THE KEY

Election security barely came up in nearly three hours of clashes between Democratic presidential candidates last night.

That's somewhat shocking considering the debate took place less than a week after former special counsel Robert S. Mueller III warned that Russia and other nations are eager to undermine the security of the 2020 elections. And Senate Democrats are also waging a drag-out fight to pass new laws mandating digital protections over fierce opposition from Majority Leader Mitch McConnell (R-Ky.).

If they had tackled cybersecurity, they would have found that the liberal-moderate divide that characterized much of the debate -- and split candidates who want bold changes on health care and immigration from those who want to take a more incremental approach -- is at play in election security too. 

Sen. Elizabeth Warren (Mass.), one of the five top-polling candidates, has proposed major policy reforms such as expanding Medicare for all Americans, imposing a wealth tax and forgiving student debt. She complained at one point in the debate, “I don’t understand why anybody goes to all the trouble of running for president of the United States just to talk about what we really can’t do and shouldn’t fight for.”

True to form, Warren also has a big, bold plan for election security that would deliver $20 billion in security funding to states over 10 years -- but also threatens those states with lawsuits if they don’t follow proposed federal cybersecurity rules such as using hand-marked paper ballots and conducting security audits.

Many election security advocates, though, say they worry Warren’s plan has little chance of passing through Congress. It also could backfire by alienating state and local election officials and stoking fear among Republicans that Democrats are seizing federal control over elections because they want to swing the results, these security advocates say.

Sen. Amy Klobuchar (Minn.), who’s in the moderate lane on Democratic issues including healthcare and trade, has also taken a moderate path on election security. She was a main sponsor of the major bipartisan election security bill during the last Congress, which drew seven Democratic sponsors and six Republicans.

She’s also pushed numerous bills this Congress that would make fundamental reforms to election and campaign security – but not on the level of Warren’s wholesale federalizing of the election process.

One of those bills, which is modeled on legislation that passed the House – would deliver $8 billion in election security money to states over the next seven years and mandate fixes including paper ballots, digital testing of voting machines and cybersecurity testing for voting machine companies. Another bill, which was co-sponsored by Sen. Lindsey Graham (R-S.C.) would mandate more transparency in political ads that might be sponsored by foreign powers.

That insider approach hasn't fared much better than Warren's shoot-for-the-fences proposal so far, though. McConnell is blocking both of those bills from a vote. 

Klobuchar also made one of the rare references to cybersecurity during the debate, when she savaged Trump for joking with Russian President Vladimir Putin at a G-20 meeting in June after a reporter asked Trump whether he’d press Putin not to interfere in the 2020 election. She says the apparent chumminess was not a good look as U.S. intelligence agencies say Russian hackers intervened to help Trump's candidacy and undermine Hillary Clinton’s. 

“When he was asked about invading our democracy, he made a joke,” Klobuchar said, adding that future presidents “better put [the] interests of our country first, not the Russians'.”

Some of the other moderates on the stage also have cybersecurity chops. Former Rep. John Delaney (Md.) has proposed creating a cabinet-level cybersecurity department to deal with issues including Russian election attacks.

And former Colorado Gov. John Hickenlooper helped create a National Cybersecurity Center in Colorado Springs during his governorship that’s tackled major cybersecurity research challenges, including the best digital security for space assets.

Hickenlooper also said during the debate that he'd surge diplomatic efforts as president to reach an agreement on international cybersecurity rules among other topics.

Sen. Bernie Sanders (I-Vt.), the other liberal pushing structural reforms on the stage last night and who’s among the top five polling candidates, hasn’t released any cybersecurity plans or spoken about the issue extensively on the campaign trail.

Cybersecurity watchers were perturbed by the lack of focus on cybersecurity during the debates, which they said didn't square with heightened public concern about the topic:

Here’s Mieke Eoyang, vice president for the Third Way think tank’s National Security program:

And Wall Street Journal cybersecurity reporter Dustin Volz:

PINGED, PATCHED, PWNED

PINGED: Senate Democrats have found their first Republican co-sponsor for legislation that would require presidential candidates to report attempts from foreign nationals to influence their campaigns to the Federal Bureau of Investigation. The new support from Sen. Susan Collins (R-Maine) deals a blow to efforts by McConnell who has been thwarting efforts by Democrats to pass a host of election and campaign security bills.

“Russia’s efforts to interfere in our elections remain relentless,” Collins said as she signed on to the Foreign Influence Reporting in Elections Act. Collins has previously supported other bipartisan voting security legislation in the Senate. House Democrats introduced a companion bill to the FIRE Act yesterday.

McConnell has attacked Democrats and pundits who criticize him for blocking election security bills, accusing them of pushing legislation to favor their party and calling their crusade “modern-day McCarthyism.”

PATCHED: The New York Attorney General's office is opening an investigation into Capital One after the company announced a data breach that exposed the personal information of 106 million credit card applicants, Attorney General Letitia James announced yesterday.

“We cannot allow hacks of this nature to become every day occurrences,” James said in a statement.

Capital One also faces a lawsuit filed in federal court in Washington, which claims the company failed to properly secure customer data.

The company will also likely face scrutiny in Congress, where Rep. Debbie Dingell (D-Mich.) is already calling for a hearing.

Sen. Ron Wyden (D-Ore.) suggested that stronger consumer laws are needed to hold CEOs accountable for breaches:

Rep. Frank Pallone (D-N.J.) also promoted his consumer privacy legislation:

PWNED: Small aircraft owners need to watch out for a new digital vulnerability that could enable hackers to manipulate aircraft data to potentially fatal results, the Department of Homeland Security’s cybersecurity agency warned in an alert yesterday.

By physically accessing the hardware that controls an aircraft's data systems, hackers could alter measurements including compass and altitude data and airspeed, making it impossible for pilots to distinguish the real readings and potentially lose control of the aircraft.

DHS is calling on aircraft manufacturers to review their use of the technology, known as CAN bus networks, to deter attacks. 

Patrick Kiley, a researcher at Rapid7 who first flagged the vulnerability, plans to reveal more details about it at the DEF CON cybersecurity conference in Las Vegas next week. 

PUBLIC KEY

The number of state and local governments using a protection against email spoofing has increased by 76 percent since October 2018, according to a new report from the email security firm ValiMail.

But that still only amounts to about 8 percent of state and local governments using the email security tool called DMARC, researchers found.  

That rise in DMARC use was likely caused by growing concern over a surge in ransomware hacks against local and state governments and those governments following the lead of the federal government which mandated DMARC for all its email domains in 2017, Valimail CEO Alexander García-Tobar told me.

— More cybersecurity news from the public sector:

A U.S. judge on Tuesday dismissed a Democratic Party lawsuit arguing that the Ru...
Reuters
Accused Capital One hacker appears to have posted Slack references to other breaches. Other victims may include a major international telecoms company and an Ohio government department.
Forbes
A suspected hacker claimed he or she had stolen the personal information of about 2,500 LAPD officers, trainees, and recruits, along with approximately 17,500 police officer applicants, in what may be a...
NBC Los Angeles
Three Louisiana school districts, Georgia agency part of the latest round of victims.
Ars Technica
Government auditors and a former top cyber official are concerned, but OMB says the numbers reflect a more substantive and collaborative cybersecurity review process.
FCW
PRIVATE KEY

— Cybersecurity news from the private sector:

The recent high-profile data breach at a top proponent of cloud computing could reignite debate among financial institutions about using such outside vendors.
Wall Street Journal
The security researchers involved say that Apple has yet to fix all of the discovered flaws.
BBC News
THE NEW WILD WEST

— Cybersecurity news from abroad:

Mariana Krasteva, a 55-year old engineer, is one of more than four million Bulga...
Reuters
Telegram reacts after hackers have hijacked more than 1,000 accounts in Brazil.
ZDNet
ZERO DAYBOOK

Today:

  •  Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs will discuss 5G innovation and security at the Center for Strategic and International Studies (CSIS) at 2:30pm.

Coming up: