Florida lawmakers are railing against the FBI for taking more than two years to acknowledge Russian hackers penetrated some of the state’s voter files — and for remaining mum about which voters were affected.
The long delay signals to voters in Florida and elsewhere that the government won’t level with them if and when their votes are manipulated, the lawmakers say.
And that lack of public faith could do just as much damage as the Russian hacking and disinformation operation that upended the 2016 election and cast doubts on the legitimacy of President Trump’s victory.
“This lack of transparency is counterproductive,” Rep. Stephanie Murphy (D) told me. “I’m really concerned that it can erode public confidence in the integrity of our elections almost as much as the actual hacking did.”
Those concerns about election integrity could be especially damaging in Florida, which was the site of a hotly contested recount between George W. Bush and Al Gore in 2000 and is frequently a decisive state in close presidential elections.
“Florida is the country’s largest swing state … so we can’t afford to have the integrity of our democratic process be compromised or have Floridians be concerned about their vote,” Murphy said.
Murphy and other Florida lawmakers announced plans to introduce legislation to mandate speedy FBI reporting to state and local government officials and to members of Congress about election-related breaches in their districts, as my colleague Karoun Demirjian reported.
The lawmakers, who also include Reps. Michael Waltz (R) and Matt Gaetz (R), are trying to get as much of the Florida House delegation to co-sponsor the bill as possible along with lawmakers from outside Florida. Sen. Rick Scott (R-Fla.) is “looking into” sponsoring a Senate version of the bill, a spokesman told me, but didn’t provide additional details.
While the bill will focus on notifying government officials, Murphy told me, she expects those officials will make the information public as quickly as possible.
“We have a responsibility to our constituents to make sure we do everything we can to ensure the integrity of their votes,” she told me.
The lawmakers’ announcement came after a secretive FBI briefing on the breaches that lawmakers say penetrated voter rolls in two Florida counties before the 2016 contest but didn’t result in votes being changed.
The lawmakers were barred from naming the counties where breaches occurred but my colleagues Karoun and Ellen Nakashima reported one of them was Washington County in the Florida Panhandle, with a population of about 25,000 people.
The public first learned about the breaches from Robert S. Mueller III's report, which revealed that the FBI believed Russian hackers penetrated county-level networks in “at least one” Florida county. Gov Ron DeSantis (R) disclosed the hackers penetrated voter files in two counties after his own FBI briefing Tuesday.
The FBI assured DeSantis that county officials were aware of the breach, he said.
The federal government has a spotty track record when it comes to telling state and local officials about election security issues.
It wasn’t until September 2017, more than 10 months after the 2016 election, that the Department of Homeland Security officially notified election leaders in 21 states that Russian hackers probed their election networks.
And officials in Illinois — where Russian hackers breached a statewide database and made off with the personal data of tens of thousands of voters — didn’t get official confirmation about the breach until Mueller’s team indicted those hackers in July 2018.
DHS has been working hard to improve communication since 2017, including by creating a dedicated “information sharing and analysis center” for election infrastructure and granting more full and temporary security clearances to state election officials.
But even those efforts have focused mostly on sharing information with government officials rather than the public. That's not sufficient for the Florida lawmakers, Murphy told me.
“Just like consumers expect credit card companies to disclose when their personal information is breached … when a voter’s data is breached by a foreign actor, they have a right to know that,” she said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: A bill being prepped for introduction this morning by 38 Senate Democrats – including all seven presidential candidates -- would deliver $1 billion to improve the cybersecurity of election systems across the nation plus $175 million in additional state election security grants every two years.
The Election Security Act, which was introduced in the House on Monday, comes two years after a Russian hacking and disinformation campaign in 2016.
The bill, which doesn’t have any Republican sponsors, is mostly about signaling Democrats’ seriousness about election security. Senate Rules Committee Chairman Roy Blunt (R-Mo.) has said he doesn’t expect to hold hearings on any election security bills this Congress because he doesn’t think Senate Majority Leader Mitch McConnell (Ky.) will bring them to a floor vote.
The Election Security Act basically peels the election security provisions from H.R. 1, a catch-all bill of progressive legislation Democrats introduced soon after retaking the House in 2018. It includes a mandate that states use paper ballots or have paper backups and imposes minimum cybersecurity standards on state and local election systems. It also requires voting system to be tested 90 days before an election and a report on election interference threats by U.S. intelligence agencies 180 days before an election.
Sen. Amy Klobuchar (Minn.), a 2020 presidential candidate and ranking member of the Rules Committee, is spearheading the Senate legislation. Other sponsors include 2020 presidential hopefuls Michael (Bennet (Colo.), Cory Booker (N.J.) Kirsten Gillibrand (N.Y.), Kamala Harris (Calif.) Bernie Sanders (I-Vt.) and Elizabeth Warren (Mass.).
PATCHED: The Election Security Act was just the capper on a week full of cybersecurity action on the Hill.
Here are just a few things that have happened since Wednesday:
The Senate Judiciary Committee forwarded the bipartisan Defending Elections against Trolls from Enemy Regimes Act, which would allow the government to deny visas to foreigners who helped undermine a U.S. election — and deport anyone already in the United States.
Klobuchar and Sen. Chris Coons (D-Conn.) sent a letter to the Election Assistance Commission, which helps states verify the cybersecurity of their election machines, expressing concerns about major shortfalls on the commission’s technology staff. The letter asks what the EAC is doing to improve its staff retention and whether the staffing shortfall will force it to miss security deadlines.
A bipartisan group of lawmakers in the House and Senate introduced the Transportation Infrastructure Vehicle Security Act, which would bar states and cities from using federal money to buy rail cars from China over concerns about digital spying and sabotage. That issue was pushed onto lawmakers’ radar this year after China’s state-owned rail-car manufacturer, China Railway Rolling Stock Corp., expressed interest in a $1 billion contract to supply the next generation of Washington Metro cars.
Rep. Tom Graves (R-Ga.) added a provision to a State Department funding bill directing the department to increase cybersecurity cooperation with allies — especially when it comes to collectively fighting back against nation-state hackers.
PWNED: China shot back at the U.S. government Thursday over its efforts to bar the telecom giant Huawei from U.S. markets and to shut off its supply of U.S. components.
The latter move — which came in a Commerce Department notice that Huawei was being added to list of “entities” that it believes act contrary to U.S. national interests — got less attention but probably will have broader long-term consequences because it will restrict Huawei’s ability to compete globally.
Indeed, some trade gurus refer to the “entity list” as the “death penalty,” as my colleagues Damien Paletta, Ellen Nakashima and David J. Lynch reported, because it “makes it virtually impossible for companies to survive once U.S. firms are discouraged from doing business with them.”
Chinese Foreign Ministry spokesman Lu Kang described the move as an “abuse of export control measures” and pledged that “China will take further necessary measures to resolutely safeguard the legitimate rights and interests of Chinese enterprises,” the Associated Press’s Joe McDonald reported.
Huawei said in a statement that the export resrictions are “in no one’s interest,” “will do significant economic harm to the American companies with which Huawei does business” and will “affect tens of thousands of American jobs.”
The Justice Department on Thursday indicted 10 members of a cybercriminal gang that targeted banking information, infected tens of thousands of computers and caused more than $100 million in losses.
“The primary victims were U.S. businesses and their supporting financial institutions,” CyberScoop’s Sean Lyngaas reported. “Other organizations hit were a Pennsylvania asphalt and paving business, a Washington law firm, a casino in Gulport, Mississippi, and a California furniture business."
The Justice Department timed the indictment with a related legal action by Europol.
“The crackdown saw the U.S. partner with Bulgaria, Georgia, Germany, Moldova, and Ukraine, resulting in an indictment being returned by a federal grand jury in Pittsburgh, and prosecution of defendants in Georgia, Moldova, and Ukraine,” Sean reported. “Five of the accused live in Russia, which does not have an extradition agreement with the U.S.”
More cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: