THE KEY

LAS VEGAS — Rep. Eric Swalwell (D-Calif.) applauded the crowd of cybersecurity researchers uncovering dangerous bugs in voting machines and other election systems at a security conference here -- but he's in a bind about how to talk about election security with constituents.

Swalwell, who recently ended a long-shot presidential bid, believes chances are almost nil that Republicans will join Democrats to pass legislation mandating fixes to improve election security before the 2020 contest. By continuing to bang the drum about potential security weaknesses, he worries Democrats risk inadvertently convincing citizens that the election is bound to be hacked — and that there's no point in voting. 

“If we tell voters the ballot box is not secure and that we have all these vulnerabilities … if we say that over and over and over, is the result of that suppressing [the vote]?” Swalwell asked a room of researchers this weekend at the Def Con cybersecurity conference's Voting Village, which focuses exclusively on the security of election systems. 

This is a predicament that will only get harder for many Democrats who are coming to grips with the idea that they may have run out of time to require states to shift to paper ballots, post-election audits and other cybersecurity best practices before the 2020 contest. Swalwell believes these fixes will happen only if there’s a Democratic president and Congress in 2021 or later -- even as intelligence officials warn the 2020 election is a major target for Russia and other adversaries looking to undermine the American political system. 

“I’d welcome your feedback,” Swalwell told the room of hackers. “How do you talk about this as an issue, without scaring .... everybody and then they just say, ‘You know what, I’m not going to vote.' ”

The issue also hasn't played a major role on the campaign trail. Yet Swalwell, speaking to me after his speech, defended Democratic presidential candidates who’ve generally relegated the security of the 2020 election to a second- or third- tier issue behind health care, immigration and climate change and mostly ignored the issue in presidential debates. 

“I trust that whoever emerges [as the nominee] is going to make this a top issue,” he told me. “I think we should know where they stand, but I think the risk of saying election security is the number one issue is that you don’t want someone to say, ‘Wait, is my vote not going to count?' ” And if voters don't turn out to elect Democrats then election security fixes won't happen at all, he said. 

Swalwell’s unusually blunt assessment comes as Senate Democrats are waging a battle in Congress and the media to put pressure on Senate Majority Leader Mitch McConnell (R-Ky.) who has been blocking votes on numerous election security bills.

Those efforts are useful for showing Democrats are committed to election security — and possibly to give a boost to McConnell’s top Democratic challenger in his reelection bid, Marine veteran Amy McGrath — but they have little chance of getting any bills passed, Swalwell told me.

“We're not going to see Republican senators wake up and say, you know what, I want to secure our elections and I'm going to ask Mitch McConnell to force a vote. It’s just not going to work under this president,” he said.

States have voluntarily made myriad election security improvements since 2016, using their own funding and $380 million Congress delivered in 2018. The Department of Homeland Security has also increased its assistance to state and local election officials, including installing a nationwide sensor network that can detect unusual activity on election officials’ networks. Many localities have not made important upgrades, however, such as having a paper record of all ballots.

Other lawmakers who visited Def Con, however, were more eager to keep up the fight on election security.

Rep. Ted Lieu (D-Calif.) told me it’s “ridiculous” that state officials and voting machine vendors haven’t yet fixed known digital bugs in their systems. He also accused Republican lawmakers and the White House of not wanting to improve election security because they believe Russian President Vladimir Putin — who intelligence officials say aided Trump in 2016 — plans to help Republicans in 2020.

“It is a known fact that the Russians did a massive cyberattack and influence campaign in 2016 and it helped Donald Trump. I don’t really know why Republicans aren’t as freaked out, but if I were to speculate, it would be because they saw that election hacking helped their presidential candidate," Lieu said. 

Rep. Jim Langevin (D-R.I.), who co-founded the Congressional Cybersecurity Caucus, warned that “Russia interfered with our 2016 elections, and they remain a threat to the security of our elections in 2020.”

Sen. Ron Wyden (D-Ore.) at the conference on Friday called for “a sustained outcry from the public to force [McConnell] to move legislation on election security.” He also called on ethical hackers at the conference to become “a Paul Revere brigade to come out of Def Con and fan out across the country and make the case for the [Securing America's Federal Elections Act],” a House-passed bill that would deliver $600 million in election cybersecurity money to states along with security mandates.

Wyden told me after the speech that he remains hopeful Democrats can rally enough public pressure to force McConnell to pass a bill in the next couple of months — while there’s still time for state and local election officials to responsibly spend additional election security money on upgraded voting machines and new digital protections.

“This country’s got a long tradition of when we think there really is a threat to our well-being, we can move,” Wyden told me. “And I think this is a threat to our 200-year experiment in self-government.”

Wyden said he’d push back, however, if Senate Republicans offered to approve new election security money with no cybersecurity mandates attached to it — as Democrats and Republicans compromised to do when they approved the $380 million boost in 2018.

“Money is definitely important … but you can’t spend money on machines that are outdated before you open the damn box,” he told me. “That’s the worst of both worlds.”

PINGED, PATCHED, PWNED

PINGED: Swalwell also caused a stir at the Voting Village when he challenged cybersecurity researchers there to try to develop a way to vote on a mobile app with all the security protections of the best in-person voting systems.

That’s an idea security experts have long scoffed at, saying it’s hard enough to secure in-person voting without adding all the concerns about hacked phones delivering phony votes or people casting fraudulent votes with stolen phones. 

Those concerns shouldn’t prevent researchers from setting a long-term goal of making mobile voting happen, Swalwell said. “If it's not possible, tell us it's not possible, but at least let's put the whole of government's resources behind trying,” he said. 

Swalwell argued that paper-based voting — while it’s the most secure option now — will ultimately be less convenient for older voters and could turn off younger voters who are used to doing other activities on mobile devices. “I don't want to lose a whole generation of voters because they're like, ‘Wait, you're just doing this by paper?” he said.

PATCHED: At a live hacking venue in the Voting Village, meanwhile, ethical hackers found “a litany of new vulnerabilities” in voting equipment that will be used in 2020 “ranging from gallingly obvious passwords to hardware issues and exposure to remote attacks,” my colleague Taylor Telford reports

The bottom line, Voting Village organizer Harri Hursti told Taylor: “Everyone claiming we can fix this by 2020 is giving a false sense of security. The aim should be, can we do something by 2022 or 2024?”

Joel Miller, an election auditor from Linn County, Iowa, told Taylor he’s concerned about the security of his county’s systems and can’t get his questions answered — even after formally demanding information from Iowa’s secretary of state’s office. 

“We don’t know what’s going on with the system,” Miller said. “I’m a former IT director, and I know more about what I don’t know, but that’s almost worse than if I didn’t have a tech background. I’m aware there’s more threats out there than we can handle.”

Iowa was among 21 states where Russian hackers probed election infrastructure in 2016, but there’s no evidence the hackers penetrated any of Iowa’s systems. Iowa’s secretary of state’s office told Taylor that “Iowa’s [election] system is secure and we work every day to ensure it remains secure.”

PWNED: As many as 16 million voters will cast ballots on paperless machines in 2020, a reduction from nearly 28 million who did so in 2016, according to a new report released by the Brennan Center today. But that still leaves millions of votes unsecured, and money from Congress could help, the report states.

“Congress provided $380 million to states to help with upgrades, but it wasn’t enough,” researchers Andrea Córdova, Liz Howard and Lawrence Norden wrote. The House approved a bill granting states $600 million in election security funding in June, but the legislation has been blocked in the Senate

Nearly half the states that still used paperless voting machines for at least some voters in 2016 probably will replace those machines by the 2020 election, the report states. 

A growing number of states are also adopting more efficient audit procedures to spot altered votes, researchers found. Colorado, which first implemented new audit procedures in 2017, is joined by 12 other states including Alabama, Ohio, and California. Of the 42 states that plan to use only paper records in 2020, 17 still do not require post-election audits.

PUBLIC KEY

— Cybersecurity news from the public sector:

A Department of Homeland Security bug bounty program, as proposed by legislation being considered in the House, would cost $44 million, according to the Congressional Budget Office.
FedScoop
The incentives for foreign countries to meddle are much greater than in 2016, and the tactics could look dramatically different.
The Atlantic
An effort by the FBI to more aggressively monitor social media for threats sets up a clash with Facebook’s privacy policies and its attempts to comply with its recent FTC settlement.
Wall Street Journal
PRIVATE KEY

— Cybersecurity news from the private sector:

Many of the vulnerabilities relied on using iMessage to own the rest of the phone, Google's Project Zero said.
Vice
At a conference where hackers can try their hand at picking locks and discover c...
Reuters
Researchers have discovered a flaw in the GSM standard used by AT&T and T-Mobile that would allow hackers to listen in.
Wired
THE NEW WILD WEST

— Cybersecurity news from abroad 

UNITED NATIONS (AP) — U.N. experts say they are investigating at least 35 instances in 17 countries of North Koreans using cyberattacks to illegally raise money for weapons of mass destruction...
Associated Press
The phishing targets in China and the IP addresses involved indicate a coordinated effort by nation-state hackers, Anomali researchers said.
CyberScoop