The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: House Democrats' first bill aims big on election security

with Bastien Inzaurralde


House Democrats came out swinging on election security in their first bill of the new Congress on Friday, promising at least $120 million for new voting machines — so long as they use paper ballots rather than digital ones.

The move suggests the new House majority plans to push for the strongest election security measures they can get rather than seek compromise with the GOP-controlled Senate or the Trump administration. 

The paper ballot mandate puts the new House majority at odds with the Department of Homeland Security, which has left the door open for machines that record votes digitally but print out a physical paper trail so votes can be audited if there’s any suspicion of hacking. It also tees up a fight with the Republican-controlled Senate, which has been wary of imposing strict requirements on states.

Still, the push for paper ballots was met with applause and optimism by some election security advocates who hope the 2020 election will be more secure than the midterms. 

“Paper ballots, that’s the biggest win in this bill,” said Matt Bernhard, an election security advocate with the group Verified Voting. “This is about as aggressive as you can see anyone at the federal level being in terms of actually passing meaningful legislation.”

It may face an uphill climb, though: The For the People Act, which also includes provisions to expand voting access and increase campaign finance disclosures, is an early peek at Democrats' top priorities for the session -- but bipartisan cooperation is more stalled than ever as large parts of the federal government are still shut down amid a dispute with President Trump over border funding.

The fight over election security specifically has always come down to a delicate balance -- and this go-round is likely to be as contentious as ever. 

On one hand, the federal government and many Republicans are wary of imposing too many security mandates on states for fear of undermining a constitutional balance of powers that gives states broad authority to manage their own elections. On the other hand, states simply aren’t equipped to defend themselves against an ultrasophisticated hacking operation backed by Russia or another cybersecurity adversary.

Democrats view tying a paper ballot and other minimum security requirements to new grant money as a partnership with states rather than an imposition, Rep. Jim Langevin (D-R.I.) told me in December while the bill was still being finalized. 

“This is not going to be at all the federal government coming down to tell states how to run their elections,” said Langevin who co-founded the Congressional Cybersecurity Caucus and was formerly Rhode Island’s top state election official.

Republicans are likely to have a different view. The Secure Elections Act, a bipartisan bill in the Republican-controlled Senate last session, didn’t go nearly as far as this latest House bill and still never reached a floor vote. That bill basically punted on the question of paper ballots — leaving final security recommendations up to an independent advisory commission.

And a House bill that required paper ballots won 126 Democratic co-sponsors last Congress, but not a single Republican one. A Senate bill from Sen. Ron Wyden (D-Ore.) that mandated paper ballots won 14 Democratic co-sponsors and no Republicans.

While House Democrats’ demand for paper ballots is pretty tough, the mandate is worth it, Bernhard told me. A paper ballot is better than a digital ballot with a physical paper trail, he told me, because it guards against sophisticated hackers making a voting machine record one vote but spit out a paper receipt for another.

Bernhard’s position is fairly common among voting security experts, although some allow wiggle room for paper trails provided those systems are paired with “risk-limiting audits” after the election. A risk-limiting audit is essentially a hand check of a representative sample of paper ballots or paper trails to make sure the machines that read votes are tallying them correctly.

As of the 2018 midterm elections, only five states lacked any paper record of votes — Louisiana, Georgia, South Carolina, New Jersey and Delaware — but many more were using paper trails rather than paper ballots.

The For the People Act mandates risk-limiting audits but gives states five years to implement them as opposed to the paper ballot requirement, which would go into effect before the 2020 presidential election. Both mandates are tied to receiving election security grant money. 

The bill includes numerous other cybersecurity provisions too.

Among other things, it would impose new cybersecurity and transparency requirements on companies that produce election hardware and software and create a bug bounty program that offers ethical hackers cash rewards for spotting vulnerabilities in voting systems.

That slate of changes would be a major improvement in election security, but states will need significant federal grants to make them happen, Mark Weatherford, senior vice president at the security company vArmour and a former DHS cybersecurity official, told me.

“There are many opportunities to improve the current systems of voting, which should absolutely be tied to requirements for receiving federal grant funding,” Weatherford said. “I believe that most Americans would see this as a nonpartisan issue.”


PINGED: The partial government shutdown is well into its third week this morning and is hampering DHS’s work standing up its new Cybersecurity and Infrastructure Security Agency, Inside Cybersecurity's  Charlie Mitchell and Mariam Baksh reported

About 43 percent of CISA staff are furloughed during the shutdown, according to a DHS planning document. CISA staff are responsible for securing government websites and assisting with the cybersecurity of critical infrastructure, such as hospitals and airports.

Working with just over half your staff may seem like a skeleton crew, but compare it to the government’s go-to agency for cybersecurity standards, the National Institute of Standards and Technology. Just 484 of NIST’s 3,378 employees are exempt from furlough, or about 14 percent, according to planning documents

PATCHED: Sens. Mark R. Warner (D-Va.) and Marco Rubio (R-Fla.) introduced a bill that would create an Office of Critical Technologies and Security at the White House to coordinate the federal government's response to technology threats from China and other countries. The council would also be tasked with developing a strategy to preserve U.S. “technological supremacy” and protect the supply chain, according to the text of the legislation. The mission of the council's director would also include helping educate the public and business leaders about the threats that technology theft can pose to U.S. national security.

“China continues to conduct a coordinated assault on U.S. intellectual property, U.S. businesses, and our government networks and information with the full backing of the Chinese Communist Party,” Rubio, who sits on the Senate Intelligence Committee, said in a statement. “The United States needs a more coordinated approach to directly counter this critical threat and ensure we better protect U.S. technology.”

PWNED: Germany's Federal Office for Information Security defended its response to the leak of personal data of hundreds of German politicians and celebrities, the Associated Press's Frank Jordans reported. Politicians have blamed the agency for not responding sooner to the data leak — which includes addresses, phone numbers, chat messages and credit card numbers — after it emerged in December. “In a statement, the agency acknowledged it was approached by one lawmaker about suspicious activity on his private email and social media accounts in early December, but said it believed at the time his experience was a one-off case,” according to the AP.

Government officials said German Chancellor Angela Merkel and President Frank-Walter Steinmeier were among the politicians whose personal data was leaked, according to the Wall Street Journal's Ruth Bender. The far-right Alternative for Germany was the only party that did not have data that was leaked. Twitter on Friday shut down an account that was used to spread the data. “The suspended Twitter account showed posts linking to data archives stretching back to Dec. 1 and repeating daily in the manner of an advent calendar, which is popular among children in Germany in the run-up to Christmas,” Bender reported.


— Reps. Will Hurd (R-Tex.) and Robin L. Kelly (D-Ill.) reintroduced a bill that would elevate the position of federal chief information officer, who would report directly to the director of the Office of Management and Budget. The legislation would also direct the federal CIO to submit a proposal to Congress to streamline IT across the federal government, according to a news release from Hurd's office. Additionally, the bill would codify the position of federal chief information security officer, who would report to the federal CIO.

“This bill helps keep the vast information stored by the federal government secure from hackers by making clear that the Federal CIO is in charge of the security of our data across the government,” Hurd said in a statement. The legislation passed the House unanimously in the previous Congress in November but did not advance in the Senate.

— The FBI is investigating fake text messages impersonating Alyssa Farah, Vice President Pence's press secretary, that were sent to several House Republicans, the Wall Street Journal's Michael C. Bender reported. At least one Republican “has been repeatedly engaging with the imposter,” whose “messages sought the whereabouts of certain lawmakers and their availability for meetings,” according to the Journal.

— More cybersecurity news from the public sector:

Pentagon Seeks a List of Ethical Principles for Using AI in War (Defense One)

Retired General Warns Against Letting China Dominate 5G Networks (Bloomberg News)


— Wish Wu, a cybersecurity researcher based in China, withdrew a talk on hacking Apple's Face ID technology that he was scheduled to give at the Black Hat Asia conference in March in Singapore, according to Reuters's Jim Finkle and Stephen Nellis. Wu said his employer, Ant Financial, asked him to cancel the presentation. “Wu told Reuters that he agreed with the decision to withdraw his talk, saying he was only able to reproduce hacks on iPhone X under certain conditions, but that it did not work with iPhone XS and XS Max,” Finkle and Nellis wrote.

— More cybersecurity news from the private sector:

The Elite Intel Team Still Fighting Meltdown and Spectre (Wired)


— Marriott International said it believes hackers accessed about 5.25 million unencrypted passport numbers and about 20.3 million encrypted passport numbers in the data breach the company disclosed in November, The Washington Post's Peter Holley reported. In a statement, Marriott said there is no evidence that hackers “accessed the master encryption key needed to decrypt the encrypted passport numbers.”

Marriott initially estimated that the information of about 500 million guests was involved in the breach, but the company lowered its estimate in its latest statement. “The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” according to the statement.


Chinese censors go old school to clamp down on Twitter: A knock on the door (Gerry Shih)

WikiLeaks tells reporters 140 things not to say about Julian Assange (Reuters)


Coming soon


Trump directs his Cabinet to “find money” for the wall:

Lawmakers from both parties discussed on Jan. 6 how a deal could be reached to end the government shutdown. (Video: Luis Velarde/The Washington Post)

Suspected USS Cole bomber killed in Yemen strike:

The U.S. military said on Jan. 6 it had killed Yemeni militant Jamal al-Badawi, a suspected planner of the deadly bombing of a Navy destroyer, the USS Cole. (Video: Reuters)

Jeff Bridges's Golden Globes speech about trim tabs was pure Jeff Bridges:

Jeff Bridges gave an epic, long, winding acceptance speech after receiving the Cecil B. DeMille Award at the 2019 Golden Globes. (Video: Erin Patrick O'Connor/The Washington Post)