with Tonya Riley


Senators on the Intelligence Committee who spent two years probing every facet of Russia’s attempts to interfere in the 2016 U.S. election still can't agree on a path forward to secure the next one. 

The long-awaited 67-page report released yesterday contains dozens of recommendations for securing elections. But most artfully sidestep a boiling policy battle between Republicans and Democrats over whether the federal government should ensure they actually happen.

The report endorses a slew of voting security improvements championed by Democrats, for example — including having paper records of votes, buying new secure voting machines and conducting post-election audits. But it also endorses “states’ primacy in running elections” — a key talking point from Republicans who argue it would violate states’ rights if the government mandates those fixes.

The report also notes that states may need more federal money to upgrade or replace their outdated voting systems but kicks the can down the road until states have fully spent $380 million in election security money that Congress approved in 2018 — evading a partisan dispute over funding. 

Yet Sen. Ron Wyden (D-Ore.) refused to go quietly. Highlighting divisions within the Republican-controlled committee, he appended a full-throated rebuttal to those compromises in a "minority views" section at the end of the report. He argued for a more muscular approach from the federal government as intelligence officials warn Russia and other countries continue to try to interfere in U.S. elections. 

“America is facing a direct assault on the heart of our democracy by a determined adversary,” he said, insisting that leaving election defense to state and local officials would be akin to “ask[ing] a local sheriff to go to war against the missiles, planes and tanks of the Russian Army." 

“The defense of U.S. national security against a highly sophisticated foreign government cannot be left to state and county officials,” Wyden wrote. “For that reason, I cannot support a report whose top recommendation is to “reinforce … state's primacy in running elections.”

The dissent highlights how -- despite states, intelligence agencies and the Department of Homeland Security taking steps to improve election security since 2016 -- Congress has mostly sat on the sidelines caught in partisan squabbling.

Indeed, Senate Democrats spent many of their final hours before adjourning for the August recess Thursday unsuccessfully pushing for election security bills that Senate Majority Leader Mitch McConnell (R-Ky.) has been blocking for months from coming to a vote. 

Here’s Wyden on that effort: 

The election security report is just the first of five volumes the Senate panel is planning to release from its investigation in the coming months.

Here are three more big takeaways from the report.

1. Russian hackers probably probed government or election infrastructure in all 50 states, the report confirms.

But they didn’t always do it the same way. In one state, hackers scanned the entire state’s infrastructure looking for weak spots. In another, they pummeled the state’s networks in one place so attacks elsewhere might go undetected.

Officials from yet another state noted that Russian hackers scanned the state’s entire voter registration database but never tried to break in. The officials compared that to “a thief casing a parking lot” but not breaking into any cars.

The state-level narratives are the richest source of newly disclosed information in the report, but that information is also limited. With the exception of Illinois — where it was publicly known that hackers actually penetrated the state’s voter registration database but didn't appear to have changed any information — the names of the states are redacted. Portions of the state narratives are also redacted, as are large portions of the full report.

2. Federal, state and local governments were not at all ready for Russia’s hacking efforts in 2016.

The report is unsparing in its details on this issue. “State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor,” the report notes. And when DHS and the FBI did alert the states about Russia’s hacking efforts, “they provided no clear reason for states to take this threat more seriously than any other alert received.”

The report praises DHS for making great strides in helping state and local officials defend their election infrastructure since 2016 but also notes that “much more needs to be done to coordinate state, local, and federal knowledge and efforts in order to harden states' electoral infrastructure against foreign meddling.”

3. Russia should fear the U.S. response if it tries to hack 2020.

The report also urges deterring election attacks by ensuring Russia and other adversaries know they’ll pay a price as part of its recommendations to improve their security.

“The United States should communicate to adversaries that it will view an attack on its election infrastructure as a hostile act, and we will respond accordingly,” the report states, adding that officials should outline a range of consequences election hackers might face.

The report also urges the government to work with U.S. allies to develop rules of the road about what’s unacceptable in cyberspace and to collectively impose consequences when other nations violate those rules.


PINGED: A stolen NSA hacking tool was not used in a May 7 ransomware attack on Baltimore, according to a fact sheet the city posted.

That confirms statements by Rep. Dutch Ruppersberger (D-Md.), who represents parts of Baltimore, and by Sen. Chris Van Hollen (D-Md.), who were briefed by the NSA on the attack. But it contradicts a New York Times report that claimed the tool called Eternal Blue was used – and which sparked a debate about whether NSA bore some responsibility for the attack or If Baltimore was at fault for allegedly not patching against the hacking tool more than two years after NSA advised organizations to do so.

The city says in its fact sheet that “independent computer forensic experts have found no evidence that EternalBlue was a factor” in the attack and “have found no evidence” that confirms the Times report.

NSA used Eternal Blue for five years to gather reams of intelligence before it was stolen in 2017 by a group called Shadow Brokers that hasn’t yet been tied to any nation’s intelligence agency. The malicious code has been used in numerous hacking campaigns, including the 2017 NotPetya attack, which U.S. officials have attributed to Russia and crippled thousands of computers in Ukraine and elsewhere.

PATCHED: FBI Director Christopher Wray doubled down yesterday on Attorney General William S. Barr’s comments earlier this week calling for tech companies to help law enforcement crack into encrypted communications. 

“It cannot be a sustainable end state for us to be creating an unfettered space that's beyond lawful access for terrorists, hackers and child predators to hide,” Wray said at the International Conference on Cyber Security at Fordham University on Thursday. Wray called encryption a “national security issue” and claimed it posed serious obstacles to the work of law enforcement. 

Barr's comments reignited criticism from privacy advocates that giving law enforcement backdoor access to encrypted communications would create vulnerabilities that hackers could also exploit to steal regular citizens’ personal information. Experts also dispute the severity of the problem that encryption poses to law enforcement. Under Wray the FBI inflated the number of times encrypted phones posed challenges to law enforcement.

PWNED: Iran is following Russia’s lead and launching disinformation campaigns on social media aimed at influencing Americans’ political views, my colleagues Craig Timberg and Tony Romm report. And other countries may be joining the fray. Saudi Arabia, Israel, China, the United Arab Emirates and Venezuela are just a few of the countries that could launch Russian-style disinformation operations, my colleagues report.

“That means American voters are likely to be targeted in the coming campaign season by more foreign disinformation than ever before, say those studying such operations,” Craig and Tony report. 

Researchers at the cybersecurity firm FireEye have noticed Iranian disinformation campaigns on Facebook, Instagram, YouTube and even in local newspapers. Unlike Russian influence operations that favored President Trump in 2016, Iranian operations are mostly aimed at undermining Trump, criticizing his withdrawal from the Iran nuclear deal and other administration actions.

Researchers tell Craig and Tony that cooperation between the FBI and Silicon Valley on combating influence operations has improved since 2016, but new enemies and strategies could go undetected. Former special counsel Robert S. Mueller III also warned Congress this week that Russia and “many more countries” have their sights set on the 2020 elections.


-- Should pineapple go on pizza? DHS's Cybersecurity and Infrastructure Security Agency posed that question to help demonstrate how foreign influence campaigns seek to divide Americans online. And, boy, did they get a response from the cybersecurity community.

A few brave souls were pro-pineapple in the war. The National Association of Secretaries of State:

But officials at the DHS were hard-line anti-pineapple. DHS special advisor Matthew Masterson:

CISA Director Chris Krebs, the man behind the campaign, was a firm no.

Sen. Ron Wyden (D-Ore.) wasn't as amused.


-- A bipartisan commission on modernizing Congress released a slate of 24 recommendations that were unanimously endorsed by the commission’s 12 members yesterday. One big one was mandating that all federal lawmakers get cybersecurity training.

— More cybersecurity news from the public sector:


-- The cyber insurance industry has grown by $2 billion — or 26 percent — since 2015, according to a new report from Moody'sThe growth has been greatest in the education, hospitality and retail sectors, but lower in healthcare and financial services, the report found. 

The jump is driven by a major increase in hacking and companies trying to reduce risk, Marc Pinto, managing director of financial institutions at Moody’s, told me. Companies may increasingly turn to cyber insurance to reduce their risks as states pass privacy laws that threaten harsh penalties for data breaches, the report states. 

— More cybersecurity news from the private sector:


— Cybersecurity news from abroad: