with Bastien Inzaurralde

Readers, next week I’ll be writing about the biggest cybersecurity stories of 2018 and looking forward to what will make news in 2019. Got ideas about what I should include? Drop me a line at joseph.marks@washpost.com or DM me at @Joseph_Marks_.


House Democrats are planning a blitz of efforts to improve election security when they take control of the lower chamber next year.

Democrats will include some version of election security legislation in H.R. 1, the major legislative package they plan to introduce in the first days of the next Congress, Rep. Bennie Thompson (D-Miss.), incoming chairman of the House Homeland Security Committee, told me.

Thompson also intends to hold public hearings with Trump administration leaders and state and local election officials focused on how they’re hardening election systems in the lead-up to the marquee 2020 contest. The committee will further seek to hear from top voting machine manufacturers, which have had a contentious relationship with congressional watchdogs, a Democratic committee aide told me.

The House Oversight Committee will also review how states are spending $380 million in election security grants that Congress approved as part of an omnibus spending bill in March, Rep. Robin L. Kelly (D-Ill.), incoming chair of the committee’s information technology panel, said in an interview.  

“The first thing we have to do is have some oversight hearings and talk about weaknesses, which we didn’t get an opportunity to do this last session,” Thompson told me. “The will to do oversight on cyber issues just wasn’t there.”

Taken together, the actions suggest a relentless Democratic focus on election security when the party reclaims the House majority come January, which is likely to keep the issue in the headlines during an off-year when it might otherwise fall off the radar. The Democratic push comes after the GOP-led Congress failed to pass a comprehensive election security measure this year following the intelligence community's conclusion that Russia interfered in the 2016 election, including unsuccessful probes of voting systems in 21 states.

The Homeland Security Department didn't observe substantial digital efforts by foreign actors to undermine the 2018 midterm vote, officials have said.

The election security provisions in H.R. 1 will be based around Thompson’s Election Security Act, though details are still coming together, he said. That bill, which would allocate $1.7 billion to election security over seven years, was co-sponsored by 124 House Democrats but failed to win  Republican support this Congress.

Thompson is hoping the recent revelation of a breach at the National Republican Congressional Committee will spur Republican cooperation next Congress.

“Now that there’s an acknowledgment that there’ve been some election security issues on both the Democratic and Republican sides, we need to get bipartisan support for some legislation to address it,” Thompson told me.  

Thompson hasn’t contacted Republicans about supporting his measure, but plans to do so when he assumes the chairmanship.

DHS, which conducted cybersecurity audits for state and local election systems before the 2018 midterms, will also keep focusing on election security next year, the department’s top cyber official, Chris Krebs, told me this week.

“We’re taking a breath during this slow moment right now, taking a look at what were successes in ’18 and areas where we can improve our focus,” Krebs told me. “We’ll be ready to get right back into it come the new year.”

House Republicans did hold hearings on election security, including Homeland Security and Oversight committees in July. But their efforts were too little and too late for Thompson and other Democrats, who formed an election security task force to do work outside the formal committee process in June 2017 and released a state-by-state assessment of election cyber protections this year.

The Senate has worked on a more bipartisan basis, even though it failed to ultimately pass a major bill on the subject and is unlikely to do so before the end of this Congress. That bill, the Secure Elections Act, which was sponsored by Sen. James Lankford (R-Okla.), created an expert panel on election security and would have allocated grant money to states based on how closely they modeled the panel's best practices.


PINGED: Thompson also said during our interview that he plans to hold oversight hearings next Congress about White House cyber operations, including national security adviser John Bolton’s decision in May to eliminate the role of the White House cybersecurity coordinator.

Lawmakers and cyber experts have fretted that cyber issues will fall through the cracks without a high-profile White House point person. “We want, as much as we can, to be a team player,” Thompson said of the relationship between his committee and the White House, “but you’ve got to give us some players to put on the team.”

Other priorities for Thompson’s committee include examining cybersecurity in critical infrastructure sectors with less advanced protections, such as drinking water and wastewater systems, and preparing more people to enter the cyber workforce, he told me.

The committee will also urge more businesses to take part in a program that gives them legal protections to share cyber threat information with the government, he said. Nearly 200 private-sector organizations are receiving threat information from the government under that program, but only six are sharing in, according to June numbers from DHS.  

PATCHED: Navy Secretary Richard Spencer ordered a review of cyber vulnerabilities in his service branch as Chinese hackers have breached Navy contractors and subcontractors over the past 18 months and allegedly stolen highly sensitive information, according to the Wall Street Journal’s Gordon Lubold and Dustin Volz. “Attacks on our networks are not new, but attempts to steal critical information are increasing in both severity and sophistication,” Spencer said in an internal memo in October, as quoted by the Journal. “We must act decisively to fully understand both the nature of these attacks and how to prevent further loss of vital military information.”

Lubold and Volz noted that Spencer did not mention China in the memo, but there are several indications that Chinese hackers are behind the breaches. “Cyber fingerprints pointing to China include the remote administering of malware from a computer address accidentally exposed as located in the island province of Hainan, and a documented use of a suite of custom hacking tools shared among known Chinese hacking groups,” according to Lubold and Volz. “U.S. officials also say they have classified sources and methods that make it clear China is responsible.”

PWNED: Cyber weapons, information operations, artificial intelligence and the Internet of Things constitute “long-range emerging threats” against the United States, according to a report released by the Government Accountability Office. The report warned that foreign adversaries including Russia, China, Iran and North Korea may carry out cyberattacks against America's critical infrastructure and military infrastructure. “Adversaries could also launch cyber attacks on the U.S. health care system, threatening patient safety by disrupting access to medical care,” the report said. “Finally, adversaries are also developing tools to directly attack hardware and embedded components in aviation systems, which can manipulate or destroy data.”

After sending a questionnaire to the Defense, State and Homeland Security departments as well as the Office of the Director of National Intelligence, the GAO analyzed the answers and listed cyber weapons among 26 threats, some of which could either materialize in about five years and some of which have no time frame. Those threats fell into four broad categories: “adversaries’ political and military advancements,” “dual-use technologies,” “weapons” and “events and demographic changes,” such as climate change and pandemics.

The report identified quantum information science as an example of dual-use technology that could threaten the United States. “Quantum communications could enable adversaries to develop secure communications that U.S. personnel would not be able to intercept or decrypt,” the report said. Also, “quantum computing may allow adversaries to decrypt information, which could enable them to target U.S. personnel and military operations.”


— The Federal Election Commission approved a proposal by Sen. Ron Wyden (D-Ore.) to allow lawmakers to use leftover campaign funds to bolster the defenses of their personal electronic devices and accounts. The measure applies only to lawmakers themselves and not their family members or staff. As I reported yesterday in The Cybersecurity 202, members of Congress could, for example, use the funds to buy secure phones or routers as well as password manager tools.

“Given the growing cybersecurity threats posed by foreign governments hacking the personal accounts and devices of elected officials, it is common sense to permit these same funds to be spent on cybersecurity as well,” Wyden told me in an email before the FEC voted on his proposal. Additionally, as I noted yesterday, Wyden intends to introduce legislation in the next Congress to help secure the personal devices of congressional staffers, according to a Wyden aide.

— “The Justice Department inspector general could not recover any texts from the phones assigned to two controversial FBI officials for their work with special counsel Robert S. Mueller III because by the time investigators requested the devices, they had been reset in preparation for others to use them, according to a report made public Thursday,” The Washington Post's Matt Zapotosky reported. The report described investigators' efforts to retrieve messages from the government phones of former FBI agent Peter Strzok and former FBI lawyer Lisa Page, including by “consulting with the Defense Department, which had a forensic tool that other agencies apparently did not,” my colleague noted.

The report also mentioned issues with the FBI's ability to collect messages. “The inspector general wrote that the FBI seems to have multiple problems with its automated system for storing messages,” Matt wrote. “The report said the bureau acknowledged, as of Nov. 18, that it was ‘still not reliably collecting text messages from approximately 10 percent’ of FBI mobile phones.”

— More cybersecurity news from the public sector:


— Facebook this year paid the biggest single reward of $50,000 since it launched its bug bounty program in 2011, Wired's Lily Hay Newman reported. “The bug that garnered this windfall was in Facebook's developer subscription mechanism for notifications on certain types of user activity,” according to Wired. “Think of it as RSS for data being generated on Facebook. The researcher found that in certain situations a developer, or attacker, could have manipulated the subscriptions to receive updates that shouldn't have been authorized about certain actions and users.”

— The Aerospace Industries Association (AIA), a trade group representing aerospace and defense companies, released voluntary cybersecurity standards for contractors. The objective of those standards is “to help U.S. aerospace companies ensure the weapons systems they make for the U.S. military are secure from hackers,” The Post's Aaron Gregg reported.

“With aggressive state and nonstate cyber actors targeting the United States, it is essential that our industry work collectively to protect technology and information,” said AIA president and chief executive Eric Fanning, as quoted by my colleague. “We are committed to bringing our industry together in partnership with government to implement this and other meaningful measures that keep us and our nation safer from cyber threats.”

— More cybersecurity news from the private sector:


— Tensions flared between executives of the Chinese telecommunications giant Huawei and Britain's National Cyber Security Centre in late November when Ian Levy, the technical director of the NCSC, “walked out of a meeting with the Chinese company over its perceived failure to fix security holes in its products,” Reuters's Jack Stubbs reported, citing sources familiar with the talks. Stubbs added that while “Huawei responded with a pledge to spend $2 billion on a security overhaul to address the British concerns, tensions between London and the world’s biggest producer of telecoms equipment remain high as it fights U.S.-led allegations of Chinese state spying.”

— More cybersecurity news from abroad:


A year after the battle of Raqqa ended, Syrians return home to ruins:

A year after the Islamic State was driven from its capital of Raqqa, many Syrians have returned only to find the city still in ruins. (Liz Sly, Joyce Lee/The Washington Post)

Fire destroys thousands of voting machines ahead of Congo's presidential elections:

Before the Dec. 23 presidential election was postponed, thousands of voting machines were destroyed in a fire at a warehouse in Congo's capital. (Reuters)

Miss USA apologizes for comments about Miss Universe contestants’ English:

Miss USA Sarah Rose Summers apologized Dec. 13 after comments she made about the English-speaking abilities of two Miss Universe contestants. (Drea Cornejo/The Washington Post)