they take some service whether in-house or from a partner, that is what matters. it is contributing to the overall network defense of elections. with that in mind, where are we right now from what we are

seeing in the threat ecosystem? there was reporting yesterday about a dhs he learned -- alert issued last week. this is another sign of progress. the report seems to intake -- indicate there is an uptick in activity. there is not. we are getting an increase in reporting from state and local partners to dhs of what was happening anyway. two years ago, there was no flow of reporting. that reporting was staying in the state networks. now it is flowing up to dhs so we have the bigger picture of what is happening, a more comprehensive threat picture, of what is going on across state and local networks. are we seeing an uptick? i don't know if we are. i think we are seeing a consistent and persistent level of activity, whether it is simple scanning looking for an open network, we continue to see phishing campaigns. in terms of increase over baseline, we don't have a good sense if there is a dedicated campaign.

from an perspective, we don't have indicators there is a significant campaign afoot as there was in 2016. what does that mean for us from a defensive and preparation perspective? we are planning and working with state and local partners to plan as if they will come back. that is covering the basics. in the cyber hygiene, 101 type stuff. making sure systems are configured the right way. we are issuing guidance. congress made a significant down payment of $380 million earlier this spring in the omnibus that allows states to invest in additional cyber security measures. we are not going to stop there. one of the things we did working with partners was issued guidance that drew from

vulnerability assessments over the last year or so and highlighted some things if states needed a wish list on how to develop an investment plan, provided some recommendations. given we are not seeing a real increase in activity, what do we think may have happened? keeping in mind that in 2016, there were three areas of activity. one was technical cyber security efforts to compromise state and local election infrastructure. the second piece was hacked and leak operations against campaigns and political candidates, and then leaking that information. hacking their email and releasing that via third

parties. the third is standard information operations across social media platforms. when i think about what may happen in the intervening three weeks, i think hacked and leak is still an opportunity for the adversary to continue to push guidance to political campaigns and working closely with a number of vendors. we also thank social media -- we have seen continued social media operations by the russians to push divisiveness across the american public. really find issues that have clear lines down the middle and amplifying the separation between the american voter. we continue to see that. we will continue to see that. when you think about it, the cost of investing those operations is fairly low. there is some preparation. is pretty effective -- it is pretty effective and it is low-cost, low risk. when it happens, they can hit it and leave.

from a technical cyber security perspective, it is more expensive to develop these operations, stand up the infrastructure, lay the groundwork for the attack. is certainly not as effective technically as an information operation, and the risk is significantly higher from being on networks and having presence. two buckets right there of attacking equipment of election infrastructure and information structures. the third piece is a hybrid attack, a combination of the two. think about two days before some sort of activity where there is a spearfishing campaign that leads to the compromise of a network and taking down voter

precinct checks, any information that a voter would need to check on voting. anything that would drive uncertainty across the voting public. that is probably the area we are going to see activity. it would not necessarily be in disrupting or compromising equipment in terms of changing the tally of votes. we have never seen them with access to actual vote tabulation. but it is undermining confidence in our democratic institutions, undermining the principle of the way we vote. that is the biggest opportunity. what can we do about that? the government can and will continue to push the basic cyber practices.

multifactor authentication, proper configuration, backups, backups, backups. we continue to see ransomware. good practices. we will stop hammering the basics when we all get the basics right. what can industry do? industry, recognizing this is a shared responsibility and everybody has a role in this fight, has stepped up over the last couple of months in terms of offering services, free services, to state and local election officials and campaigns. credit should go to industry on this. thing we have to do going forward is make sure we are offering these services in a rationalized manner, something election officials in the run-up to an election can get a good idea of the service i can compare and contrast across services in a way that does not

overwhelm them as they approach election day. last, what can the voting public do? when you go home tonight, check your voter registration. check to make sure you know where you are registered to vote so when november 6 rolls around, you know exactly where you are going. know what identification requirements may be. be prepared. the last thing, know your rights. every state does vote provisional ballots a little different. whether it is a technical glitch, they weather-related event, something always happens whether it is election day or primary day, something always happens. some curveball comes up. just know your rights. if something goes wrong, you have the right to request a provisional ballot. do that. everybody has a role to play

here. this goes back to my third anniversary, 1957 and sputnik. when sputnik went up, united states realized the russians have gotten an artificial satellite into lower orbit before we did. the technological might of the u.s. was put into question. but also given the icbm that launched a satellite into space, the american public now realized the russians could jump across those oceans, whether the atlantic or pacific, and everything was closer to home. the internet brings us the same realization in that other nation-states can influence the way we vote an attempt to undermine our confidence. as a result, there was a mobilization across government, industry, and the public to support that pushed to space. we are in the same place now.

government, industry, and the public have a role in securing the vote. looking forward to the rest of the conversation today. thank you for the opportunity to speak. make sure you know where you're going to vote. thank you. [applause] >> our program on securing the midterm elections continues with four secretaries of state. they appeared on "washington journal" in early october. >> secretary condos, you wrote about the cyber attack in 2016. what do you think the lesson was from those attacks? >> it is important to remember

there were 21 states attacked. it was only one state that was briefed according to the -- breached according to the department of homeland security. that means 20 states did their job and defended well against those attacks. if you look at where we are today in 2018, two years later, we are in better shape than we were in 2016. but i will say in 2016, i believe overall we were in pretty good shape. >> we are talking with secretaries of state from around the country today during the next two hours of "washington journal." we are asking them about election security. in your mind, when our voting machines most vulnerable? is it weeks or months before an election? is it on election day when people are voting? is it sometime after the votes are cast but before they are reported out? >> that is an interesting

question the way you posed it. i would say i don't believe the voting machines themselves, unless you're talking about touchscreen technology perhaps, the vote tabulators which are usually just scanners and tabulate results from the actual ballots, those are not in danger. i think it is portrayed in the media to say there is potential. when you think about it, there is a strict chain of command for these memory cards. memory cards are not sent to the town clerks. in vermont, we don't have county governments so we go directly from the state level down to the town level. the town clerks manage our elections. they have a strict chain of command with regards to the

memory cards which they do not receive until about two or three weeks before the election. they do an accuracy test. in many cases, they are checked the morning up and when they shut down. it is important to remember we are creating a fine balancing act between cyber security and opening up our elections process to the general public. i think it is important to remember we are constantly focused especially since 2016 on cyber security. >> how much more is the federal government involved in this process since 2016? what has changed on that level and your relationship from the state level to the federal level? >> let me back up to 2016.

when we first got the phone call, when the 50 secretaries of state were conference called with secretary jeh johnson, we were informed there was an attack that occurred and perhaps the federal government was considering creating a critical infrastructure designation for elections. we did not know what that meant. i think many red states and blue states, many states were opposed to the designation because we had no idea how it would affect our elections process. to say it was a rocky road in the beginning as far as communications, i think even dhs would agree to that. since then, we learned that critical infrastructure designation was designated in january of 2017. we did not find out what that meant to us until june or july of 2017. we have since set up a

coordinating council which i and others are members of. we have a lot of resources that the department of homeland security has provided to us. things like penetration tests, vulnerability assessments, cyber hygiene scans. in vermont, we do a weekly hygiene scan of our system through dhs currently. the communication level since last summer has increased, the summer of 2017, has increased tremendously. we have an election dashboard with dhs and the fbi. we will get real-time information as to any threats that might be on the horizon. we are constantly focused on how we can do this. i can go over the details.

i'm sure you will ask about the different things we have in place. >> a lot of the issues you talked about, a lot of the new aspects funded through the $380 million in federal funding that has gone out, vermont got about $3 million worth of the fund. how did you choose to use that? >> first, let's talk about the $380 million. i was working with senator leahy to try to get the money released. that was left over hanging chad money from 2002. it was the remaining portion of the $3.9 billion that were handed out or approved in 2002. this was money already approved. it needed to be appropriated. many secretaries were pushing our congressional delegation to try to move that as quickly as possible. most of us to not receive our

money until june. we have been focused on things we can do. for instance, many states including my own have put in multifactor authentication for anyone that accesses our system. we also have added a new acceptable voting system that is fully compliant. we have done a penetration test fairly recently in which we came out with a very good report that said we were a mature, well defended system. those are things we have been doing with it. we hope to use some of that money going forward to purchase new vote tabulators in the future, probably for 2020 or 2022. >> we mentioned your work as the president of the national association for secretaries of state. do you know how many different voting systems are in use across all 50 states in all jurisdictions? >> no, because it all varies.

in vermont, we have in statute it has to be the same system throughout the state. other states leave it up to the jurisdiction, whether county or local, to determine what units they have. it varies. there is a lot of different equipment out there. i believe every state, locality, county are working hard to make sure the systems are in good shape. as a best practice, and from my standpoint of vermont, i consider best practices to be voter-march ballot and a full election audit. voter registration databases are backed up on a daily basis.

if the worst were to happen, we could always go back 24 hours and reset our database. we would only lose 24 hours worth of data. i think the ultimate resilience we have is in vermont we have same-day voter registration so nobody coming to the polls will be denied the right to cast a ballot. >> you mentioned there are a lot of different machines available. how many different companies are making voting machines? are there a few big companies that lobby states to buy their voting machines? is there a lot of choice across the country? >> i don't know if i would call it lobbying. we all work through different procurement practices throughout the country. in vermont, we will generally do eight to 12 months worth of business analysis looking at our requirements. it may require us to go back to the legislature to make a change to a statute. i cannot speak for other states as far as that goes. we do have different procurement systems. it is not like walking into best buy and saying i want to hundred of those machines. you have to go through a very strong process to determine what the requirements are, what the analysis is, if there are process improvements needed, statute changes needed.

it is a constant battle to do this the correct way. we usually go out for an r.f.p. we look at those r.f.p.'s. we review them and match them up against each other to see which looks to be the best fit. then we make the choice. to say they are lobbying us, i don't think that happens. obviously, every company thinks theirs is the best. >> has the federal government ever considered coming up with a standard voting machine? >> i'm not aware of it. i know the election assistance commission at the federal level does certifications. in our state in vermont, that is one of the requirements i have, that any tabulator we pick must be adac certified or certified

by another state such as connecticut which uses the university of connecticut cyber security unit. >> joining us aboard the c-span bus is secretary of state denise merrill. we have learned since the 2016 election, connecticut was one of the states that had its voting systems targeted by russian hackers. what were the russians trying to do and how far did they get in connecticut? >> yes, good morning. they did not get anywhere, frankly. we turned them back at the perimeter of our system, as we do most of these kinds of attempted incursions into our

systems. but i have to tell you it is a very common occurrence. the difference here is it was identified as a russian agency ip address. that got everyone's attention. they did not get into our system at all. by the way, the system is the voter registry. it has nothing to do with the tabulation of ballots or any of that. i would say we don't know really what they were attempting to do. i was president of the national association in 2016 so i was pretty involved in all the different things that went on in all the different states. we still don't really know because it was turned back in all but one state to i personally think it is to sow

discord in the american public. i think if they were there to change the elections in any way, we would see it pretty quickly because we have paper backup lists. all the states have paper backup lists on the cloud and on the ground. on election day if someone said i'm supposed to be on the list, i'm not on the list, if that happened in any big number, we would know it immediately. >> was there any rhyme or reason to the states the russian address chose to attack? was there something about connecticut's and the other states voter rules that represented a juicier target? >> i don't think so. we are working with the department of homeland security who alerted us to this. it is very delicate. there is a certain amount of security involved. we don't want to be announcing exactly what happened because we don't want to encourage others to try it. most of them being turned away shows you we all have firewalls and protections for all our databases. this was no different. i don't think it was anything special to those 21 states. now we are hearing there may have been more. this is just a matter of monitoring the traffic that goes

in and out of the state. i am sure all states do that. >> the secretary of state of connecticut denise merrill is our guest on the c-span bus in hartford. we invite c-span viewers to join in on the segment. secretary of state merrill will be taking your calls as we continue this discussion. how much money did connecticut get from that federal fund to improve election security and how did you use it? >> our share is around $5 million. very welcome because we can always improve things. we are using it to bolster our existing firewalls and other systems.

we are doing the kinds of checks one does on electronic systems for the voter registry. our biggest concern is at the local level. connecticut is a little unusual. we don't have county systems. everything is done at the town level. we have 169 towns. mostly small towns. each of them has a router in their town that is the drop point for this closed loop system that is our voter registry. when you register to vote, you register at the town level. the only people able to put names on or take names off the list are the local election officials. we are worried about the routers in those towns. we want to make sure they are as secure as the state system is because we house the servers at the state level. we want to make sure local

officials have sufficient training and understand you have to change your password frequently. we are putting in other protections at the local level such as dual authentication, making sure everyone is logging in properly. another type of attack we have seen in some places in the country, not in connecticut, are phishing emails. we are all familiar with those. a message that looks valid and real, but if you go on it, they can get into our system. those are the kinds of things we are focusing on with our money. we are hiring personnel to go into the towns to check their systems, give training, and that sort of thing. we are also purchasing extra tabulators. the tabulators we bought in 2002 with the help america vote money are somewhat elderly, but they are also simple scanners. they are not connected to the internet. they are not connected to each other. i want to make sure people understand that. we vote on paper ballots. we audit the ballots afterwards.

the tabulators have little cards in them that program the ballots. we want to make sure everything is working properly and up-to-date so we are purchasing extra tabulators with some of the money in case some of them give out during or after the election. we will have some extras on hand. >> as we turn to a discussion with secretary paul pate, who supervises the mr. sena elections in iowa, 99 counties. he is also running for reelection this year. he will be on the ballot in iowa. i want to start there with you, mr. secretary. are there any special rules that apply to you as someone running for and supervising elections? >> just good common sense. clearly, i don't have the opportunity to be doing politicking or campaigning at

polling sites during election day. it is the county auditors who do the actual implementation and operating. our office is a collection point. my job is focusing on making sure iowans understand the pathway to be a voter and assuring them of the integrity. >> how are you assuring them of the integrity? >> we have a series of roundtables across the state that involve coworkers, county auditors, the media, and other stakeholders in helping promote elections so they have the tools to help us spread the word to the community that we have taken all the necessary steps both from a cyber security standpoint and a normal process. we vote with paper ballots. everybody gets one vote.

reminding them of what an eligible voter is. reminding them of all the options they have for voter registration. we have quite a few. we have same-day voter registration. we have 29 days of early voting. we are aggressive on our voting. we make sure everybody has the information. >> i understand iowa received about $4.8 million from the federal funds to help improve election security. how are you using it in your state? >> over 62% of it we are putting back into the county cyber area. that has been a big step. i have worked for a hard on the state level to upgrade our cyber side, partnering with our state i.t. people and the homeland security, fbi, various other experts and specialists. we wanted to make sure it got to the county level as well so we focused the majority of the money to make sure they have the malware and sensors and training. we also partnered to make sure we got those systems installed in the counties before this november election.

that was the biggest piece. we have added staff internally to make sure we have a cyber navigator and others internally to assist these counties to be successful. >> explain what an albert sensor is. >> it is a monitoring system to alert the office and homeland security if any unwanted bad actors are trying to probe or gain entrance into any of our systems without authorization. that is a crucial step. we have other measures. i can go into all the internal security measures. but let me assure you we are putting everything homeland is recommending in place. >> the albert sensor, is that something you can react to immediately? is it more of a monitoring so we can understand how to fix it next time? >> no, it is immediate. an alarm goes off. we stopped them immediately. we don't wait for any follow-up. we say no interest rate -- we

say no entrance. clients have options. we have told them to stop them immediately. we will turn it over for full investigation by the fbi and homeland security. >> we've talked already this morning about the $380 million the federal government has pushed out this year to improve election security. how much of that went to west virginia and how did you use those funds? >> great question. about $3.5 million came to us from the federal government. we had $2.9 million left over from the hanging chad timeframe

of the 2002 election after congress appropriate money for the states to buy new machines. our legislature at the time set that up as a loan program. over the years, the loan program switched to the point where a lot of the vendors were providing better financing than the state loan program. that $2.9 million that unused. the legislature got that changed from a loan program to a grant program so we added that to the $3.5 million. that gave us about $6.5 million worth of buying power. we leveraged that further. we went to the counties and said

if you want to match 50/50 on buying new equipment or any cyber security we would offer 80% in the county had to come up with 15%. you gave us about $12 million worth of buying power in the state of west virginia. we pushed that out to the counties. instead of a centralized program, we pushed it out to the counties. we model that after the federal government. we appreciate the federal government not putting strings on the $3.5 million. they left it up to us as secretaries to determine how that would be used. we used the same principle with the county clerks. they are where the rubber meets the road in all the elections. we let the county clerks determine how best to use that money. we had about 27 clerks who went for the voting equipment. we had about an equal number that went towards cyber security. each county has their own situations that they want to deal with, and we pushed that out. the counties are already using it. one of our larger counties is buying a new express-code system, the most modern voting equipment, they are going to try that out in the general

election. we are moving up in the express vote, the most modern equipment in the 2016 election. only 16% of the state was using those. in this election we are hitting about 43% with this modern equipment. in 2020, we are going to be 60%, 65%. so we are making progress. we are taking money from the federal government and putting it to good use. >> what does it mean for the number of different kinds of voting machines in use across west virginia. do you know my many different kinds of machines are >> it is mainly two voting machines and the paper ballots. you have the express vote, and that is what most of the people -- that equipment is starting to

reach the end of its useful life span. many are moving toward the express vote system or something similar. so we have express boat, vote tronics and vote by paper. >> how many people in west virginia are still voting by paper? >> another county, completely, another county, half and half, and then you have absentee ballots. so it is not a great number but everyone is backed up by ed auditable paper trail. that's a key component in election security. an actual paper ballot. and that's what vote tronics and the express vote systems provide. >> what is their argument holding onto the vote by paper? >> simply a voter preference. it is a more senior county, with senior citizens.

they have expressed it to the county clerk over and over again. the county clerk has wanted to try the express vote system and over time, we will get there, setting up displays and letting people use it and get comfortable with it. once we get to 50% of the state, the message will be out it but i had lunch with the county clerk this last week, and she reiterated that her voters still want to vote by paper. announcer: president trump was briefed on security up to the midterms and talked to reporters afterwards, saying "there will hopefully be no meddling, no tampering, know nothing." abc news reports that fewer than half of states have allowed the dhs to test their voting systems for vulnerabilities. in the latest statement from the agency released in october, dhs says it has no evidence of any attack on election systems that

would prevent voting, change vote counts, or disrupt the ability to tally votes. president today, trump campaigns for republican candidates at a rally in fort wayne, indiana. live coverage at 6:05 p.m. on c-span. he. for house candidates running against joe donnelly. kohl's show a very close race. president trump then moves to missouri for a rally with josh holly, who holds a slim lead over claire mccaskill. that rally starts live at 10:00 p.m. eastern. you can watch both on c-span.org or listen on our free radio app. c-span, your primary source for campaign 2018. announcer: which party will control the house and senate? watch c-span's live election night coverage starting tuesday at 8:00 p.m. eastern as the results come in from house, senate, and governor races

around the country. hear victory and concession speeches from the candidates. then, wednesday morning at 7:00 a.m. eastern, he will get your reaction to the election, taking your phone calls live during wash." c-span, your primary source for campaign 2018. announcer: c-span's cities tour is exploring the american story in cities across the country. during a recent stop in lawrence, kansas, we asked voters in the state's second district which issue is most important to you for this november midterm election. >> i believe that not enough people in my generation are voting. the concern is that will be coming up within 10 years, 30 years. that's not a concern for the baby boomers taking over the majority of the voting. i believe my generation should take initiative, because the future is ours. we should put in politicians that will adhere to our needs. >> the issue that concerns me the most is our lack of

addressing medicare and social security insolvency. i haven't heard one person talk about how they are going to fix and or what their plan is, i feel that's an issue many older americans are really concerned about. no one says anything about it. >> i'd say the two issues that concern me the most are environmental protection and informed electorate. unfortunately, we have a lot of people in my generation, my peers, that have basically based a lot of their opinions on sound bytes instead of research and reflection. >> the most important issue to me in the midterm election is making sure that people are able to vote. alabama, the state of it's really hard for people of color to get to their voting polls, because they are not allowed to bring their public housing id, they have to have a

drivers license, and the nearest dmv is 50 miles away, and if you don't have a drivers license, how are you supposed to drive? there is no bus. it is important to me that we get access to people of color to vote. announcer: c-span cities tour travels the country to profile american cities. join us the first and third weekends of each month as we explore the american story. today and joining us now is someone with the independent florida alligator, university of florida, serving as their digital managing editor. good morning. guest: good morning, how are you? host: good, thank you for asking, what are you seeing about engagement in this midterm election? guest: the issue on our campus is early voting locations, for four years, it was not