State election officials want the latest round of election security money included in a major bill proposed by House Democrats – but they’re divided on whether they want to accept a slew of voting mandates that come along with it.

The divide is largely along partisan lines. On one side, there's Iowa Secretary of State Paul Pate (R), the incoming president of the National Association of Secretaries of State, who balked at provisions in H.R. 1 that make it more difficult for states to impose voter ID requirements. Pate said in an email the For the People Act amounts to the federal government seizing authority over elections from states. 

On the other side are Democrats who largely support those efforts to expand voter access and consider them a fair trade for more election security money. 

“There’s a tension over H.R. 1 and whether or not it’s a federalization of elections,” one Democratic secretary of state told me at the NASS conference in Washington this weekend. “It is not. And anyone who claims that it is, that’s an overreach.”

House Democrats are eager to take on election security now that they are in the majority -- and included $120 million in their first bill of the session for states to upgrade outdated and vulnerable voting machines. Yet in the same bill they are also pushing voting priorities favored by Democrats and opposed by Republicans -- such as expanding automatic voter registration, restoring felons voting rights and making Election Day a national holiday. A divide among state officials, whose support is actually needed to implement the changes, underscores how the broader, partisan debate over the election priorities in the bill could make it harder to pass the much-needed security fixes.  

The bill also includes other mandates more specific to election security -- including that states audit election results for signs of hacking and that those new machines use paper ballots rather than digital ones. These have also been controversial on their own among state officials -- most notably in Georgia -- who don’t like the federal government limiting their options. 

Senate Majority Leader Mitch McConnell described the bill in a Washington Post op ed last month as “a sprawling proposal to grow the federal government’s power over Americans’ political speech and elections.” That doesn’t bode well for the voting security requirements getting through the Republican-controlled Senate.

The Secure Elections Act, the election security bill that came the closest to passing last Congress, had weaker mandates on election security and still never made it across the finish line. That was in the wake, of course, of the 2016 election, which was upended by a Russian hacking and disinformation operation.

There might be a better chance of passage this Congress, though, because Washington is concerned about the specter of a potential hacking operation from Russia or another adversary aimed at undermining the 2020 election, the Democratic secretary of state said. "You can’t take anything for granted in 2020,” the official said.

The Homeland Security Department, which helped state officials with cybersecurity testing and information sharing about cyber threats before the 2018 midterms, is also pressing hard for states to meet minimal security requirements before 2020.

Chris Krebs, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, is working with Congress on honing the election security provisions in the final draft of H.R. 1, he told reporters on the sidelines of the NASS conference. Krebs stopped short of endorsing all of the bill’s current security provisions, but said it had many “good elements.”

He also pushed back on claims of federal overreach on election security.

“I’m not aware of anyone in the federal government, particularly in the executive branch, who’s interested in taking over elections,” he said. “That’s a state-level responsibility and, as we’ve said all along, we’re here in support of state and locals.”


PINGED: More than 60 staffers from the Cybersecurity and Infrastructure Security Agency were on the ground in Atlanta this weekend, conducting computer penetration tests and game planning responses if there was a major hacking incident during Super Bowl LIII, Krebs said on Twitter ahead of the game. The agency worked “to monitor and respond to any emergencies, cyberattacks, or severe communications disruptions” to the game, he said. CISA also partnered with federal, state and local officials as well as the private sector to prepare for the game.

At least nine operational centers staffed with federal, state and local officials were also scheduled to monitor for cyber and physical threats during the game between the New England Patriots and the Los Angeles Rams, CyberScoop's Sean Lyngaas reported, marking "one of the biggest DHS cybersecurity operations at a Super Bowl to date." 

Brian Harrell, assistant director for infrastructure security at CISA, told CyberScoop that “we have always maintained our commitment to…providing federal resources and expertise during this highly visible, special security event,” even though the agency was hit by a funding lapse during the partial federal government shutdown. 

PATCHED: A National Security Agency outpost in Hawaii that's best known for employing former contractor-turned-leaker Edward Snowden, also plays a key role in monitoring cyber threats from China and other foreign adversaries in the Pacific region, Yahoo News's Jenna McLaughlin reported in an extensive profile of the facility.

The Hawaii location is vital for gathering cyber threat data and other signals intelligence because the curvature of the earth affects how far certain signals can travel uninterrupted, McLaughlin reported. A station in the U.S. or Europe, by contrast, "could be far less effective at sweeping up clear digital information from the Pacific," she noted.

The center's location also makes it's easier to hire local people with useful language skills, Priscilla Moriuchi, director of strategic threat development at Recorded Future, told McLaughlin. “Having a facility where people are closer physically and timewise to the countries that they’re following in the Asia Pacific, it’s almost hard to understate that,” said Moriuchi, who is a former head of the NSA’s East Asia and Pacific cyberthreats office.

PWNED: Duke Energy faces a record $10 million fine for breaking safety rules that protect the electric grid from cyber and physical threats, the Wall Street Journal's Rebecca Smith reported. Duke allowed remote computer access to some sensitive systems without the use of multi-factor authentication and improperly set up firewalls on some networks, according to documents from the North American Electric Reliability Corporation, or NERC. The company committed 127 violations of safety rules, NERC said — some of the violations are apparently ongoing while others lasted for years.

“Among the violations identified by NERC, Duke failed to protect sensitive information on its most critical cyber assets and allowed employees without proper clearances to access computerized records for more than four years, the documents say,” according to the Journal. “Duke also allowed contractors, employees and former employees without proper clearances to gain unescorted access to sensitive locations, like substations and computer server rooms, sometimes for many months.”


— Voting machine companies Electronic Systems & Software and Dominion Voting Systems are appealing a court ruling in Wisconsin that allows auditors for former Green Party presidential candidate Jill Stein to speak publicly about their forthcoming review of Wisconsin's election software, the Associated Press reported. That review could turn up evidence software failures or attempted hacking. “Stein’s request for a recount of Wisconsin’s 2016 presidential election results grants her the right to review voting machines,” the AP reported. 

— The federal government is ahead of other sectors in its implementation of the email authentication system called Domain-based Message Authentication Reporting and Conformance, or DMARC, Nextgov's Aaron Boyd reported. The company Valimail said in a report that the federal government is also a leader in the effectiveness of its DMARC policy. “The U.S. federal government occupies a substantial leadership position in the effective use of email authentication—and has remained there over the past several quarters,” the report said. 

— College student Joel Ortiz who accepted a plea deal of 10 years in prison is thought to be the first person convicted of a crime for a phone number hijacking technique called SIM swapping, Motherboard's Lorenzo Franceschi-Bicchierai reported. “Ortiz is one [of] a handful of SIM swappers who have been arrested in the last year for hijacking phone numbers and using them to then hack into emails, social media accounts, and online Bitcoin wallets,” according to Motherboard. “Other people who have been arrested are Xzavyer Narvaez, who’s accused of stealing around $1 million in Bitcoin; Nicholas Truglia, who’s also accused of stealing millions in Bitcoin; and Joseph Harris, one of the most infamous SIM swappers who allegedly stole more than $14 million in cryptocurrency.” Ortiz stole more than $5 million in cryptocurrency by SIM swapping.

— More cybersecurity news from the public sector:

A new report from the Defense Department's operational test and evaluation director says the Joint Regional Security Stacks program is undermanned and should be halted until security issues are resolved.
In a speech to Interpol in November, U.S. Deputy Attorney General Rod Rosenstein lobbied other governments to do more to help Washington track down foreign cybercriminals.

— Apple said it will issue a software update following a FaceTime glitch and apologized for the bug, the Wall Street Journal's Tripp Mickle reported. The flaw allowed a user to listen in on another user while the recipient's device was ringing by calling them in a group conversation. “We sincerely apologize to our customers who were affected and all who were concerned about this security issue,” a spokesman for Apple said Friday. “We appreciate everyone’s patience as we complete this process.”

— More cybersecurity news from the private sector:

Face removed more than 1,700 accounts, groups and pages from its namesake platform and Instagram linked to an online syndicate that has been accused of spreading fake news and hate speech in Indonesia.
The Wall Street Journal
The Federal Reserve will lend a hand to Bangladesh’s central bank as it sues to recoup losses from one of the world’s largest cyber heists, even while the Philippine bank targeted by the lawsuit on Friday called it baseless and beyond U.S. jurisdiction.
A terabyte of data — 100 million pages or 1,000 hours of video — can be shared on a thumb drive. But stolen secrets come with complications.
The New York Times

Coming soon:


Trump's Super Bowl Sunday interview, annotated:

Lawmakers call for Northam's resignation:

This is what’s left of communities abandoned after the Fukushima disaster: