The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Here’s why Mitch McConnell is blocking election security bills

with Tonya Riley



As Congress returns this week, Mitch McConnell remains the one-man roadblock for Democrats' election security bills. He's still refusing to allow a vote, even as Democrats deride him as “Moscow Mitch” and accuse him of inviting Russia to interfere on Republicans' behalf in the 2020 election. 

But why is McConnell so staunchly opposed? 

Republicans and Democrats offer a fairly straightforward theory: McConnell is wary of drawing the ire of President Trump, who has repeatedly wavered on whether Russia interfered in the presidential contest — and seems to view traditionally bipartisan discussions about election security as delegitimizing his unexpected 2016 victory over Hillary Clinton.

“This is a narrative that the White House doesn’t want to approach,” David Jolly, a former Republican House member from Florida and an outspoken Trump critic, told me. “The president’s not comfortable talking about it. He’s someone with a fragile ego. And McConnell is happy to coordinate with this White House. That’s the only thing that explains it.”

McConnell is likely also concerned about the political fallout for Republican senators, several of whom have supported and even co-sponsored election security bills in the past, says a former Democratic Senate staffer who worked extensively on cybersecurity issues during the Obama administration.

“It would put Republican senators in an awkward spot of having to vote against election security or vote for it and potentially anger Trump or anger some of his base if he were to tweet how bad the bill is,” said the former staffer, who spoke on the condition of anonymity to speak frankly.

The issue has become a political firestorm on the campaign trail — and a key talking point for Democrats who point to testimony from intelligence officials and former special counsel Robert S. Mueller III warning that Russia is eager to compromise the integrity of the 2020 election, and states and localities complain they don’t have enough money to fix digital vulnerabilities on their own.

Senate Minority Leader Charles E. Schumer (D-N.Y.) has openly speculated that McConnell's reticence is because he hopes Russian President Vladimir Putin, who officials say directed the hacking and disinformation operations to aid then-candidate Trump in the last election, will try to help the president and other Republican candidates next time. 

McConnell himself has doubled down on a wonkier argument: that any federal election security mandates would trample on states’ rights to run their own elections. In an impassioned 25-minute Senate floor speech last month, he claimed Democrats' real goal was “nationalizing election authorities” and that they were pushing for “partisan wish list items that would not actually make our elections any safer.”

A McConnell staffer declined to discuss a possible compromise on election security, telling me that “we don’t engage in hypotheticals about potential support for legislation that doesn’t exist.” The staffer didn't respond directly to the various Democratic election security bills. 

Jolly, like several other people I spoke with, expressed disdain for McConnell's states’ rights argument. “If a state was [physically] attacked by a nation-state, we wouldn’t rely solely on that state or their National Guard to respond,” he said.

Daniel Schuman, policy director for the liberal advocacy group Demand Progress who writes a popular newsletter focused on congressional technology priorities, compared McConnell’s argument to claiming the federal government shouldn’t help states recover from hurricanes and other natural disasters.

From McConnell's perspective, there has been real progress on this issue already. The McConnell staffer pointed to $380 million in election security funding that Congress appropriated to help states with election security in 2018 and to several smaller bills the Senate has passed related to election security, including one that would deny entry into the United States to foreign citizens who violate U.S. election laws. 

The staffer also provided excerpts from a letter McConnell sent last month to Kentucky’s top election official stating that “the Senate will continue to consider serious bills that attend to real obstacles that still face federal, state, and local authorities as they work together to secure our elections.”

Yet polling shows election security is also a lower priority for voters than hot-button issues such as immigration and health care, Jolly pointed out, which means there’s less political pressure on McConnell to push on election security and risk upsetting Trump. “This is a failure of leadership by McConnell and it’s a raw political consideration,” Jolly said.

It appears unlikely McConnell will shift course and allow votes on substantial election security bills later this Congress. Several people suggested, however, that he might support delivering another chunk of money to states to improve election protections — so long as no election security mandates came with it.

Sen. Ron Wyden (D-Ore.), who sponsored one of the most mandate-heavy election security bills — which would require that states use hand-marked paper ballots and conduct rigorous post-election audits — told me last month that he’d strongly oppose giving states more money without requiring them to follow cybersecurity best practices.

But other Democrats may be more willing to make the compromise.

Clarification: This story has been updated to clarify that a McConnell aide’s statement about “hypothetical” legislation referred specifically to a potential compromise between Republicans and Democrats on election security.


PINGED: The Trump administration wants a federal appeals court to reverse its June decision allowing former and current federal employees to sue the government for failing to protect their personal information in relation to a massive 2015 breach at the Office of Personnel Management, Eric Katz at Government Executive reports. The Justice Department argued in its filings that hackers had an “espionage-related motive,” meaning the government did not actually put employees at “significant risk” of identity theft. 

The OPM breach was one of the largest in government history, compromising deeply personal information about more than 20 million government workers. In addition to workers’ names, addresses, birth dates and Social Security numbers, the hackers obtained detailed background investigation forms that contained information about finances and family relationships. Two government employee unions are suing the government seeking lifetime credit monitoring for affected employees and monetary damages from the contractor involved. Government officials have routinely blamed China for the OPM hack. 

PATCHED: A cyberattack took the online encyclopedia Wikipedia offline for users in Europe and the Middle East late Friday, with outages for some users continuing well into Sunday evening. Wikipedia's parent nonprofit organization released a statement blaming unspecified “bad actors” for the attack, adding that it was working on getting the site back up as quickly as possible.

The site's German Twitter account called the attack “a massive and very broad [distributed denial of service] attack.” In other words, hackers flooded the website with more traffic than it could handle in the hopes of knocking it offline.

It's unclear who was behind the attack, but the popular website sometimes “attracts 'bad faith' actors,” the Wikimedia Foundation wrote in a news release.

“Takedown attacks threaten everyone’s fundamental rights to freely access and share information,” the statement goes on. “We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone.”

PWNED: U.S. Cyber Command may have taken a subtle jab at North Korea over the weekend.

The command posted 11 samples of malicious software to VirusTotal, the tool Cybercom uses to share examples of malicious software with the cybersecurity research community — all of which appeared to be linked to the hermit kingdom, according to cybersecurity researchers.

The release also appeared to be timed to a national holiday in North Korea celebrating the nation’s founding, as Andrew Thompson, a threat analyst at the cybersecurity company FireEye, noted on Twitter.

A Cybercom spokesman told me the command doesn’t comment on which nations might have used the malware samples it shares.

Here’s more on the release from Axios’ Joe Uchill. And background on VirusTotal and North Korea from CyberScoop’s Shannon Vavra.


— Cybersecurity news from the public sector:

Regulator Weighs Disclosing Names of Utilities That Violate Grid Security Rules (Wall Street Journal)

DMVs Are Selling Your Data to Private Investigators (Vice)

Texas says half of agencies hit by ransomware have recovered (Associated Press)


— Cybersecurity news from the private sector:

Apple says Uighurs targeted in iPhone attack but disputes Google’s findings (NBC News)

Microsoft’s president chides Facebook, urges new approaches to combat weaponization of tech (Jay Greene)

Symantec finds a 'new' Chinese hacking group has actually been around for a decade (CyberScoop)


— Cybersecurity news from abroad:

Australian Internet Providers Ordered to Block Eight Sites Found Hosting Christchurch Footage (Gizmodo)


— Coming up:

  • The Senate Appropriations Subcommittee on Department of Defense will meet Tuesday at 10 a.m.