THE KEY

Democrats are pressing hard this week in what could be their final chance to pass legislation aimed at protecting the 2020 contest against Russian hackers.

Senate Democrats have failed for months to force Senate Majority Leader Mitch McConnell (R-Ky.) to allow a vote on bills committing an additional $600 million to election security and also mandating security reforms such as paper ballots and post-election cybersecurity audits. Now they’re shifting tactics and trying to force some of that funding into a must-pass spending bill.

Round one of the fight starts Thursday at a Senate Appropriations Committee meeting where the top-ranking Democrat, Sen. Patrick Leahy (Vt.), and the top Democrat on the committee’s general government panel, Sen. Chris Coons (Del.), will try to force the money into the Republican draft of a spending bill.

If that doesn’t work, Democrats can keep trying to push Republicans to add the measure through the lengthy give-and-take of the appropriations process that's likely to drag on for several months. Aides for Leahy and Coons declined to tell me precisely what was in the amendment they’ll be introducing Thursday, but Sen. Ron Wyden (D-Ore.) and other senators are pushing for at least the $600 million that’s included in legislation already passed by the House.  

If the last-ditch effort fails, many Americans are likely to cast votes in 2020 in a process still governed by the same lax rules as in 2016 – when a Russian hacking and disinformation operation upended the election and severely damaged voters’ confidence in the democratic process. The federal government has surged its cybersecurity help to state election officials since then and several states and localities have voluntarily improved protections, but the improvements are far from universal. 

“Right now what's going on is we're basically sending local election officials into battle against hackers without the tools or the guidance that is essential to defend our democracy,” Wyden, a major booster of election security legislation, said during a press conference organized by the civil liberties group Public Citizen.

Wyden described the effort as a “full court press with a focus on convincing one person…Mitch McConnell to make reforms that we believe are essential to secure elections.”

Sen. Richard Blumenthal (D-Conn.), speaking at the same press conference, described an “eroding trust in our elections” as a result of the failure to pass legislation. “That trust is necessary for people to turn out at the polls, for ordinary voters to feel that his or her vote counts and elections have consequences,” he said.

The senators calls were echoed by Democrats’ 2016 presidential nominee Hillary Clinton, who savaged McConnell and Trump legislation at a separate event as my colleague John Wagner reported.

“There is no way we can have the kind of secure election that we need without changing our laws and following it up with real investments,” Clinton said. “We have a fundamental set of threats to the bedrock of our democracy, and anyone who stands in the way of confronting those threats — from Mitch McConnell and his allies to the president himself — is abdicating their responsibility to protect and defend the Constitution.”

It’s not just the budgeting process that’s making timing tight, though.

States are already deep in the process of buying and certifying the technology they’ll use in 2020 and there’s not much time left for new purchases and upgrades. Time may have completely run out for some localities still using voting machines lacking paper trails to buy and certify paper-based machines before the 2020 general election.

“I am deeply alarmed that we are running out of time. Time is not on our side. Even now we are up against very serious deadlines,” Blumenthal said.

The senators may also have to figure out whether they’re willing to accept a deal that delivers money to states to upgrade the cybersecurity of their election systems and invest in cybersecurity training but doesn’t mandate any specific fixes such as paper ballots. McConnell and other Republicans have said those mandates would unfairly infringe on states’ rights to run elections.

That’s the deal Democrats took in 2018 when Congress added $380 million for election security upgrades to an earlier funding bill. About 85 percent of that money will be spent before the 2020 contest, Christy McCormick, chairwoman of the Election Assistance Commission, which distributed the money, has said.

Wyden, on Tuesday, called any bill that doesn’t include security mandates “sham legislation” that would only “increase the divide between states with good security and states that are open to foreign hacking.”

Blumenthal was more conciliatory, calling security mandates “the coin of the realm” but also acknowledging that “in a compromise you never achieve everything that we might want.”

A McConnell staffer told me earlier this month the majority leader would “consider serious bills that attend to real obstacles that still face federal, state, and local authorities as they work together to secure our elections” but declined to speculate on whether he might accept a funding-only bill.

PINGED, PATCHED, PWNED

PINGED: The Justice Department is suing ex-NSA contractor Edward Snowden for allegedly violating a non-disclosure agreement by publishing his new memoir Permanent Record without seeking government approval, my colleague Matt Zapotosky reports. DOJ wants to confiscate profits from the book, but has no desire to "stop or restrict the publication or distribution" of the new book, it says.

“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements," Assistant Attorney General Jody Hunt said in a statement. "This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust." 

In his book, Snowden details the events leading up to and following his decision in 2013 to leak information exposing secret government surveillance programs to the media. Snowden's legal team has already shot back arguing that the book doesn't include any secrets that news organizations haven't already revealed.

"Had Mr. Snowden believed that the government would review his book in good faith, he would have submitted it for review," Ben Wizner, director of the ACLU’s Speech, Privacy, and Technology Project and attorney for Snowden said in a statement.

Here's an excepert from Snowden's memoir published by The Nation.

PATCHED: Ecuador’s government agency responsible for telecommunications and information technology has launched an investigation into a massive breach that exposed the personal data of nearly all of the country's population this week, Palko Karasz and Anatoly Kurmanaev at the New York Times' report. The exposed data included personal information for 20.8 million Ecuadorians (including the personal details of 6.7 million children). It also included 7.5 million financial and banking records and 2.5 million car ownership records. Officials have not disclosed whether any hackers actually stole the exposed data. 

Researchers at vpnMentor discovered the data on an unprotected server in Miami, which has since been patched. The server appears to be owned by the Ecuadorian company Novaestrat, vpnMentor said. Authorities detained and questioned a legal representative for the company in connection with the breach on Tuesday, according to a statement from Ecuadoran officials. 

PWNED: The failure by American tech companies and government agencies to rein in threats like disinformation and deepfakes is giving adversaries like Russia and China an edge when it comes to shaping global Internet standards, Sen. Mark Warner (D-Va.) warned at a symposium on information and election security. Warner pinned part of the problem on Americans' lax attitudes toward cybersecurity, pointing out that adversaries don't need "sophisticated tools" to wreak havoc.

 "They are attacking us using phishing techniques, rattling unlocked doors. In many ways we brought this on ourselves," Warner told the crowd. "The level of security and integrity we accept from commercial technology products is shockingly low."

Warner, who is vice chairman of the Senate Intelligence Committee and a former technology executive, also criticized some American companies as complicit in China's "dystopian" version of the Internet.

"The truth is western companies who help authoritarian regimes build censored apps or walled garden versions of the internet are just as big a threat to a free and open internet as government actors," he said 

PUBLIC KEY

— Cybersecurity news from the public sector:

As loyalties among Afghanistan’s Islamic extremists continue to shift, the U.S. military may be poised to rely more heavily on offensive cyber capabilities to target one group in particular — the dispersed but still active membership of ISIS, according to one military cyber commander.
CyberScoop
The Coast Guard might be the smallest of the nation’s armed forces, but when it comes to cybersecurity, it believes it can punch above its weight.
Wall Street Journal
Current and former government tech leaders also stressed the need for high-level standards to ensure the global AI industry grows in line with democratic values
Nextgov
The discussion comes as the NAACP is fighting what it calls voter suppression efforts that range from unnecessary voter identification to voting machines that can be hacked.
Greensboro News and Record
PRIVATE KEY

— Cybersecurity news from the private sector:

Repo men are passively scanning and uploading the locations of every car they drive by into DRN, a surveillance database of 9 billion license plate scans accessible by private investigators.
Vice
Certificates can be used to sign-off on malicious payloads and can fetch a lucrative price on the black market.
ZDNet
Representatives for both companies all but ghosted an FEC-hosted discussion about what the platforms are doing to fight misinformation and foreign interference in 2020.
Vice
Israeli authorities have arrested multiple employees of the spyware vendor Ability in connection with an investigation into allegations of fraud, smuggling and money laundering at the company, the firm’s chief financial officer said Monday in a U.S. regulatory filing.
CyberScoop
THE NEW WILD WEST

— Cybersecurity news from abroad:

China leads the world in facial-recognition and other new surveillance technologies, but other countries are adopting similar tools, according to a new report by the Carnegie Endowment for International Peace.
Wall Street Journal
Elections Canada is confident in the security of the 2019 federal election despite recent cases of foreign interference in elections in countries like the U.S., Canada’s elections administrator said Tuesday.
iPolitics
ZERO DAYBOOK

—Coming up:

  • The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency will host its second annual National Cybersecurity Summit this Wednesday through Friday in National Harbor, Maryland.
  • The International Association of Privacy Professionals hosts a conference September 24-25 in Las Vegas.