States are now free to claim their shares of the hundreds of millions of dollars Congress set aside to secure election systems across the country.
But for many states, getting their hands on the money – and deciding how to spend it – is easier said than done.
In Minnesota, Secretary of State Steve Simon (D) told me he wants to use part of the $6.6 million in federal funds his state was awarded to hire three coders to immediately upgrade the state's aging voter registration system.
The clock is ticking: Minnesota was one of the 21 states that had election systems targeted by Russian hackers during the 2016 presidential race. With U.S. intelligence agencies warning the midterm elections are likely to be hit by another wave of cyberattacks, states are scrambling to secure their voting infrastructure by November.
But Simon says he might not get the funds he needs in time. Under Minnesota law, only the Republican-controlled legislature can release that money -- and local politics have left lawmakers in a stalemate over how to proceed. Right now, language to approve the funds is tucked in a spending bill the Democratic governor has threatened to veto for an array of unrelated issues.
Simon told me he’s worried that Minnesota might not find a way through the impasse before the legislative session ends this weekend, meaning the money could remain frozen until next year. What's more, there's a primary coming in August.
“All we need is a couple sentences from our state legislature allowing us to tap into those funds,” Simon told me. “Without that authorization, there will be $6.6 million dollars that's available for our use just sitting there.”
Congress approved the $380 million to be distributed across all 50 states as part of the massive spending bill President Trump signed in March. The money was divvied up into shares for each state based on the size of their voting age populations.
To get a hold of the cash, states have to submit a written request -- just a couple pages is enough -- to the Election Assistance Commission, the agency that manages the money. Within 90 days, the states must submit a more detailed explanation of how they plan to spend it.
So far, the EAC told me, 12 states have submitted requests for the money -- and another 17 are expected to do so by the end of the month.
But even some states who can use federal money right away, without input from their legislatures, are finding this process daunting.
The fact that Congress actually agreed to send financial help their way came as a surprise to many state officials I talked to – and it landed right as primary season was getting underway. Some state officials are too busy running their elections to start planning the upgrades they want to make.
“It may have been a quick fix if the money had been allocated a year ago, but we’re already in the middle of a midterm year,” said Tammy Patrick, senior adviser at the bipartisan advocacy group Democracy Fund. “It’s coming in close to the elections, when you don’t necessarily have time to figure out how to use it in the most impactful and effective way.”
That's the case for Colorado. The state has been particularly ahead of the curve in securing its elections. But Colorado is set to hold a primary on June 26, and officials there say they won’t have time to draw up and submit spending plans to claim the federal money until after that happens.
“We just don’t have time,” Lynn Bartels, a spokeswoman for the secretary of state, told me. “We’re waiting until after the primary because we’re so tied up with that.”
For other states, the delay comes down to figuring out how to secure their systems at all. Out of a dozen state officials I talked to, most said they were just starting to weigh their options about how to use the federal money. Some offered no indication that they'd put any of the cash toward election security upgrades this year.
In Florida, for instance, officials said they were on the fence about what to do with a potential $19 million influx. But a spokeswoman for Secretary of State Ken Detzner said the state has already taken steps to boost network security and share information about threats with other states. In Tennessee, officials said they're working out plans to pay for cybersecurity training for local election authorities, but major equipment upgrades aren't on the table right now.
And some may not even want to take the money. Georgia, which signaled last fall it opposed federal assistance for its voter systems, stands to claim some $10.3 million. But officials there tell me that they haven't made any decisions about the cash. “We are still evaluating our options,” said Candice Broce, a spokeswoman for Secretary of State Brian Kemp.
Kemp was among a handful of state election officials who told Politico in September they opposed financial assistance from Congress. He also accused the Department of Homeland Security last year of hacking state voting systems around the 2016 election (the DHS inspector general later said there was no such attack).
Another possible hold-up in submitting a plan: An abundance of caution.
The federal money comes from unused funds under the "Help America Vote Act" or HAVA, passed originally after the 2000 election debacle. The law, which took effect in 2002, set aside more than $3 billion for states to replace punch-card voting machines and other outdated equipment that caused chaos in Florida, and otherwise bring their voting systems into the 21st century.
At the time, many states rushed to purchase digital voting machines on the assumption that they’d provide a more accurate vote count than the old paper-based systems. But those are exactly the types of machines that cybersecurity experts and federal officials now want to scrap because they’re prone to hacking and don’t produce reliable audit trails.
Patrick, of the Democracy Fund, says state officials are being more careful about how they use this new round of funding.
“People are being far more deliberate with this process,” she told me. “They are going out and setting their priorities by speaking with local election officials to find out the best use of these funds.” Knowing that foreign governments could mount cyberattacks, she added, “is giving people great pause. They want to make sure they’re moving forward in the right way.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The federal government wanted a piece of software to handle President Trump's "extreme vetting" of foreign visitors, but then decided that humans should do the job instead.
"Immigration and Customs Enforcement officials told tech-industry contractors last summer they wanted a system for their 'Extreme Vetting Initiative' that could automatically mine Facebook, Twitter and the broader Internet to determine whether a visitor might commit criminal or terrorist acts or was a 'positively contributing member of society,' " The Washington Post's Drew Harwell and Nick Miroff report.
The project, now called Visa Lifecycle Vetting, later "shifted from a technology-based contract to a labor contract" after the agency received input from private companies and government agencies, ICE spokeswoman Carissa Cutrell told Harwell and Miroff. The agency concluded that no "out-of-the-box" system could come up to expectations, an ICE official said.
PATCHED: Eight House Democrats urged Trump in a letter not to terminate the position of White House cybersecurity coordinator.
"Whether it is coordinating an international response to an outbreak of ransomware, fighting Distributed Denial of Service attacks, or protecting American companies from the theft of trade secrets and intellectual property, the role the Cyber Security Coordinator plays in these cannot be overstated," the letter says. "A strong and coordinated whole of government response to these issues will ensure American leadership in the continually changing landscape of cyberspace."
The letter was signed by Democratic Reps. Debbie Dingell (Mich.), Dina Titus (Nev.), Jim Himes (Conn.), Sheila Jackson Lee (Tex.), Stephen F. Lynch (Mass.), Denny Heck (Wash.), Jacky Rosen (Nev.) and Derek Kilmer (Wash.).
Today we're urging @POTUS to reverse his decision to eliminate role of Cyber Security Coordinator. At a time when we face increased #cyber threats to our election systems & infrastructure, we must build on our capacity to combat these threats, not take needless steps backwards. pic.twitter.com/JVTf2bicos— Rep. Debbie Dingell (@RepDebDingell) May 17, 2018
PWNED: Former CIA employee Joshua Adam Schulte, the suspect in the leaking of CIA hacking tools to WikiLeaks last year, was rather careless with the information he uploaded online, according to Motherboard's Jason Koebler. Schulte is being held in jail in Manhattan on unrelated charges of child pornography, The Post's Shane Harris reported earlier this week.
"The amount of sensitive personal information he uploaded to a publicly available website while employed by the CIA is mind-boggling," Koebler writes. In addition to posting CIA software code on a public site, Schulte also uploaded personal information through which he could be easily identified, according to Koebler.
"Schulte also uploaded screenshots of his Gmail inbox, which have his name as well as emails that show information about his bank, his OKCupid account, his cell phone provider, his friends' and families' names, and more," Koebler reports.
Often it's difficult to discern who uploaded things to a server, or to confirm that someone's online pseudonyms are actually that person. Schulte made it easy: He uploaded screenshots of his gmail inbox that tied his name to specific accounts all over the internet— Jason Koebler (@jason_koebler) May 17, 2018
— More cybersecurity news:
— The Senate voted to confirm Gina Haspel as CIA director on Thursday. "Lawmakers approved Haspel’s nomination 54 to 45, with six Democrats voting yes and two Republicans voting no, after the agency launched an unprecedented public relations campaign to bolster Haspel’s chances," The Post's Harris and Karoun Demirjian report. "She appears to have been helped, too, by some last-minute arm-twisting by former CIA directors John Brennan and Leon Panetta, who contacted at least five of the six Democrats to endorse her bid to join President Trump’s Cabinet, according to people with knowledge of the interactions."
— Congress strikes back on ZTE. The House Appropriations Committee passed an amendment by Reps. C.A. Dutch Ruppersberger (D-Md.) and Rosa L. DeLauro (D-Conn.) that aims to prevent the Trump administration from alleviating sanctions that were previously imposed on the Chinese tech giant. In a statement, Ruppersberger said the amendment would "prevent a foreign company that is beholden to its government — and that ignores embargoes — from infiltrating the devices and networks that are now indispensable to American life."
— Sen. Patrick J. Leahy (D-Vt.) had a few words for Federal Communications Commission Chairman Ajit Pai during a Senate Appropriations subcommittee hearing yesterday: “I disagree with many of the decisions you’ve made at the FCC," Leahy said. “I also am concerned about the tone you’ve adopted. I think you’ve shown contempt for the public through your decisions. You ignored the overwhelming public support — I mean, I’ve never seen such overwhelming public support — for net neutrality.”
— Nancy Berryhill, acting commissioner of the Social Security Administration, told lawmakers Thursday that the theft of Social Security numbers continues to increase. “As long as the SNN remains key to assessing things of value, particularly credit, the SSN itself will have commercial value and will continue to be targeted by fraudsters for misuse,” Berryhill told the House Ways and Means Committee.
— More cybersecurity news about the goverment:
— The company LocationSmart made the location of cellphones of major mobile carriers available for anyone to look up in real time without the consent of customers, the computer security blog KrebsOnSecurity.com reported Thursday.
"LocationSmart’s demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site," wrote Brian Krebs, the author of the blog and a former Post reporter. "LocationSmart then texts the phone number supplied by the user and requests permission to ping that device’s nearest cellular network tower."
Robert Xiao, a PhD candidate at Carnegie Mellon University, told Krebs that the service had a vulnerability that made it possible to look up the location of other cellphones, too. "This is something anyone could discover with minimal effort," Xiao said. "And the gist of it is I can track most [people's] cell phone without their consent."
Krebs writes that LocationSmart took that service offline after he contacted the company.
— More private sector cybersecurity news:
— Research from cybersecurity company McAfee shows North Korean hackers have been targeting the Android cellphones of defectors through phishing attempts on Facebook and malware on Google Play, Forbes's Thomas Fox-Brewster reports.
"It appears to be the first example of North Korean hackers breaking through the security on Google’s market and a sign of increasing sophistication by the nation-state’s hackers," Fox-Brewster writes.
"Once the malware is installed, it copies sensitive information including personal photos, contacts, and SMS messages and sends them to the threat actors," McAfee's Jaewon Min wrote in the company's report. "We have seen no public reports of infections. We identified these malwares at an early stage; the number of infections is quite low compared with previous campaigns, about 100 infections from Google Play."
— As more financial transactions move online, so does money laundering. "The rapid expansion of fintech, e-commerce and mobile app services has made doing business and transferring money faster and more seamless than ever before," Mattha Busby writes in the Guardian. "But it has also opened the floodgates to cyberlaunderers who are now finding ways to co-opt legitimate sites and platforms for their own means."
— More international cybersecurity news:
- House Energy Committee hearing on quantum computing.
- BSides Knoxville conference.
- NolaCon conference today through May 20.
- HackMiami 2018 Hackers Conference today through May 20.
- Ignite '18 Cybersecurity Conference in Anaheim, Calif., from May 21 through May 24.
- House Energy Committee hearing on Internet of Things legislation on May 22.
- Senate Armed Services subcommittee on cybersecurity closed markup of the National Defense Authorization Act for fiscal 2019 on May 22.
- Security Through Innovation Summit in Washington on May 22.
- GMU-AFCEA Symposium 2018 in Fairfax on May 22 and May 23.
"I have no apologies." Kent State graduate explains why she posed with AR-10:
Are city scooters as fun as they look? D.C. weighs in:
Spider-Man spotted hanging out on Boston train: