The Washington Post

The Cybersecurity 202: Here's an early look at how states are spending federal election security cash


with Bastien Inzaurralde


Nearly four months have passed since Congress set aside $380 million for states to upgrade their election systems, and we’re just now seeing concrete details about how states plan to spend that money.

California will immediately make more than $3 million available to county officials to help them protect voter rolls from cyberthreats and improve accessibility at polling places, according to figures provided to The Cybersecurity 202. And Hawaii will spend more than $400,000 ahead of the November midterms to upgrade computers, hire staff and conduct cybersecurity training, the secretary of state's office says. 

California and Hawaii are among 13 states that, as of Monday, have submitted their detailed plans to the Election Assistance Commission about how they intend to spend their share of the federal cash ahead of the July 16 deadline. Their plans offer an early indication that states are taking recommendations from federal officials and election security experts seriously as the midterms approach and intelligence officials warn of a new wave of election interference from the Russian government. 

“The bottom line is that the plan that we put together reflects all the cyber best practices from both the private and the public sector,” California Secretary of State Alex Padilla told me. “It’s vitally important not just for the cybersecurity of our elections but for the confidence the public deserves to have as well.” 

We're about to see more proposals from across the country: The EAC tells me it expects to receive budgets from all 50 states and five territories before next Monday. Any states that don’t submit their budgets by then could apply for an extension, but they risk losing their cut of the $380 million if they don’t have a plan turned in before the end of the fiscal year. 

There's been no shortage of input about how states should use their awards, which Congress approved as part of the massive government spending bill President Trump signed in March. Guidelines laid out by Congress, the Department of Homeland Security and the EAC recommend the money be put toward replacing outdated voting equipment, conducting cybersecurity training for election workers, patching vulnerabilities in computer networks and implementing post-election audits. Election security experts from private groups have offered similar advice, some focusing on getting states to switch to paper ballot systems.

California and Hawaii’s budgets show they intend to get started on much of that over the next few years.

The Golden State received $34.5 million from Congress, the most of any state. In addition to the money it intends to make available immediately, California plans to spend:

  • $7 million for improvements to VoteCal, California’s voter registration database, between 2019 and 2021
  • $3 million for county cybersecurity training between 2019 and 2021
  • $400,000 for county efforts to implement risk-limiting audits between 2019 and 2021
  • $1 million for personnel costs over the next three years

Additionally, California will spend a substantial chunk of cash — $20 million — over the next two years to cover special priorities, including equipment costs involved with setting up vote centers, a new election project in the state that will allow voters to cast ballots early, and a transition to a vote-by-mail system. While not directly tied to election cybersecurity, early voting is favored by some election security experts and state officials who say it can help officials detect voting anomalies with enough time to fix them before Election Day.

“Making sure we’re cyber secure doesn’t mean just investing in the latest firewall or encryption technology,” Padilla said. “We’re covering all bases.”

In addition to $410,000 it plans to spend immediately, Hawaii will use its total $3.1 million award for: 

  • $75,000 on new computers for election offices this year
  • $510,000 annually from 2019 through 2022 on hardware and software upgrades, new staff and cybersecurity training
  • $607,000 on new voting equipment 

“Currently, the State does not have the ideal amount of dedicated staff monitoring the elections environment,” state election officials wrote in the document. “The State will hire contractors with senior security expertise who are familiar with software solutions to set up and optimize the environment.”

“Elections in Hawaii are secure,” they added. “However, with the continued threat to the security of elections nationwide, the State will utilize these funds to further enhance the security of our environments to protect the integrity of the elections.”


PINGED: “Top Republican lawmakers on the House Energy and Commerce Committee sent letters Monday asking Apple and Google for more information on how extensively their smartphones track people’s locations and record snippets of their conversations,” The Washington Post's Hayley Tsukayama and Tony Romm reported. The GOP lawmakers told Apple chief executive Tim Cook and Larry Page, the chief executive of Google's parent company Alphabet, that the panel is examining “business practices that may impact the privacy expectations of Americans.” Rep. Greg Walden (Ore.), the committee's chairman, as well as Reps. Gregg Harper (Miss.), Marsha Blackburn (Tenn.) and Robert E. Latta (Ohio) signed the two letters.

The lawmakers inquired about whether and how Apple and Android phones gather information on users' location, including after they have removed the SIM card from the device or when the phone is set to “airplane mode,” Tsukayama and Romm reported. “Members of Congress also asked for more information on what audio data may be collected by smartphone voice assistants, even when they have not been 'triggered' with a phrase such as 'Hey Siri' or 'Okay Google,'” my colleagues wrote. The House lawmakers requested that Apple and Alphabet reply to their list of questions by July 23.

PATCHED: Timehop said hackers breached data such as names and email addresses of 21 million of the app's users, TechCrunch's Natasha Lomas reported. Additionally, 4.7 million of those 21 million users also had their phone numbers stolen in the security breach, according to a statement from Timehop. “The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of people’s data had been breached,” Lomas wrote.

Timehop said in its statement that the cyberattack happened “because an access credential to our cloud computing environment was compromised.” Timehop had not set up a multifactor authentication process to access that cloud account, but the company has since moved to install this security feature “on all accounts,” the statement said. “It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital 'memories' was affected,” Lomas reported.

PWNED: Facebook has high hopes for its facial-recognition technology, and that worries privacy advocates on both sides of the Atlantic Ocean, the New York Times's Natasha Singer reported Monday. The social network's implementation of facial recognition has drawn scrutiny from authorities in Europe, and residents in Illinois have sued the company over its use of the technology, according to the Times. “Already, more than a dozen privacy and consumer groups, and at least a few officials, argue that the company’s use of facial recognition has violated people’s privacy by not obtaining appropriate user consent,” Singer wrote.

Jennifer Lynch, a senior staff attorney at the Electronic Frontier Foundation, told Singer that the tech giant isn't being transparent about the way it uses facial recognition on its users. “Facebook tries to explain their practices in ways that make Facebook look like the good guy, that they are somehow protecting your privacy,” Singer told the Times. “But it doesn’t get at the fact that they are scanning every photo.”

Singer also reported that Facebook's ambitions for facial recognition go even further. “One patent application, published last November, described a system that could detect consumers within stores and match those shoppers’ faces with their social networking profiles,” Singer wrote. “Then it could analyze the characteristics of their friends, and other details, using the information to determine a 'trust level' for each shopper.”


— Federal judge Brett M. Kavanaugh, whom Trump nominated Monday to replace retiring Justice Anthony M. Kennedy in the Supreme Court, has expressed opposition to net neutrality, Motherboard’s Kaleigh Rogers writes. “‘Just like cable operators, Internet service providers deliver content to consumers,’ Kavanaugh wrote in a 2017 dissent on an appeal to have the court reconsider federal net neutrality protections,” Rogers reports. “‘Internet service providers may not necessarily generate much content of their own, but they may decide what content they will transmit, just as cable operators decide what content they will transmit.’”

— At least two Democratic municipal campaigns have suffered distributed denial-of-service attacks during the primary season this year, according to two sources, CyberScoop's Chris Bing reported on Monday. “The sources, who spoke on condition of anonymity to discuss privately held information, say that news of the incidents has already reached the Democrats’ largest campaigning bodies, the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC),” Bing wrote. “Sources said they were told about the attacks by campaign officials and not cybersecurity experts, leaving a gap in their understanding of the events.” Sources declined to identify the candidates or tell CyberScoop in which states the campaigns were located, Bing wrote.

— Orlando’s police are not giving up on Amazon’s facial-recognition tool, the Orlando Sentinel’s Ryan Gillespie reported Monday. “The Orlando Police Department plans to continue its test of Amazon’s facial recognition software, despite outcry from civil rights groups concerned that the technology could be abused,” Gillespie wrote. “City and police officials informed Orlando Mayor Buddy Dyer and the city council of the decision in a memo Friday, explaining more time was needed to make a 'thoughtful, precise and comprehensive recommendation' to Dyer on whether or not the city should eventually purchase the technology.” (Amazon founder and chief executive Jeffrey P. Bezos is also the owner of The Post.)

— “Congress is weighing a ban on federal agencies using video surveillance equipment from two large Chinese companies, the latest sign of concerns about foreign espionage among lawmakers,” the Hill’s Katie Bo Williams and Morgan Chalfant report. But it is unclear whether one of those two companies, Hikvision, is in fact a spying tool for the Chinese government. “Hikvision’s U.S.-based business touts its compliance with American laws,” Bo Williams and Chalfant write. “It worked with the Department of Homeland Security to patch a security vulnerability it uncovered in May 2017. It also recently opened a transparency center in California to allow law enforcement to view the source code for its products.”

— More cybersecurity news from the public sector:

Top State Department cyber official ‘optimistic’ of deal with Russia, China (CyberScoop)

Is it the IRS, or a scam? Government issues fraud warnings (The Associated Press)

The Pentagon Wants to Automate Some Classification Decisions (Nextgov)


— Twitter’s massive purge of bots and trolls seems to have spooked Wall Street. The company had its worst day since March after The Post reported that Twitter had suspended 70 million accounts in recent months, my colleague Elizabeth Dwoskin writes.

“The Post story, which published Friday, said that the suspensions could have some impact on the company’s tally of monthly active users, a key growth metric that is closely monitored by Wall Street investors,” according to Elizabeth. “Twitter’s stock was trading down nearly 10 percent Monday before closing the day down 5.4 percent.”

"Twitter’s largest single-day percentage dip since March comes on the heels of a positive run for Twitter," she continued. "Overall, its share price has more than doubled over the past 12 months, and it posted its first profit ever in February. The number of monthly users, called MAU, also jumped to 336 million in April, from 330 million in the previous quarter."

— More cybersecurity news from the private sector:

Apple releases iOS 11.4.1 and blocks passcode cracking tools used by police (The Verge)

Cellebrite's newest target: Your IoT-infested home (CyberScoop)

YouTube aims to crack down on fake news, support journalism (Associated Press)


— With 2018 halfway through, Wired's Lily Hay Newman looks back at some of the most significant security breaches and other cybersecurity milestones so far this year. They include the Trump administration's decision to name Russia as responsible for the 2017 NotPetya cyberattack and for a campaign to infiltrate the U.S. energy grid, the indictment of Iranian hackers over cyberattacks on universities and other security incidents such as the breach of Under Armour's fitness app, according to Wired. “Corporate security isn't getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated,” Hay Newman writes.

— More news about security breaches:

Ticketmaster breach was part of a larger credit card skimming effort, analysis shows (ZDNet)


"Google could face a record penalty this month from European regulators for forcing its search and Web-browsing tools on the makers of Android-equipped smartphones and other devices, potentially resulting in major changes to the world’s most widely deployed mobile operating system," my colleague Tony Romm reports.

"The punishment from Margrethe Vestager, the European Union’s competition chief, is expected to include a fine ranging into the billions of dollars, according to people familiar with her thinking, marking the second time in as many years that the region’s antitrust authorities have found that Google threatens corporate rivals and consumers."

— More cybersecurity news from abroad:

WhatsApp launches Indian media blitz to dispel fake news woes (Reuters)

Australian lawsuit funder files complaint against Facebook, flags suit over privacy breaches (Reuters)


