As the House Homeland Security Committee meets for the first election security hearing of 2019 today, Congress is still far away from a grand bargain to help protect state election systems from foreign hackers.
But the goalposts may be changing with Democrats in charge of the House.
The new top Republican on the committee, Rep. Mike Rogers (Ala.), tells me he's ready to impose requirements on states to secure their election systems against hackers. He called for a baseline of security states must meet before receiving money from the government to upgrade outdated and vulnerable voting machines and secure other election infrastructure.
“We want to get some minimum standards that have to be adhered to," Rogers tells me. And he says he's willing to work with Democrats to get it done.
This is a step forward from last Congress when many Republicans -- including governors-- balked at the idea of imposing serious mandates on states after an initial delivery of $380 million for security with no strings attached. House Republicans last session largely evaded the question of election security; they did not offer any major proposals or hold any hearings on the topic until well into 2018.
But the terrain looks different in Washington now that Democrats are exercising their new power in the House to push for a broad overhaul in U.S. elections -- and security mandates are starting to look more like the middle ground.
House Democrats' first bill of the new Congress mandates states use paper ballots rather than digital ones and make other security upgrades in exchange for $120 million. But it also pushes for a whole host of progressive priorities opposed by many Republicans. H.R. 1, also known as the For the People Act, would expand automatic voter registration, restore felons voting rights and make Election Day a national holiday, among other things.
Rogers says the Democrats' proposal is a nonstarter, but is open to compromise on the security parts.
“H.R. 1 is not a bipartisan vehicle," he said. "But, it’s my hope that after H.R. 1 moves on the House floor, we can revisit just the election security part with an actual vehicle that might move through the Senate.”
Rogers wants to organize a meeting in the next two months with House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and leaders of the Senate Homeland Security Committee to hammer out a bill that can win bipartisan support in both chambers, he said.
“I want to make sure we’re all singing off the same sheet of music, a vehicle that can get through the House and Senate,” Rogers told me. “As long as we don’t get too in the weeds and start getting to the point of picking winners and losers [in the election industry], I think we’ll get Republicans to go along.”
Rogers’s fig leaf may not be enough, however, to spark a compromise between emboldened House Democrats and Republicans who still control the Senate and have been notoriously wary of any kind of mandate on states. That means Congress may be unable to pass meaningful legislation to secure election systems before the 2020 presidential contest when Homeland Security officials say foreign hackers may pose a much greater danger than during the 2018 midterms.
It doesn't appear to be swaying Democrats, either: A Thompson staffer told me the chairman appreciates Rogers’s commitment to election security but is focused on passing the Democratic bill. Thompson introduced a version of that bill’s election security provisions last Congress, which won 126 Democratic co-sponsors and no Republican ones.
There are also problems in the Senate where the most popular bipartisan bill last Congress, the Secure Elections Act, basically punted on security mandates, leaving the question to an advisory panel convened by the Department of Homeland Security. That bill still never reached the Senate floor, partly because of White House concerns.
Rogers hopes lawmakers can agree to a bill with specific mandates this Congress that goes further than the Secure Elections Act, he told me.
That bill “didn’t really crank my tractor,” he said. “I didn’t think it went far enough. We’ve got to be more specific.”
Finally, there's also a partisan division among states seeking election security money, state officials have told me, with Democrats more comfortable with federal mandates than their Republican counterparts.
California Secretary of State Alex Padilla, the state's top election official, will testify at today's hearing that Congress should endorse election security best practices, such as keeping election infrastructure off the Internet as much as possible, using paper ballots and rigorously testing voting systems before an election and auditing them afterward, according to written testimony his office provided me.
States will need new federal grant money to implement those security measures, though, and to upgrade their current, outdated election systems, Padilla plans to testify. And the $380 million Congress granted last year simply wasn’t enough, he’ll say.
“There are some elections officials searching on eBay for replacement parts for systems that are no longer supported by manufacturers,” according to Padilla's prepared testimony. “Others are utilizing operating systems that are so old, their vendor no longer provides tech support — meaning some voting machines cannot be patched or updated with the latest security software. Simply put, too many elections officials are ill equipped to defend against 21st century threats.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: President Trump is expected to sign an executive order by Friday that would aim to protect U.S. telecommunications networks and could lead to barring Chinese companies including Huawei, The Washington Post's Ellen Nakashima and Tony Romm reported. With the executive order, the president is expected to declare a national emergency about the threat to the telecommunications supply chain. As a result, the Commerce Department will consult with the State Department and the Department of Homeland Security to come up with rules to implement the policy; officials will have several months to develop the rules. U.S. officials have said that Huawei could be used as a platform for Chinese spying. The order will not ban specific firms or countries, according to officials.
“Major telecom companies such as AT&T and Verizon already bar Huawei equipment from their core networks, a response to concerns raised years ago by U.S. intelligence agencies,” my colleagues reported. “But officials say that issuing the executive order now is a way to show the world that the United States is leading by example, taking decisive measures to protect the telecom supply chain.” Federal officials want the executive order to be ready before the Mobile World Congress in Barcelona, a mobile industry conference, which will be held later this month.
PATCHED: The Senate Homeland Security and Governmental Affairs Committee is set to examine a handful of cybersecurity bills today during a business meeting. The panel is set to discuss the Federal Rotational Cyber Workforce Program Act, which would allow civilian cyber workers from a federal agency to temporarily work in another agency to gather new experience. The bill was reintroduced in this Congress by Sen. Gary Peters (Mich.), the committee's ranking Democrat, and Sen. John Hoeven (R-N.D.).
The committee is also set to mark up a bill by Hassan and Rob Portman (R-Ohio) to codify into law the DHS teams that are tasked with defending the government's networks against cyber threats. The DHS Cyber Hunt and Incident Response Teams Act would make the agency's “cyber hunt” and “cyber incident response” teams permanent, according to a news release from Hassan's office. The bill would also direct DHS's teams to help the private sector restore computer services after cyberattacks. Hassan said in a statement that it would help “foster collaboration between the best minds in the field of cybersecurity to help fend off cyberattacks and protect vital infrastructure.” The committee is also expected to mark up a third cybersecurity bill, called the National Cybersecurity Preparedness Consortium Act.
PWNED: Some lawmakers on Capitol Hill want Metro to get approval from the Defense Department, DHS and the Transportation Department before striking any deal to build the next generation of rail cars for the nation's capital because of concerns about potential Chinese spying, The Post's Faiz Siddiqui reported. China Railway Rolling Stock Corp. appears interested in bidding for a contract to build Metro's 8000-series rail cars. Metro added security provisions in its procurement requirements last week but some lawmakers remain worried.
“The broader challenges posed by China’s ambitions demand the attention of policymakers, and I’ve been engaging with my colleagues on how to appropriately respond to China’s cyber incursions and other malign actions,” Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee's vice chairman, said in a statement Sunday, according to my colleague. Metro “needs to share a sense of urgency that I haven’t seen from their response so far, and I have requested that they hold a more detailed briefing for my office this week on their handling of this issue.”
— Three recent solicitations for federal business opportunities show that the Defense Department is investing tens of millions of dollars in cyber training, Fifth Domain's Justin Lynch reported. “The Air Force released a Feb. 5 public solicitation to support expansion of its CyberWorx project by building new training facilities located at the service’s academy in Colorado,” Lynch wrote about one of the projects. “The $30 million expansion is expected to be the first phase of the project and will include new cyber research and testing facilities.”
— Federal prosecutors said two hackers were charged with making false shooting and bombing threats in the United States and Britain, the Associated Press reported. The threats were aimed at schools and other institutions. The two men belong to the hacking collective Apophis Squad, according to the Justice Department. “Members of Apophis Squad used ‘spoofed’ email addresses to make it appear some threats had been sent by innocent parties, including the mayor of London, according to court papers,” the AP reported.
— More cybersecurity news from the public sector:
— Researchers are disagreeing over which hacking group carried out cyberattacks against the Norwegian software company Visma, an international apparel company and an American law firm, CyberScoop's Sean Lyngaas reported. The cybersecurity companies Recorded Future and Rapid7 attributed the attacks to the Chinese government-linked hacking group APT10 in a report last week. The companies said they had “high confidence” that APT10 was behind the operations.
“But analysts at other companies that follow APT10 say the activity described in the report is the work of another China-linked hacking group, called APT31 or Zirconium,” CyberScoop reported. “An APT10 attack would have looked different, according to Kris McConkey, head of cyberthreat detection and response at PricewaterhouseCoopers (PwC).”
— The Milwaukee-based email provider VFEmail said it suffered “catastrophic destruction” by a hacker who ravaged the firm's primary and backup systems in the United States, Brian Krebs of KrebsOnSecurity.com reported. “It’s not clear how or whether VFEmail will recover from this latest attack, but such actions are an unsettling reminder that although most cybercriminals have some kind of short- or long-term profit motive in mind, an intruder with privileged access to a network can just as well virtually destroy everything within reach as they can plant malware or extortion threats like ransomware,” wrote Krebs, who is a former Post reporter.
— More news about security incidents:
- House Homeland Security Committee hearing on election security.
- The Center for Strategic and International Studies holds an event on digital surveillance.
- Senate Homeland Security and Governmental Affairs Committee business meeting to consider several cybersecurity bills.
- The Bipartisan Policy Center and the Democracy Fund hold an event titled “The voting experience: 2018 and the future” tomorrow.
- Senate Commerce Committee hearing on “policy principles for a federal data privacy framework” on Feb. 27.
Inside Paul Manafort's 2016 meeting with a Russian operative:
Hundreds protest for immigrants with temporary status:
With their country at a crossroads, Venezuelans stage dueling rallies: