THE KEY

Sen. Elizabeth Warren (D-Mass.), the top-polling candidate in the first Democratic presidential debate tonight, also has the most ambitious plan for how to protect U.S. elections from foreign hackers.

But that aim-for-the-fences approach, which Warren introduced in an eight-page blog post Tuesday, is sure to be a nonstarter among Republicans. And it will face serious scrutiny from some of Warren’s Democratic opponents who are championing a more practical approach to securing elections.

Warren’s plan would basically federalize election security. Washington would set all the rules for protecting federal elections against hackers — such as using hand-marked paper ballots and conducting security audits — and it would also foot the bill. States that didn't meet her requirements would face lawsuits from a new agency named the Secure Democracy Administration. It comes after the 2016 election in which Russian hackers and trolls stole emails and launched a disinformation campaign aimed at helping elect Donald Trump.

Warren would commit $20 billion over 10 years to the plan, which also focuses on improving ballot access for minorities and ending gerrymandering.

“Our elections should be as secure as Fort Knox. But instead, they’re less secure than your Amazon account,” the policy plan declares.

But the plan already is alienating Republicans. Sen. James Lankford (Okla.), the Republican sponsor of the election security bill that came closest to passing last Congress, the Secure Elections Act, criticized Warren’s proposal in an email to me, saying, “Elections are not and should not be run by the federal government.”

“The overwhelming majority of states have secure and reliable election systems, and one of the strengths of our democracy is the diversity of our election systems,” Lankford said. 

And the proposal will be a tough sell even for many Democratic lawmakers who are wary of usurping power from state and local election officials.

“It’s a fine plan, but politically I don’t think it will ever happen,” Herb Lin, a senior research scholar for cyber policy at Stanford University and co-author of a recent Stanford report on election security, told me.  

The proposal sets up a division on election security between Warren’s complete rewrite and more limited proposals from other 2020 candidates that are widely supported by Democrats — and some of which have bipartisan support.

Sen. Amy Klobuchar (D-Minn.), who will share the debate stage with Warren tonight, is the chief sponsor of the Election Security Act, which is modeled on major election security provisions that passed the Democratic-controlled House earlier this year. It has 40 Democratic co-sponsors in the Senate, including Warren and five other presidential contenders.

Klobuchar has also sponsored numerous other bills aimed at preventing a repeat of 2016, some with Republican cosponsors. And she’s part of a pressure campaign led by Senate Minority Leader Chuck Schumer (N.Y.) to force Majority Leader Mitch McConnell (Ky.) to bring some of those proposals to the floor.

And she was a co-sponsor of the Secure Elections Act with Lankford last Congress. As was Sen. Kamala Harris (D-Calif.), who will be in Thursday’s debate. 

The Klobuchar and Harris campaigns didn’t respond to a request for comment about Warren’s proposal.

Election security pros I spoke with generally praised the specific security requirements in Warren’s plan but were skeptical the broader federal takeover of elections was feasible.

“There are definitely some ideas that look like they could have long-term positive benefits on our elections here, but I certainly don’t think anything this wide-reaching, this groundbreaking, would stand a chance with the current Congress,” Maurice Turner, a senior technologist at the Center for Democracy and Technology, told me.  

And even if Warren could get support for the package, that support might fade over time — along with the necessary funding to keep the nation’s election equipment up to date and secure, Lin told me.

“This is going to require a continuing investment and it’s not clear Warren’s approach will do that,” he said. “It’s $20 billion over 10 years and that’s good, but information technology needs to be constantly refreshed. If you don’t take that into account, in 15 or 20 years your election machinery will suck again.”

And Warren’s hard line could backfire if Republican voters don’t trust a Democratic president to implement those fixes fairly, Susan Greenhalgh, policy director at the National Election Defense Coalition, said.

“We want everyone to have confidence that elections are free and fair, and if there’s concern that one party is going to be taking over and strong-arming the election process, some people won’t have that confidence,” she told me.

“We need a more aggressive federal response, and states have been moving far too slow and this is a national security issue,” Greenhalgh told me. “But the appearance of an improper election can be just as damaging as actual corruption.”

PINGED, PATCHED, PWNED

PINGED: New research shows that Internet and cellular devices produced by Huawei are “far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies,” Kate O'Keeffe and Dustin Volz at the Wall Street Journal report. The study could give the Trump administration extra ammunition as it urges allies to ban the Chinese company from their 5G networks.

In a test of 10,000 software components across 500 variations of enterprise network equipment, cybersecurity researchers found that half the components contained at least one hackable vulnerability. The report was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm and reviewed by government officials who considered it credible, the Journal reported. 

The study doesn’t speculate on whether the vulnerabilities were put there intentionally to assist Chinese government hackers, but that hasn’t stopped the White House from using it as fodder for its hard-line stance against the manufacturer.

“This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers,” a White House official told the Journal. “Huawei does not disclose this covert access to customers nor local governments.” Huawei declined to comment on the research. The company has steadfastly maintained it does not assist Chinese spying,

Meanwhile, some U.S. tech companies are finding clever ways around a Commerce Department ban on supplying software and components to Huawei over national security concerns, the New York Times’s Paul Mozur and Cecilia Kang report.

PATCHED: More than 20 million federal employees and others who had their security clearance records stolen in a 2015 database breach can sue the government for failing to protect their data, a federal appeals court ruled, my colleague Eric Yoder reports.

“[The Office of Personnel Management] effectively left the door to its records unlocked by repeatedly failing to take basic, known, and available steps to secure the trove of sensitive information in its hands,” the decision explained, pointing to several warnings OPM received from an agency watchdog.

The OPM breach was one of the largest in government, exposing deeply personal information about people’s finances and relationships that they had to share to get security clearances, as well as names, addresses, birth dates and Social Security numbers.

The federal employee unions bringing the suit are asking the court to force OPM to follow through on the recommendations in those warnings as well as to award lifetime credit protection and monetary damages to the victims.

PWNED: The NSA decided to scrap its controversial call records program after two collection errors in which the agency received records it should not have and violated Americans’ civil liberties and privacy, my colleague Ellen Nakashima reports this morning.

The second of those erroneous collections came last fall and was effectively a final straw for officials after years of problems with the program, which was first disclosed by leaker Edward Snowden in 2013.

Information about the erroneous collections was obtained in a lawsuit filed by the American Civil Liberties Union. NSA still hasn’t formally acknowledged shutting down the program, which was launched in the wake of 9/11 and expires in December.

PUBLIC KEY

The U.S. Census Bureau put the 2020 Census at “potentially catastrophic risk” by not implementing “basic security practices,” a recent report from the bureau's inspector general found. The report adds to a growing list of cybersecurity concerns over the 2020 census, including some raised by the Department of Homeland Security last month.

The bureau rushed to deploy its virtual storage environments to meet a testing deadline and failed to follow a number of Commerce Department protocols in the process, the investigators found. One security failure could have given attackers unlimited access to eight Amazon Web Services accounts, the report found. Worse, the bureau then lost the keys for the accounts and would have been unable to tell whether the accounts — and a potential buffet of Americans’ personal information — had been compromised. (Amazon founder and CEO Jeff Bezos owns The Washington Post.)

The watchdog is recommending that the Census Bureau’s top technology official reassess its security requirements for using computer clouds and present a plan for complying with Commerce Department IT guidelines within 60 days.

— More cybersecurity news from the public sector:

  • The former special counsel will appear publicly before two committees on July 17 — a made-for-TV moment that Democrats have been craving for months. (Rachael Bade)
  • Concerns over trade, conflict and oil will dominate a summit of the Group of 20. (Reuters)
  • Members of two House Science subcommittees drilled experts about the security of voting machines during a hearing Tuesday afternoon, putting the spotlight on election security as congressional Democrats continue to push f (The Hill)

PRIVATE KEY

— Cybersecurity news from the private sector:

  • About a dozen rural U.S. telecom carriers that depend on Huawei for network gear are in discussions with its biggest rivals, Ericsson and Nokia, to replace their Chinese equipment, sources familiar with the matter said. (Reuters)
  • McAfee has filed a lawsuit against former employees, accusing them of conspiracy and stealing trade secrets before starting new positions at a competitor. (CyberScoop)
  • Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. (Krebs on Security)

THE NEW WILD WEST

— Cybersecurity news from abroad:

  • Estonia is entrusting terabytes of information on its citizens to an ally in the hope of improving the security of its crucial government systems. (NBC News)

CHAT ROOM

Hats off to TechCrunch reporter Zack Whittaker for exposing that a portion of a blog post from the security company Check Point Software was plagiarized from a 2018 Wired item. And hats off, also, to Check Point for being forthright about the issue, investigating it and trying to prevent future problems.

ZERO DAYBOOK

Today:

  • The House Homeland Security Committee will bring in representatives from Facebook, Google, and Twitter to discuss their companies' efforts to address terror content and misinformation at 10 a.m.
  • Harvard Professor Cass Sunstein talks to Facebook Founder and CEO Mark Zuckerberg about government regulation, shifts to privacy, and innovation at the Aspen Ideas Festival at 4:30 p.m.