For a while there, the Senate’s flagship bill to help states improve election security appeared to be gaining steam. Lawmakers from both sides of the aisle signed onto it. And an unlikely coalition of former national security officials, technologists and public policy groups urged lawmakers to pass the legislation.
But the Secure Elections Act stalled last week after the Senate Rules Committee canceled a key vote on the legislation at the last minute — and now its future is uncertain. Some Republicans who seemed poised to support the bill balked after the White House raised concerns about giving the federal government too much authority in election administration, while state officials objected to some of its requirements. Election security experts, meanwhile, worry the legislation is getting too watered down.
The delay highlights the tension at the core of the debate over how to best secure the country’s elections as officials warn about Russia’s ongoing campaign to disrupt U.S. politics. And the lack of progress in Congress underscores how difficult it is for lawmakers to balance competing concerns from state election administrators to national security officials to voting integrity groups.
Sen. James Lankford (R-Okla.), who introduced the bill with Sen. Amy Klobuchar (D-Minn.), said the Secure Elections Act isn’t dead — there are just some kinks to work out.
“This is an important bill that I will not let fail. I look forward to working with Members and groups that have technical concerns with the text ... as we continue to walk through its passage,” he told me in an email.
But the hang-up significantly dims hopes the legislation will pass before the November midterms. Here are three issues lawmakers are grappling with:
1. The White House isn’t keen on the bill.
The bill would give the Department of Homeland Security a greater role in election security by putting DHS in charge of sharing election cybersecurity threats with states and allowing the secretary to appoint an advisory panel to recommend improvements for states. It would also require states to audit the results of their elections and encourage them to use paper ballots instead of digital machines. But state officials would get security clearances.
But the White House is skeptical. “We cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections,” White House spokeswoman Lindsay Walters told Yahoo News after last week’s vote was postponed. If lawmakers press forward, she said, they should avoid “the imposition of unnecessary requirements” and “not violate the principles of Federalism.”
The administration isn’t out to sink the bill, Lankford told me, saying that he had “multiple conversations with the White House” over the weekend about it.
2. State officials have reservations.
Questions about whether the bill gives the federal government too big of a role in elections have hounded the bill since its early stages. Lankford and Klobuchar have gone out of their way to address the concerns, meeting with secretaries of state and tweaking the legislation based on their input. But they haven't won over everyone.
Vermont Secretary of State Jim Condos, a Democrat who heads the National Association of Secretaries of State, told me he’s eager to see the legislation pass but objects to the bill’s requirement that states conduct post-election audits because it doesn’t include any funding to carry them out. “I believe that audits are a best practice, as I do paper ballots,” he said. But “funding needs to be part of this.”
Other state election officials have raised their concerns privately, reaching out to their senators “with feedback on specific provisions of the legislation,” said Maria Benson, a spokeswoman for the National Association of Secretaries of State. The organization hasn’t taken a public position on the legislation, but, Benson said, “we look forward to continued positive discussions.”
3. Policy experts say the bill doesn't go far enough.
A previous version of the legislation would have required that states audit their election results “by hand and not by device.” In practice, that means conducting the rigorous paper-based audits that election security experts advocate, rather than software-based reviews. But lawmakers excluded that language in the latest version of the bill, leading prominent election integrity organizations such as Verified Voting to pull their support.
Jake Laperruque of the watchdog Project on Government Oversight said the move was designed to appease opponents who thought the audit requirement was too strong. The organization called on lawmakers to restore the original language,in a letter that was co-signed by groups including FreedomWorks, Americans for Tax Reform and the Brennan Center.
“What's surprising about the delay on [the bill] is that it had accounted for many of the challenges that often inhibit election security measures from Congress,” Laperruque told me. “It was bipartisan. It had support from groups that are strong federalism advocates like Freedom Works and [Americans for Tax Reform]. But Laperruque argues the committee markup of the legislation weakened the bill in a way objected to by tech and security experts in order to appease state officials.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Heads up: more disclosure may be required from Twitter for groups buying political ads “on topics such as abortion, health-care reform and immigration." This is "part of the tech giant’s attempt to thwart bad actors, including Russia, from spreading propaganda ahead of the 2018 election,” The Washington Post's Tony Romm reported. “The new policy targets promoted tweets that mention candidates or advocate on ‘legislative issues of national importance,’ Twitter executives said in a blog post. To purchase these ads, individuals and groups must verify their identities. If approved, their ads then would be specially labeled in users’ timelines and preserved online for the public to view. And promoted tweets, and the accounts behind them, would be required to disclose the name of the actual organization that purchased the ad in the first place.”
The new policy is in line with Twitter chief executive Jack Dorsey's goal of adding context about tweets. “Twitter will treat and cache issue ads similarly to how it began labeling ads purchased by federal political candidates and making digital copies available for the public to view earlier this year,” Tony wrote. “The new rules conform to Dorsey’s previously stated vision to add more context around tweets so that users can ‘make judgments for themselves’ about the nature of the content they consume, he told The Washington Post in a recent interview.”
Twitter's announcement came a day after the Senate Intelligence Committee said Dorsey will appear before senators next week alongside Facebook Chief Operating Officer Sheryl Sandberg for a hearing about foreign influence operations on social media platforms. The committee also has invited Larry Page, chief executive of Google's parent company Alphabet, but it's unclear whether he will attend.
PATCHED: Homeland Security Secretary Kirstjen Nielsen and her counterparts from Britain, Canada, Australia and New Zealand agreed to strengthen their cooperation to monitor cyberthreats, according to a statement from DHS released Thursday. Nielsen traveled to Australia this week for a ministerial meeting of the Five Eyes countries to discuss security issues including terrorism, immigration and cybersecurity.
“A cyber attack is an attack on our communities and our sovereignty,” Nielsen and her counterparts said in a joint communique. “We affirmed our collective resolve to deter malicious cyber activity, including improving domestic resilience, and coordinating technical attribution and operational response policies to mitigate significant cyber incidents.” The ministers also said the Five Eyes would coordinate their response should a “severe foreign interference incident” target them.
In a separate statement specifically about encryption, the United States, Britain, Canada, Australia and New Zealand said they “support the role of encryption in protecting” personal rights and privacy but added that “privacy is not absolute.” The document lists principles that the five countries said should guide discussions with the private sector about encryption:
- Companies such as telecommunication providers or device makers “are subject to the law, which can include requirements to assist authorities to lawfully access data, including the content of communications,” according to the statement. The document also notes that governments “should recognize that the nature of encryption is such [that] there will be situations where access to information is not possible, although such situations should be rare.”
- Governments should abide by the rule of law and due process when they seek access to the information of citizens. “This lawful access should always be subject to oversight by independent authorities and/or subject to judicial review,” the statement said.
- The Five Eyes also seemed to suggest that companies should allow backdoor access to their products. “The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries,” the statement said.
PWNED: Russia has failed to effectively block the banned secure-messaging app Telegram on its soil without hindering access to other online services in the process. So, now authorities are trying something new. “Since Aug. 6, Russian state communications watchdog Roskomnadzor and state security agency the FSB have been testing systems designed to allow more precise blocking of individual services, according to the minutes of a meeting between officials to discuss the plan,” Maria Kolomychenko of Reuters reported Thursday. Russia paused its efforts to shut down Telegram earlier this year after those attempts disrupted access to other services. For example, they prevented voice calls on the messaging app Viber and access to cloud-based apps for Volvo cars, according to Reuters.
“The earlier attempt to block Telegram involved targeting Internet Protocol addresses operated by Amazon, Google and others that hosted Telegram traffic. The problem was that these IP addresses often also hosted traffic for multiple other services which were also affected,” Kolomychenko wrote. “The systems being tested now use a technology called Deep Packet Inspection. The technology operates in a more surgical way, analyzing Internet traffic, identifying the data flows of a particular services and blocking them.” Reuters, citing executives at two of the companies that were invited to join the new tests, reported that initial attempts to block Telegram have been falling short so far.
— “Reality Winner, a former National Security Agency contractor who was jailed for leaking a classified document about Russian interference in the 2016 elections, thanked President Trump on Thursday for calling her punishment ‘so unfair,’ ” my colleague Amy B Wang reported.
Ex-NSA contractor to spend 63 months in jail over “classified” information. Gee, this is “small potatoes” compared to what Hillary Clinton did! So unfair Jeff, Double Standard.— Donald J. Trump (@realDonaldTrump) August 24, 2018
Winner, 26, was sentenced last week to five years and three months in prison. She will be on supervised release for three years following her prison term. “In an interview Thursday with ‘CBS This Morning,’ Winner told host Norah O’Donnell from a Georgia county jail she ‘deeply’ regrets having leaked the report to the media and appreciated Trump for verbalizing what she and her family had not been able to for more than a year,” Amy wrote.
— “The United States’ top spy catcher said Chinese espionage agencies are using fake LinkedIn accounts to try to recruit Americans with access to government and commercial secrets, and the company should shut them down,” Reuters’s Warren Strobel and Jonathan Landay reported Friday. “William Evanina, the U.S. counter-intelligence chief, told Reuters in an interview that intelligence and law enforcement officials have told LinkedIn, owned by Microsoft Corp., about China’s ‘super aggressive’ efforts on the site. He said the Chinese campaign includes contacting thousands of LinkedIn members at a time, but he declined to say how many fake accounts U.S. intelligence had discovered, how many Americans may have been contacted and how much success China has had in the recruitment drive.”
— The FBI on Thursday released several videos providing advice to political campaigns on how to improve their cyber defenses. The videos give campaigns tips on topics such as strengthening passwords, securing communications and avoiding phishing attacks.
Here are a few:
— “The U.S. Postal Service on Thursday acknowledged that it inappropriately released sensitive personal information about Democrat Abigail Spanberger, a former CIA officer challenging Rep. Dave Brat (R-Va.), calling it a ‘human error’ that it will address by changing procedures for public information requests,” The Post's Laura Vozzella reported. “‘The Postal Service deeply regrets our mistake in inappropriately releasing Ms. Spanberger’s Official Personnel File (“OPF”) to a third-party, which occurred because of human error,’ said a statement released by spokesman David Partenheimer. In the statement, the Postal Service suggested that confidential information involving other people was also mistakenly released.”
— More cybersecurity news from the public sector:
- Senate Intelligence Committee hearing on foreign influence operations on social media platforms on Sept. 5.
- House Energy Committee hearing titled “Twitter: transparency and accountability” on Sept. 5.
- Two House Homeland Security subcommittees hold a joint hearing on cybersecurity threats to the U.S. aviation sector on Sept. 6.
- 9th annual Billington CyberSecurity Summit in Washington on Sept. 6.
“Beaten up, but not down”: Close friends remember John McCain
Beto O’Rourke was in a punk rock band. The Texas GOP tried to shame him:
Grandmother grabs pythons by their heads and tails to remove them from grill: