Reporter covering cybersecurity

THE KEY

Momentum may finally be building in Congress to take new action to secure the elections from cyberthreats as the midterms approach.

Lawmakers have struggled to advance election security legislation in the months since they approved a $380 million funding package for states to upgrade their election systems. But a flurry of election-related hearings on Capitol Hill in recent weeks — including a pair of hearings Wednesday that featured testimony from some of the government’s top cybersecurity and election officials — shows they’re sharpening their focus on the issue. And the latest attention could help move bipartisan legislation to combat election cyberthreats closer to the goal line as November nears and intelligence officials warn of ongoing attempts by the Russian government to disrupt the U.S. political system.

“The tone has changed so it’s much more forward-looking in terms of, ‘Let’s figure out what we can get done,’ ” said Sen. Amy Klobuchar (D-Minn.), co-sponsor of Secure Elections Act, which would streamline the way state and federal officials exchange threat information and has garnered broad support in the Senate. “Congress, I think, has realized our role has to focus on what’s in front of us, and that’s protecting the 2018 and 2020 elections from foreign interference.”

Klobuchar’s bill, introduced with Sen. James Lankford (R-Okla.), was a focal point in a Senate Rules and Administration Committee hearing Wednesday, the second election security hearing that Rules Committee Chairman Roy Blunt (R-Mo.) has called since June. Officials from DHS and the U.S. Election Assistance Commission testified about their efforts to share cyberthreat information and offer guidance on auditing vote tallies — things that the Secure Elections Act seeks to codify into law.

Lankford urged his colleagues to move on the bill in remarks before the committee. He said he and Klobuchar had worked hard to refine the legislation since they introduced it last year, soliciting feedback from state election administrators as well as officials from the EAC and DHS. 

“It is exceptionally important that we actually get a bill across the floor, get it passed and be able to help secure our elections for the future,” he said.

To be sure, new legislation will still be an uphill battle. Lawmakers have tussled over how big a role the federal government should play in state elections and whether to include new funding for state election security. With the midterms just a few months away, getting a bill marked up and moved to the floor will be a heavy lift.

Still, on the other side of the Hill, the House Homeland Security Committee on Wednesday morning held its first hearing on election security since the 2016 election, where lawmakers heard testimony from Chris Krebs, the top cybersecurity official at DHS.

Chairman Michael McCaul (R-Tex.) praised Congress’s decision to send election security funds to the states, but said that “we can always do more.”

“Foreign interference in our democracy cannot be tolerated,” he said. “I strongly believe we’ll be targeted again this November. We need to be prepared.”

Lawmakers have gotten an earful about election security lately. They've heard testimony on issues ranging from law enforcement's election security needs to the role of virtual currencies as conduits for foreign election interference. This week, they got a briefing from a panel of cybersecurity professionals and former state election administrators on election vulnerabilities. And late last month, election security experts and secretaries of state from across the country visited Capitol Hill to make their case for greater federal election assistance.

Here are a few takeaways from Wednesday's hearings:

1. All U.S. elections are a target for foreign hackers, including the midterms. “The risks to elections are real,” Matt Masterson, senior cybersecurity adviser at DHS, told the Rules Committee. “The 2018 midterms remain a potential target for Russian actors.” He noted that the intelligence community “continues to see Russia using social media, false flag personas, sympathetic spokesmen to influence or inflame positions on opposite ends of controversial issues.”

2. But the Russian government’s efforts to date aren’t as sweeping as they were in 2016. Chris Krebs, undersecretary of the National Protection and Programs Directorate, the main cyber unit in DHS, told House lawmakers that Russia has been quieter this year than it was during the last presidential race. In 2016, Russian hackers targeted election systems in 21 states, breaching a voter database in Illinois. Going into the midterms, Krebs said, “the intelligence community has yet to see any evidence of a robust campaign aimed at tampering with our election infrastructure along the lines of 2016 or influencing the makeup of the House or Senate races.” Masterson echoed his remarks, saying DHS will “remain vigilant and will continue to work with our partners to strengthen election systems.” 

3. ​Voter confidence is the biggest challenge in securing elections. Election officials across the country have stressed this point over and over as November draws near (I reported about it here). Sen. Ted Cruz (R-Tex.) asked EAC Chair Thomas Hicks in the Rules Committee hearing what he would characterize “as the most important security reform that state election authorities should put in place.” Hicks responded: “We need to make sure the confidence of the voter remains high — because if we erode that confidence, voters are not going to come out and actually cast their ballots.” Ensuring that, he said, would require an “A-to-Z” response, “from voter registration all the way down to election night reporting.”

PINGED, PATCHED, PWNED

PINGED: You are probably going to lose some Twitter followers in the next few days. And if you have a massive social following, well, you'll probably lose a lot. “On Wednesday, the social media service said it would begin removing large numbers of Twitter profiles that had been included in people’s follower counts — even though these profiles had been frozen by the company’s security team for suspicious behavior, rendering them completely inactive for significant periods of time,” The Washington Post's Elizabeth Dwoskin wrote. And it looks like Twitter had already started purging accounts before making the announcement because President Trump had lost about 100,000 users Tuesday night, my colleague reported.

Twitter Legal, Policy, Trust, and Safety Lead Vijaya Gadde wrote in a blog post that the move is “another step to improve Twitter and ensure everyone can have confidence in their followers.” Gadde also said the accounts of “most people” will lose “four followers or fewer” while users with a large following “will experience a more significant drop.” “We understand this may be hard for some, but we believe accuracy and transparency make Twitter a more trusted service for public conversation,” she added. “The company said the effort would affect about six percent of follower counts across the service,” Dwoskin reported.

PATCHED: Cooperation between the public and private sectors is essential to respond to cybersecurity threats, Sen. John Thune (R-S.D.) said Wednesday during a Senate Commerce Committee hearing that examined the Spectre and Meltdown vulnerabilities. “Cybersecurity standards should be industry-led and remain voluntary, but the cybersecurity risks that threaten our nation are too great to be handled solely by the government or by industry,” Thune, the committee's chairman, said in his opening remarks. The Meltdown and Spectre vulnerabilities, which were present on virtually all computer processors, were disclosed in January.

Sen. Bill Nelson (Fla.), the ranking Democrat on the committee, said hardware weaknesses such as Meltdown and Spectre threaten “our economy, our way of life and our national security” and​​​ show that “we continue to play defense” on cybersecurity matters. “We patch vulnerabilities once they're discovered and exploited and we simply don't have a sufficiently large, trained cybersecurity workforce to protect our country,” Nelson said. Sri Sridharan, director of the Florida Center for Cybersecurity, which is housed at the University of South Florida, told senators that Spectre and Meltdown “are old news” in the cybersecurity world. “They have been discovered, researched, and patched,” Sridharan said as he read his opening statement. “What they represent, however, is something of far greater concern: The multitude of unknown vulnerabilities that most assuredly still lurk in cyberspace. This, of course, poses a threat to our national security.”

PWNED: “The Commerce Department on Wednesday took a major step to loosen its restrictions on the controversial Chinese telecommunications company ZTE Corp., signing an escrow agreement that paves the way for the firm to continue doing business with U.S. companies,” The Post's Damian Paletta writes. Lawmakers from both parties on Capitol Hill have expressed concerns that ZTE could be an instrument for spying against the United States and that the company therefore threatens national security. The Commerce Department in April had announced punitive measures against ZTE for shipping telecom equipment to Iran and North Korean in violation of sanctions and for making false statements, but Trump tweeted in May that he intended to help salvage the company.

“The Commerce Department said Wednesday’s agreement established an escrow account, which allows the company to transfer $400 million in reserves,” Paletta reports. “This was a condition of its release from severe regulatory penalties.” Sen. Mark R. Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, issued a statement Wednesday that lamented the announcement, calling it a “sweetheart deal” for the Chinese company. Warner added that the deal “lets ZTE off the hook for evading sanctions against Iran and North Korea with a slap on the wrist.”

PUBLIC KEY

— A database containing detailed and private information about thousands of people with HIV or AIDS in Tennessee remained on a shared computer server for nine months, making the data accessible to about 500 people when only three scientists should have been allowed to see it, the Tennessean's Brett Kelman reported Wednesday. Officials at the Nashville Metro Public Health Department said that “they don’t believe the database was improperly opened during the nine months it was on the shared server because there is at least some evidence the file was never touched,” Kelman wrote. Data stored in the database included names, Social Security numbers, sexual orientation and other personal information, according to the Tennessean.

And even if no data was actually stolen, advocates for people with HIV or AIDS told Kelman that this incident could have serious consequences for the HIV/AIDS community. “During an interview with The Tennessean last week, three HIV community leaders worried that HIV-positive people would now be less likely to seek treatment, and those who are at risk for infection will be unwilling to get tested, out of fear that their identities will be carelessly mishandled by the government,” Kelman wrote. “'They know that, if this information got into the wrong hands, they could lose their family,' said Brady Dale Morris, 42, who has been HIV positive for about a decade.”

— A lawsuit in South Carolina alleges that the state's aging voting machines fail to guarantee the security of elections, according to the Associated Press, citing a report from the State newspaper in South Carolina. “The State newspaper reports the suit filed Tuesday says the South Carolina Election Commission has deprived voters of their constitutional right to vote by failing to provide a reliable voting system,” according to the AP.

— The United States should articulate a strategy to explore artificial intelligence or it risks falling behind international rivals such as China, according to lawmakers and experts, Nextgov’s Jack Corrigan reported Wednesday. “The Trump administration has taken a largely hands-off approach in regards to AI, arguing it’s still too early for the government to get involved in the technology and any attempts at oversight could stifle its growth,” Corrigan wrote. “But in a panel hosted Wednesday by Politico, experts were quick to point out the difference between burdening industry with regulations and addressing the issues at hand today.”

— More cybersecurity news from the public sector:

An FBI agent censured for sending anti-Trump text messages while he helped lead investigations into Hillary Clinton and President Trump will break his public silence Thursday in testimony before Congress.
Wall Street Journal
But their burgeoning approaches to state-sponsored research are divergent as the countries themselves.
Defense One
Morning Mix
Xiaolang Zhang is accused of downloading files that included engineering schematics and technical reports, authorities say.
Allyson Chiu
Hacker who offered Air Force, Army docs claimed to have exploited known Netgear FTP flaw.
Ars Technica
PRIVATE KEY

— Facebook is offering an enormous trove of anonymized user data to scholars to help them study how misinformation in used in elections. Bloomberg reports: "The data  amounting to 1 million gigabytes  will include almost all public URLs Facebook users globally have clicked on in the past year, including stories third-party fact checkers have deemed false, according to Harvard University political science professor Gary King, who is co-chairman of the effort. The data also includes demographic details of those who engaged with the links, such as the age, gender, ideological affiliation of users as well as their friends, and on their behaviors, such as whether they shared the link without opening it, or if they used a happy or sad face to comment on it."

— More cybersecurity news from the private sector:

Martin Tripp told the SEC on Friday that the Silicon Valley car company, whose $53 billion value rivals that of General Motors, had pushed for a number of potentially damaging measures to meet production quotas, including placing batteries with puncture holes into vehicles and reusing scrapped parts.
Drew Harwell
Google Chrome is enabling a new security feature called Site Isolation in response to the set of speculative execution side-channel attacks known as Spectre and Meltdown.
CyberScoop
SECURITY FAILS
THE NEW WILD WEST

— Ugandan officials are reconsidering a tax on the use of social media services following fierce public backlash and protests, the BBC reports. "Government is now reviewing the taxes taking into consideration the concerns of the public and its implications on the budget," Prime Minister Ruhakana Rugunda said in a statement to parliament, per the BBC. "The president has provided guidance on the matter and encouraged further discussion with a view to reaching consensus on how we should raise the much needed revenue to finance our budget."  The tax, approved last month, requires Ugandans to pay 5 cents every day they use social media or messaging apps such as WhatsApp. 

FOR THE N00BS
Your iPhone can do more than you know. With these iOS tricks, you’ll increase your battery life, get access to exclusive apps, connect your phone to a surround-sound system, and figure out who’s calling by the way it vibrates.
Motherboard
ZERO DAYBOOK

Today

Coming soon

EASTER EGGS

Thai Navy releases new footage of cave rescue:

This father was separated from his three-year-old son for more than a month:

Pence heckled by protester before speech: “Where are the children?”