with Tonya Riley


States are barreling toward 2020 with major digital weaknesses in their election systems and not enough money to fix them, according to a report out today from four organizations focused on election security.

The report comes about 16 months after Congress delivered $380 million to states to shore up weaknesses highlighted by Russia’s hacking efforts during the 2016 election. But that money covered only the most glaring vulnerabilities, the report authors told me, and there's a serious risk that Moscow or another adversary could do major damage in upcoming elections if Congress doesn't provide more. 

“We’re facing foreign intelligence services that are throwing everything they have at trying to penetrate our elections, and states don’t have the resources they need to defend against that,” David Salvo, director of the German Marshall Fund’s Alliance for Securing Democracy initiative and one of the report's authors, told me.  

Democrats in Congress have introduced numerous bills this year that would deliver more election security money to states, but they’ve failed to gain Republican support for them. And Senate Majority Leader Mitch McConnell (R-Ky.) has expressed opposition to any new election security legislation, making it unlikely new money will be delivered this year.

The report focuses on six states — Alabama, Arizona, Illinois, Louisiana, Oklahoma and Pennsylvania — and how each spent their portions of the $380 million in election security money and what vulnerabilities they left unfixed.  

Pennsylvania, for example, spent all of the $14 million it was allocated upgrading outdated voting machines to ones that produce paper vote records — which experts say are vital for security and allow for election audits to ensure hackers didn’t change the results.

But Pennsylvania didn’t have enough money left over to replace its statewide voter registration system, which is more than a decade old and vulnerable to hacking, the report notes. The state was also short of funds for cybersecurity training for its election workers and for regular digital testing of elections systems.

Alabama, on the other hand, used its $6 million in federal money to pay for an updated voter registration database, upgraded computer systems and post-election audits. But the state didn’t have enough money to replace voting machines that are more than a decade old and that lack many of the security features of modern machines, the report notes.

The trade-offs highlighted in the report are likely common among most of the 50 states, Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, told me. The Brennan Center was another sponsor of the report along with the University of Pittsburgh’s Institute for Cyber Law, Policy and Security, and the R Street Institute think tank.

In general, states spread their money among four priorities, Norden said: upgrading voting machines, replacing voter registration systems, hiring more cybersecurity workers and conducting post-election security audits. But “there are a lot of unfunded security needs because the money is not going to fund all these things for any states,” Norden said.

And that’s particularly dangerous because a successful breach of an election system in any one state could cast doubt on election results across the nation, said Rachael Dean Wilson, head of external affairs at the Alliance for Securing Democracy and another report author. 

“Our election security is only as strong as the weakest system we have,” she told me. 

Fully funding states’ current election security needs could easily cost $1 billion or more over the next few years, Norden said. He stressed, however, that states will need annual election security funding rather than one-time infusions to keep elections safe from foreign hacking for the long haul.

“We’ve been approaching election security funding in this country as if it’s one and done, and that’s not the way it works,” Norden said. “We don’t spend on the military every 10 years, we spend annually. And this is also a national security issue.”


PINGED: Sen. Robert Menendez (D-N.J.) wants the leaders of a hacked medical billing agency and the laboratories that hired it to answer questions in front of Congress, his office exclusively told The Cybersecurity 202. That breach, which was disclosed in June, exposed the personal information of at least 20 million patients, including financial and medical records in some cases. 

Menendez shared his plans to call the companies before the Senate Finance Committee the same day that a fourth company, Clinical Pathology Laboratories, announced it was compromised in the breach and revealed 2.2 million additional victims. The hacked billing company, American Medical Collection Agency, meanwhile, hasn't responded to queries from Menendez and other senators and filed for bankruptcy. One of the major breach victims, Quest Diagnostics, is based in Menendez's home state of New Jersey. 

“Last month I wrote AMCA leadership demanding answers about the scope of their hack, and rather than provide the answers the American people deserved, they filed for Chapter 11 protection,” Menendez told me in a statement. “We cannot allow this company to escape its responsibility to patients and ignore our legitimate questions by hiding behind bankruptcy.”

AMCA first discovered the breach in March, but only made it public when Quest, LabCorp, and Opko Health all reported last month that their patients’ information had been exposed by the company. Here are more details about the Clinical Pathology Laboratories breach from TechCrunch's Zack Whittaker.

CORRECTION: A previous version of this item misstated the committee Menendez intends to call AMCA before. It's the Senate Finance Committee.

PATCHED: Microsoft has identified 781 attacks by nation-state-backed hackers against political parties, campaigns and democracy-focused NGOs since August — and 95 percent of those attacks were against U.S.-based organizations. The threats reflect a pattern similar to attacks by nation-states leading up to the 2016 and 2018 U.S. elections, researchers warned in a Wednesday blog post.

Many of those attacks targeted democracy-focused nongovernmental organizations, but “a spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns [often] serve[s] as a precursor to direct attacks on campaigns and election systems,” the researchers wrote.

PWNED: Sen. Chuck Schumer (D-N.Y.) is calling for the Federal Bureau of Investigation and Federal Trade Commission to investigate a popular app to determine whether Russian intelligence could be exploiting the data the app is collecting.

“FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments,” the Senate minority leader wrote in his request to the agencies.

FaceApp first launched in 2017. But it started trending again this week with a new artificial intelligence filter that allows users to make their faces look older in pictures, gaining popularity with celebrities including LeBron James and the Jonas Brothers. Experts point out that FaceApp's privacy policy, which grants the company permission to store user photos and transmit them outside the United States, could put users at risk of having their photos collected by Russian intelligence, including for facial recognition systems, my colleagues Hannah Denham and Drew Harwell report.

Wary of Russian interference ahead of the 2020 election, the Democratic National Committee is also warning 2020 campaign staffers to avoid the app, CNN's Donie O'Sullivan reports. “It's not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks,” Bob Lord, the DNC's chief security officer, said. 

FaceApp, however, denies any wrongdoing. The company told my colleague Geoffrey A. Fowler that it does not transfer data to Russia and that most images are removed from its servers within 48 hours.


  • The Aspen Security Forum takes place through July 20 in Aspen, Colorado