That’s the message from Vermont’s top election official, Jim Condos (D), who ends his term as president of the National Association of Secretaries of State this week.
There are just about six months left during which states could responsibly spend a big infusion of federal money aimed at protecting the 2020 contest, Condos told me. If Congress approves new funding after that, most of it won’t be spent until the next federal election cycle, he said. The warning comes as intelligence officials are cautioning that Russia and other U.S. adversaries are likely to try to interfere in the 2020 election in a repeat of the Russian hacking and disinformation operation that upended the 2016 contest.
“It takes time to plan, to do assessments. We all have procurement rules we have to follow … and we want to be responsible stewards of congressional money,” Condos told me by phone from the National Association of Secretaries of State’s summer conference in Santa Fe, N.M.
The prospects of Congress delivering new money in that timeframe don't look good.
Congress has spent plenty of time bickering about election security since 2016 — but its actual efforts to help states secure those elections haven’t lined up well with the electoral calendar. In general, those efforts have been stymied by a battle between Democrats who want new money to be dependent on states following some mandatory cybersecurity best practices and Republicans who say those mandates would infringe on states' rights to run elections as they see fit.
Lawmakers allocated $380 million for election security in March 2018, but states were only able to spend 8 percent of that money before the midterm elections that November. Christy McCormick, chairwoman of the Election Assistance Commission, which distributed the money, told lawmakers in May she expects about 85 percent of it will be spent before the 2020 contest.
That bickering and uncertainty has made it tough for states to plan security upgrades for the 2020 contest, Condos told me.
“We’re talking about defending our democracy and we’re talking frankly about the security, the integrity of our elections,” he said. “That should be nonpartisan. Everyone in Congress should want to help in that direction.”
Despite those concerns, Condos told me he’s confident the 2020 election will be the most digitally secure one yet — because of a mix of election system hardware and software upgrades, and a new regimen of cybersecurity testing.
“We were in much better shape in 2018 than in 2016 and we’ll be far better in 2020,” Condos told me. He warned, however, that “cybersecurity is like a race without a finish line, a never-ending battle. We have to keep our focus and our attention on it every day.”
The Department of Homeland Security’s top election security official Matt Masterson, who was also attending the Santa Fe conference, echoed Condos’s confidence.
“There’s no question that our election process is more resilient and secure than it was in 2016, and heading into 2020 it will certainly be more secure than it was in 2018,” Masterson told me.
DHS dramatically ramped up its assistance to state election officials after 2016 — including offering to scan election systems for digital vulnerabilities and installing a network of digital sensors across about 90 percent of states’ voting infrastructure to spot hacker activity.
Heading into 2020, the department’s main goal is to get more county-level election officials to implement cybersecurity best practices and to join a cyberthreat information sharing program with the federal government, Masterson told me.
DHS is also pushing states and localities that are still buying voting machines for 2020 to invest in machines with paper ballots or paper backups that can be audited after elections, he said.
About 90 percent of voting districts have voting machines with paper backups, according to an EAC report out last week. DHS hopes to get that number close to 100 percent by the 2020 contest, Masterson told me.
“Considering where we were in 2017, the amount of progress we’ve made … it gives me a lot of hope and confidence that we’ll be able to do what we need to do,” he said.
PINGED, PATCHED, PWNED
PINGED: U.S. Customs and Border Protection has suspended business with Perceptics, a contractor suspected to be at fault for a data breach that exposed tens of thousands of classified government documents, my colleague Drew Harwell reported on Tuesday. The agency cited “evidence of conduct indicating a lack of business honesty or integrity” as its rationale for suspending the license plate scanning and surveillance company, Drew reports.
CBP officials initially downplayed the breach, saying that fewer than 100,000 photos of travelers had been compromised. But Drew found a trove of sensitive information on the dark Web, including detailed schematics of technology at key points of entry and various classified CBP documents.
Further investigation could lead to a blacklisting of Perceptics from government contract work. According to the company’s promotional materials, it is CBP’s sole vendor for license plate scanners, Drew reports.
It's unclear how or whether the suspension will affect border operations, Drew reports. Perceptics is also facing a potential investigation by the Canadian Border Service Agency, which also buys its technology.
PATCHED: Chinese officials are forcing visitors crossing into the nation’s Xinjiang region to download an app that scans their text messages, contacts, call records and other data for information that’s of interest to the Chinese government, according to a joint investigation by the New York Times, the Guardian and Motherboard. U.S. lawmakers have criticized China for using surveillance technology to monitor and suppress Xinjiang's Uighur Muslim population, but this is the first evidence that the technology is being weaponized against visitors.
An analysis of phones forced to download the Android-based malware found that the program scans for content from Islamist extremist groups but also seemingly benign content such as “Koran verses, a photo of the Dalai Lama and even a song by a Japanese band,” reports Raymond Zhong at the Times. The app appears to be produced by a telecom company co-owned by the Chinese government that also offers police surveillance technologies, according to the Times.
One journalist who crossed into Xinjiang reported that the government also unlocked Apple devices and connected them to a scanner. The Chinese government did not respond to the outlets’ requests for comment about why it was collecting data on foreigners.
PWNED: Smart-home products manufacturer D-Link Systems has agreed to implement new planning and vulnerability testing before releasing products to settle a lawsuit brought by the Federal Trade Commission over major vulnerabilities in how it stored and protected user data in its devices, according to an FTC statement Tuesday.
D-Link’s “security flaws risked exposing users’ most sensitive personal information to prying eyes,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a statement. Among other problems, the company failed to encrypt user passwords stored on its devices, according to the FTC. The company won’t have to pay financial penalties.
The FTC’s 2017 lawsuit against D-Link marked the first time the agency sued a maker of Internet of Things devices. It came after hackers hijacked the computing power of millions of connected devices to launch a 2016 attack that briefly shut down many high-profile websites including Twitter, Spotify and PayPal.
The settlement requires D-Link to submit an independent, third-party security assessment of its software to the FTC every other year for the next decade.
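The FTC finding above is that user passwords were stored on the devices without protection. The following is an added illustration, not D-Link's code or anything from the FTC filing, of what that defect looks like in a credential store and what the standard mitigation is: instead of "encrypting" stored passwords, a device should keep only a per-user random salt and a memory-hard hash (here scrypt from the Python standard library), so that anyone who dumps the device's storage learns nothing usable. The class and function names are assumptions made for this example.

```python
"""Added example: a plaintext credential store beside a salted, hashed one.

Names (PlaintextStore, HashedStore, exposes_password) are illustrative assumptions,
not identifiers from D-Link firmware or the FTC complaint.
"""
import hashlib
import hmac
import os

# scrypt cost parameters: 2**14 iterations, block size 8, parallelism 1 uses
# about 16 MiB of memory per hash, a common baseline for device-local logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16  # bytes of random salt per user
DKLEN = 32     # bytes of derived key to keep


class PlaintextStore:
    """The weak pattern: the password itself is written to storage."""

    def __init__(self):
        self.users = {}  # username -> password string

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


def _derive(password: str, salt: bytes) -> bytes:
    """Salted scrypt of the password; only this digest is ever stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


class HashedStore:
    """The hardened pattern: random salt + memory-hard hash, compared in constant time."""

    def __init__(self):
        self.users = {}  # username -> (salt, digest)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self.users[username] = (salt, _derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Run the KDF anyway so an unknown username costs the same time as a
            # wrong password; otherwise timing reveals which usernames exist.
            _derive(password, bytes(SALT_LEN))
            return False
        salt, digest = record
        return hmac.compare_digest(_derive(password, salt), digest)


def exposes_password(store, username: str, password: str) -> bool:
    """Model of someone who reads the device's storage verbatim: does the stored
    record for this user reveal the password? True for the plaintext store."""
    record = store.users[username]
    if isinstance(record, str):
        return record == password
    salt, digest = record
    return password.encode("utf-8") in salt + digest


def demo() -> dict:
    """Run both stores on a constructed sample credential and report the outcome."""
    user, pw = "admin", "CorrectHorse42"  # constructed sample, not a real credential
    weak, strong = PlaintextStore(), HashedStore()
    weak.add_user(user, pw)
    strong.add_user(user, pw)
    return {
        "plaintext_login_ok": weak.verify(user, pw),
        "plaintext_exposed": exposes_password(weak, user, pw),
        "hashed_login_ok": strong.verify(user, pw),
        "hashed_rejects_wrong": not strong.verify(user, "wrong"),
        "hashed_rejects_unknown_user": not strong.verify("nobody", pw),
        "hashed_exposed": exposes_password(strong, user, pw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both stores accept the right password, so the difference is invisible to a user; it only shows up when storage is read directly, which is exactly the exposure the FTC described. Two users with the same password also get different digests in `HashedStore` because each gets its own salt.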
Satellites from the United States and other NATO nations may be at serious risk for cyberattacks, according to a recent report from the British think tank Chatham House. Nearly all modern military operations rely on satellites for things such as GPS coordination and telecommunications, but they’re far less secure than they should be, Chatham House found, citing uninstalled software updates, outdated IT, and supplier networks that weren't sufficiently vetted for vulnerabilities.
A major concern for researchers is that countries such as Russia or China, which operate their own satellite systems, could manipulate or spoof GPS signals coming from the joint satellite system used by NATO countries. While the scenarios in the research paper are hypothetical, Israel has recently accused Russia of spoofing GPS signals in its airspace.