The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: These political candidates are running on their cybersecurity expertise


In the wake of Russia's election interference campaign in 2016, there's a new wave of political candidates who are betting their cybersecurity expertise can help deliver them into office. 

Digital security hasn’t traditionally been a big stumping point for politicians -- or a core part of their backgrounds. But several state-level candidates are making it central to their pitch to voters, arguing that states are on the front lines facing Russian hackers trying to undermine their elections and cybercriminals trying to steal citizens’ personal data — and those states need elected officials with cybersecurity know-how to protect them.

“This is a threat to our democracy, so it’s important that we have elected officials who not only understand the importance of cyberthreats but understand the minutiae well enough to legislate on it,” said Hala Ayala, a Democratic member of Virginia’s House of Delegates who is running for reelection this year.

“People with my background live this every day,” said Ayala, who spent 18 years as an information security specialist in the U.S. Coast Guard before entering politics. “It behooves us to elect people who understand this evolving threat and can help us better prepare for it.”

Sheri Donahue, who’s running for Kentucky state auditor as a Democrat, compared her pitch to voters to a lawyer who runs on his familarity with criminal law or a doctor who says he knows how to reform the healthcare system. 

“We need to have people with a background and understanding of these things,” said Donahue, who was formerly a top official at InfraGard, an organization that shares cybersecurity threat information between the FBI and the private sector. “In [industry], they’re starting to elevate [chief security officers] and [chief information security officers] so they have a seat at the table. We need to make sure we have that at the state level too.”

Laura Galante, who runs her own cybersecurity firm and is running for the Virginia House of Delegates, also thinks she can help lawmakers take bolder action on election security. While campaigning in her rural district, though, she said she mostly uses her technology background to talk about the need for rural broadband and other local issues.

“Especially in the last few weeks after the Mueller report, it’s been very clear that election systems and state assets are being targeted,” Galante, who was formerly director of global intelligence for the cybersecurity firm FireEye, said of the special counsel's report on Russian election interference. “So having a legislature that’s able to actually look in and question security practices that are being put in place at a state level is very useful.” 

They were all endorsed by 314Action, a group that supports candidates at the federal, state and local level who have a background in science, technology, engineering and math. Among the candidates the group endorsed in 2018 were Sen. Jacky Rosen (D-Nev.), a computer programmer, and Reps. Kim Shrier (D-Wash.), a pediatrician, and Joe Cunningham (D-N.C.), an ocean engineer. 

The group is officially nonpartisan but the vast majority of the candidates it endorses who have a party affiliation are running as Democrats, President Shaughnessy Naughton told me. That’s largely because the group refuses to endorse candidates that don’t take a strong position on combating climate change, she said.

Naughton, a chemist, founded 314Action in July 2016 following an unsucessful run for Congress as a Democrat in Pennsylvania. Since the 2016 election, she said, she's seen a surge of interest from technologist candidates who want to help keep elections secure and stem the spread of disinformation online. 

“These are complicated issues and we need folks who understand them,” she said.

Donahue told me she's gotten a lot of interest from Kentucky voters when she talks about election security -- regardless of who they voted for as president in the 2016 contest. One of her key pitches, she said, is that she wants to expand state audits of the cybersecurity of election equipment. 

The voters, she said, are even familiar with what was once a fringe security issue on the campaign trail. “When I mention auditing voting machines, that resonates with people almost unanimously,” Donahue told me. “I tell them we have to make sure our votes count, and we have to make sure our adversaries aren’t tampering with our election and there’s resounding approval.” 

Donahue is also pitching herself to voters as someone who can protect state and county networks from the scourge of ransomware — a type of malicious software that hackers use to lock up computer systems until the victims pay a fee — and which has compromised municipal networks in Atlanta, Baltimore and elsewhere in recent years to the tune of millions of dollars.

“We have 120 counties in Kentucky and we can’t afford to pay $400,000 in ransom for 120 counties,” Donahue told me.

Ayala’s district in Prince William County is just an hour outside Washington and includes a lot of federal employees whose personal information was compromised in the 2015 Office of Personnel Management breach. So, it’s pretty easy to convince those voters that state government should be doing more to protect citizens’ personal data, she told me.  

Those ideas have been a tougher sell at the capitol in Richmond, however. Since she was first elected in 2017, she has sponsored bills to increase cybersecurity training for state employees and to lower the threshold at which Virginia businesses have to disclose data breaches — neither of which became law.

"When I first started to talk about it, you could see a glazed-over look," she said, "but the conversation's evolving."

CORRECTION: A previous version of this story incorrectly listed the office for which Hala Ayala is running. She’s running for reelection to the Virginia House of Delegates.


PINGED: Google suspended some of its business with Huawei this weekend, Reuters’s Angela Moon reported — a major blow that will make it far harder for the Chinese telecom that is suspected of spying for Beijing to compete globally.   

The move marks the most substantial result of a Commerce Department order last week that described Huawei as a threat to national security and barred U.S. companies from supplying it with certain components.

“The move could hobble Huawei’s smartphone business outside China as the tech giant will immediately lose access to updates to Google’s Android operating system,” Moon reported. “The next version of its Android smartphones will also lose access to popular services including the Google Play Store and Gmail and YouTube apps.”

Huawei, meanwhile, shot back at the order in a New York Times opinion column by Catherine Chen, director of the company’s board.

The “ban will not make American networks more secure,” Chen wrote. “Instead, it will hurt ordinary Americans and businesses by denying them access to leading technology, reducing competition and increasing prices.”

Chen added that “the ban will financially harm the thousands of Americans employed by the U.S. companies that do business with Huawei, which buys more than $11 billion in goods and services from U.S. companies each year [and] … could eliminate tens of thousands of American jobs.”

PATCHED: European Union governments agreed this weekend on a plan to impose joint sanctions on hackers and the organizations that support them, the Wall Street Journal’s Laurence Norman reported.

The agreement comes as the United States is lobbying allies in Europe and elsewhere to impose joint penalties on nations that violate rules of the road in cyberspace — especially Russia and China.  

“The introduction of sanctions was pushed by the Dutch and British, who have blamed Russia for some recent cyberattacks on the bloc,” Norman reported.

“People or entities suspected of significant cyberattacks, or attempted cyberattacks, originating outside the bloc would face a ban on travel to the EU and a freeze on their assets,” Norman reported. “The sanctions can also target people who provide financial or technical support for such attacks.”

British Foreign Secretary Jeremy Hunt praised the new sanctions regime on Twitter – and told Russia to take note.

PWNED: Someone appears to have hacked into a computer system maintained by the U.S. Golf Association and altered records to give President Trump embarrassing scores, my colleague Colby Itkowitz reported.

“It appears someone obtained access to Trump’s page and posted awful scores of 101, 100, 108 and 102,” Colby reported, citing a story in Golfweek. “Par in a round of golf is typically around 72, and Trump has traditionally posted more flattering scores in the 70s and 80s, which some skeptics say are not a true indicator of his golf game.”

The U.S. Golf Association has removed the erroneous records and is launching an investigation, Colby reported.


Cybersecurity news from the public sector:

U.S. senator convening meetings to warn business, academia of China... (Reuters)

APNewsBreak: Schumer calls for probe of Chinese rail tech (Michael Balsamo | AP)

Hacked Florida counties could disclose their identities — if they wanted to (Politico)

DHS Urges Cybersecurity Staff to ‘Deploy’ to Border Instead (The Daily Beast)

Acting secretary blocked Stephen Miller’s bid for another DHS shake-up (Nick Miroff and Josh Dawsey)

Baltimore officials announce manual workaround for property sales during ransomware recovery (Baltimore Sun)


Cybersecurity news from the private sector:

AT&T, Verizon Say They’ve Stopped Selling Location Data to Third Parties (Bloomberg Law)

Venture capitalists predict more aggressive security tools will reap big bucks - CyberScoop (Cyberscoop)

Infamous Forum For Instagram Hackers Gets Hacked by Other Hackers (Motherboard)

Bluetooth's Complexity Has Become a Security Risk (Wired)


Cybersecurity news from abroad:

Sweden requests detention order for WikiLeaks’ Assange (Jan M. Olsen | AP)

Results of kids' singing competition invalidated after Russian bots rig voting (The Hill)

Chinese cyberspies breached TeamViewer in 2016 | ZDNet (ZDNet)