THE KEY

Russian hacking and disinformation represents the single greatest threat to U.S. security, New York Mayor Bill de Blasio said during Wednesday’s Democratic presidential debate.

“Russia [is] trying to undermine our democracy and they’ve been doing a pretty damn good job of it and we need to stop them,” he declared when NBC News hosts polled candidates about the nation’s most pressing national security challenge.

But de Blasio was alone among 10 candidates on the debate stage in calling out the Russian threat. Other candidates cited climate change, China’s economic growth, conflict with Iran and nuclear proliferation.

That’s a startling breakdown as candidates square off in the first presidential debate since 2016 when Russian hackers probed election systems, compromised voter rolls and leaked hacked information in an effort to help Donald Trump’s electoral chances and damage Hillary Clinton.

And it produced some dropped jaws among cybersecurity and national security pros on Twitter – including Susan Rice, who was President Obama’s national security adviser during the Russian interference operation.

And here’s Molly McKew, who advised President of Georgia Mikheil Saakashvili:

Indeed, Russian hacking and cybersecurity more broadly were barely mentioned during the two-hour debate.

The first time the issue came up was nearly 100 minutes in when former congressman Beto O’Rourke (Tex.) charged that President Trump’s foreign policy had weakened U.S ability to meet challenges including “Vladimir Putin in Russia who has attacked and invaded our Democracy in 2016 and who President Trump has offered another invitation to do the same.”

Sen. Amy Klobuchar (Minn.), who has sponsored numerous election security bills, also put in a plug for them about 110 minutes in – and a dig at Senate Majority Leader Mitch McConnell (R-Ky.) who has been blocking election security bills from being voted on by the full Senate.

“If we do not do something about Russian interference in the elections and we let Mitch McConnell stop all the backup paper ballots then we’re not going to get what we want,” she said.

The top polling candidate in Wednesday's debate, Sen. Elizabeth Warren (Mass.), put out a $20 billion plan Tuesday that would require states to implement election security protections or face legal challenges. But she didn’t mention the topic on the debate stage. A whole new set of 10 Democratic candidates will meet for another debate tonight, including former Vice President Joe Biden, who is leading in early polls, as well as Sens. Bernie Sanders (Vt.) and Kamala Harris (Calif.) and South Bend, Ind., Mayor Pete Buttigieg. 

The relative silence on cybersecurity comes as congressional Democrats are gearing up for a drag out fight on securing the 2020 election.

The House on Wednesday passed a spending bill that included $600 million in election security grants for states and a cadre of Senate Democrats, including Klobuchar, have been trying to force floor votes on election security bills in an effort to shame or embarrass McConnell into acting on them.

That disconnect was unsettling for some election security advocates

“It’s disappointing there wasn’t a more sustained conversation about what steps need to be taken to safeguard our elections and how we get there,” Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, told me by email.

“After all, this is a debate among candidates who hope to appear on the ballot in 2020,” Norden said. “They, and all Americans, have an interest in ensuring that the 2020 elections are free and fair. “

Here’s more from Norden’s organization about the danger Russian hackers pose in 2020:

Ironically, though de Blasio cited Russia as the nation’s greatest threat, his campaign has been less than forthcoming about how it’s protecting itself against Russian hacking.

When I polled the candidates earlier this month about whether they were following basic cybersecurity guidelines recommended by the Democratic National Committee, de Blasios’ campaign declined to answer, saying only, “We take cybersecurity very seriously and will employ a variety of measures to protect our databases."

Warren also declined to answer the questions as did Sen. Cory Booker (N.J.) who was also on Wednesday's debate stage. 

Maurice Turner, an election security expert at the Center for Democracy and Technology, told me at the time that declining to answer those basic cyber hygiene questions was akin to refusing to say if the candidates typically wore seatbelts. “Anything but an immediate, unequivocal ‘yes’ doesn’t inspire confidence and leads to more questions,” he said.

Among the canddiates on Wednesday's debate stage, only Klobuchar and O’Rourke said they were following all the cybersecurity best practices I asked about, including having a full-time employee dedicated to cybersecurity issues and requiring staff to use complex passwords and a second factor such as a fingerprint or SMS code to access campaign tools and data.

Julian Castro, a former San Antonio mayor and Housing and Urban Development secretary, said his campaign had “adopted a number of best practices and guidance given to us by the DNC and various government agencies to protect our information,” but declined to discuss specific practices.

Former Rep. John Delaney (Md.) said his campaign had “implemented a number of the steps and procedures” I asked about and was working closely with the DNC cybersecurity team, but also declined to answer specifics.

The campaigns for Reps. Tim Ryan (Ohio) and Tulsi Gabbard (Hawaii) and Washington state Gov. Jay Inslee did not respond to repeated emails about the survey.

PINGED, PATCHED, PWNED

PINGED: The United States must lift a ban on U.S. companies supplying software and components to the Chinese telecom giant Huawei as a precondition for restarting trade talks, Chinese President Xi Jinping is prepared to tell President Trump when they meet in Japan for the G20 Summit this week, the Wall Street Journal’s Lingling Wei and Bob Davis report.

That ban has contributed to a $30 billion revenue hit at Huawei as the company ramps up efforts to provide next generation 5G wireless technology to global customers. U.S. officials say the ban is a national security issue because Huawei could use its position in 5G networks to spy for the Chinese government.

Chinese preconditions for restarting trade talks also include lifting a number of punitive tariffs the Trump administration has imposed, the Journal reports.

PATCHED: Five of the world's biggest tech services providers had their cloud computing systems compromised repeatedly by a Chinese government hacking group and failed to notify their clients -- even after the government got involved, Reuters's Jack Stubbs, Joseph Menn, and Christopher Bing report.

The biggest targets, IBM and HPE, exposed an unknown number of their clients to hackers, including several U.S. military contractors who had access to information about the travel schedules of top government officials, Reuters reported. The Swedish telecom Ericcson also endured "persistent and pervasive" hacking -- which is especially concerning because U.S. officials have urged allies to turn to Ericcson for next generation 5G wireless technology because they say its rival Huawei could be a Chinese spying tool.

U.S. intelligence officials criticized the companies for failing to notify their clients about the breaches in interviews with Reuters. 

PWNED: The second Florida city in a span of less than two weeks has decided to pay a mammoth sum to hackers who were holding its digital systems hostage, highlighting the growing scourge of ransomware attacks against American cities. Lake City, Fla., officials voted on Monday to pay out $490,000 in Bitcoin to hackers, all but $10,000 of which will be covered by the city's insurance company, the Gainesville Sun’s Andrew Caplan reported.The Riveria Beach, Fla., City Council voted to pay $600,000 to ransomware hackers last week.

The payouts come as officials are pressing federal lawmakers for more resources to keep their cities secure. Officials from Baltimore and Atlanta, which are both facing multi-million dollar bills from ransomware attacks, told lawmakers that federal funding for cybersecurity could be critical to preventing future attacks at a House Homeland Security Committee hearing Tuesday, reports Benjamin Freed at StateScoop

PUBLIC KEY

Senate Democrats are ratcheting up pressure on McConnell, who they say is unfairly keeping election security bills from a vote. Minority Leader Chuck Schumer (N.Y.) slammed McConnell during a press conference for "offering no good excuse" for his opposition to a slate of election security bills.

“American people have little confidence that President Trump will stand up to Putin, so Congress must act,” said Schumer. House Democrats are preparing to pass the Securing America’s Federal Elections, or SAFE, Act, which would mandate paper ballots and provide increased election security funding.  But McConnell has barred votes on any election security bills in the Senate despite attempts by Sens. Mark Warner (D-Va.) and Amy Klobuchar (D-Va.) to force votes on election-related bills last week.

House Speaker Nancy Pelosi (Calif.) also announced during the press conference that there will be a full congressional briefing on election security in July. Here's more from The Hill's Maggie Miller

— More cybersecurity news from the public sector:

National Security
The Department of Homeland Security is entering a new stage of dysfunction and finger-pointing
Colleen Long and Jill Colvin | AP
Huawei's legal chief told CNBC that the company makes "solutions for civil use."
CNBC
With a pirate cell tower, it's easy to send fake emergency alerts warning of a terrorist attack, nuclear bomb, or other disaster.
Vice
PRIVATE KEY

— Cybersecurity news from the private sector:

Breaking up Facebook, Mark Zuckerberg said Wednesday, wouldn't solve issues of misinformation, privacy or election interference.
USA Today
The lawsuit demonstrates the tension between building A.I. systems and protecting the privacy of patients.
The New York Times
Ratings agency Moody's Corp and Israeli cyber group Team8 launched on Thurs...
The situation highlights the challenge of securing open source software, which underlies virtually every IT system in government.
Nextgov
In 2017, two bounty hunters and a fugitive died in a chaotic shoot-out. Shortly after their deaths, someone started tracking one of the bounty hunter's phones.
Vice
THE NEW WILD WEST

— Cybersecurity news from abroad:

Recorded Future determined that APT33 or “a closely aligned threat actor” has used more than 1,200 web domains to conduct attacks since March 28.
CyberScoop