Congress scrambled in early 2018 to deliver a surge in election security money before the midterms. But it turns out that states only spent about 8 percent of the $380 million Congress approved by the time the elections rolled around.
That’s the bad news in a spending report released Thursday by the Election Assistance Commission, which is responsible for disbursing the money.
The good news is that states are on track to spend the majority of the money before the 2020 elections — which intelligence officials say are far likelier than the midterms to be a hacking target for Russia and other U.S. adversaries.
The report highlights the lengthy process of investigations and reviews that are necessary before states can make major upgrades to specialized election equipment. Given the tight time frame — Congress approved the money in March and the EAC began disbursing it to states in June — EAC Chairwoman Christy McCormick told me that 8 percent is a reasonable amount to have spent and about what the commission expected.
It’s also a warning to Congress that the clock is ticking if it wants to deliver more election security money that will make a meaningful difference in 2020.
“I’ve heard from states across the board — Democratic and Republican — that more funds are needed,” said a person familiar with the election funding process who spoke on the condition of anonymity because they weren't authorized to speak publicly. “The timing of that money is important, but there’s still time to make a difference for 2020.”
Congress delivered the $380 million in election security money after the 2016 contest was marred by a Kremlin-backed hacking and disinformation campaign that included probing election systems in 21 states. There’s no evidence, however, that hackers successfully penetrated any voting machines or changed any votes.
The $31 million states had spent by September 2018 was mostly targeted at low-hanging fruit such as training staff on cybersecurity best practices, instituting new digital protections for staff accessing election systems and more regularly updating software, according to state narratives included in Thursday’s report.
Many states also planned to use the money for audits immediately after the elections.
“States were able to take advantage of the money to harden their systems before the 2018 elections,” McCormick said. “I think it helped us to have the most secure election we’ve seen so far, especially since 2016 when the alarm bells were rung.”
Before 2020, states expect to use much of the remaining money to hire new security staff, conduct election hacking war games and to update or replace outdated systems, such as voting machines that don’t include paper votes or paper receipts.
Those will all dramatically improve election security, McCormick told me.
State and federal officials agree, however, that the initial $380 million isn’t enough to cover the costs of replacing major election systems across a whole state.
That means either states will have to cover the shortfall or the federal government will have to kick in more — and it’s far from clear whether Democrats and Republicans will agree on new money, let alone approve that money on a schedule that will allow states to make effective use of it.
Congressional Republicans rebuffed Democrats’ efforts to deliver an additional $250 million in election security money to states last year. A major Democratic bill that commits $120 million to election security sailed through the Democratic-controlled House this Congress but will be a nonstarter in the Senate.
And the bipartisan election security bills that gained momentum last Congress — and might be a vehicle for more funding this Congress — have not been re-introduced.
That leaves a big question mark about whether Congress will approve any additional election security funding. And states, meanwhile, are inking contracts for new machines and service while the clock is ticking down to 2020.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
-- Is this really happening? Ecuador is "refusing to comment" on reports from WikiLeaks that its founder, Julian Assange, will soon be expelled from the Ecuadorean embassy in London where he has been living since 2012 to avoid an arrest warrant, per CNN.
From the WikiLeaks official Twitter acount:
BREAKING: A high level source within the Ecuadorian state has told @WikiLeaks that Julian Assange will be expelled within "hours to days" using the #INAPapers offshore scandal as a pretext--and that it already has an agreement with the UK for his arrest.https://t.co/adnJph79wq— WikiLeaks (@wikileaks) April 4, 2019
You might want to #FF this guy, an NBC News producer, who appaerently has been standing outside the embassy all night:
Hello Twitter. As you may have heard, WikiLeaks is asserting that Julian Assange will be forced to leave the Ecuadorean Embassy in London within “hours to days.”— Mac William Bishop (@MacWBishop) April 4, 2019
PINGED: A federal technology manager pleaded guilty Thursday to stealing a government database that contained nearly 250,000 Homeland Security Department employees’ personal information and detailed more than 150,000 internal investigations, my colleague Spencer S. Hsu reports.
The tech manager was allegedly conspiring with a former DHS acting inspector general to create a commercial version of the database – valued at more than $3 million – to sell to other government agencies.
“Sonal Patel, 44, of Sterling, Va., faces a maximum penalty of five years in prison after pleading guilty to one count of conspiracy to commit theft of government property, and agreeing to cooperate with prosecutors regarding a scheme that ran from 2014 to 2017,” Spencer reported.
“Patel in court papers acknowledged instructing a subordinate to send her directions on how to install the copy, and steering the Agriculture Department inspector general’s office to using the commercial version instead of the free government version. In June 2016, her plea statement said, she handed two DVDs with copied data to Co-Conspirator 1 ‘on the side of the road’ before the latter boarded a flight from Dulles International Airport to meet with software developers in India,” who would create the copycat program.
PATCHED: Georgia Gov. Brian Kemp (R) signed a bill approving the statewide purchase of new voting machines Thursday that some security experts say aren’t secure enough.
Everyone agrees that the machines — which include a touch screen that prints a paper ballot — are more secure than Georgia’s old system, which was fully electronic. Many security experts, however, say the machines are less secure than simple pen-and-paper ballots.
Advocates of the machines point out that they’re easier for people with disabilities to use and print a paper ballot so the voter can verify whether their vote was counted correctly. Critics, however, say people rarely verify those printouts are accurate.
Here’s more from the Associated Press’s Ben Nadler: “The signing comes months after Kemp, then the state’s chief election officer, defeated Democrat Stacey Abrams in the governor’s race, and amid several lawsuits challenging the state’s handling of elections.”
“The 2018 election drew national attention and shook voter confidence after it was marred by issues including long voter lines, reports of malfunctioning voting machines and high rates of rejected absentee ballots.”
PWNED: Members of a second House committee are pressing the Federal Emergency Management Agency for more information about a security failure that resulted in the agency improperly sharing the personal information of 2.3 million disaster victims with a contractor.
Republicans on the House Science Committee wrote to FEMA on Thursday asking for a briefing by April 18 about the incident in which the agency improperly shared data about victims of 2017 hurricanes and wildfires — including financial information — with a contractor that placed those victims in hotels.
The House Homeland Security Committee has been briefed on the mishap but wrote to FEMA with additional questions last week.
“The privacy incident at FEMA is particularly concerning to the committee as this information can be used to prey upon individuals in a variety of ways, including identity theft, fraud, targeted scams, and spear phishing,” Republican Science Committee members wrote to FEMA acting administrator Pete T. Gaynor. “Unfortunately, fraud and scams abound in the wake of natural disasters as nefarious actors seek to capitalize on the misfortune of affected communities.”
The lawmakers are also concerned the incident will “undermine disaster survivors’ confidence in their ability to safely and securely share their personal information with FEMA,” which could, in turn, prevent them from receiving important benefits.
Cybersecurity news from the public sector:
The National Security Agency officially released the source code for its cybersecurity tool Ghidra Thursday — following through on a promise that NSA Cybersecurity Adviser Rob Joyce made at the RSA Conference in March.
The newly open-sourced tool is part of a post-Snowden NSA effort to be more open about its operations and to take a more active role in the ethical hacking community. The agency released Ghidra to the software code-sharing site GitHub, which means cybersecurity researchers can experiment with and modify the tool.
It's here! Ghidra source code released: https://t.co/b4PRkodMYA— Rob Joyce (@RGB_Lights) April 4, 2019
This is an ongoing, supported project from @NSAGov. Looking forward to seeing the continued advancements and the innovation that occurs from the release. https://t.co/HXpAqqvzoN
Here’s an explanation of what Ghidra does from Wired’s Lily Hay Newman: “You can't use Ghidra to hack devices; it's instead a reverse-engineering platform used to take ‘compiled,’ deployed software and ‘decompile’ it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does.”
“Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild — like malware being used to carry out attacks — to understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.”
Cybersecurity news from the private sector: