The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: McConnell's support for election security funding is just the start of a big fight

with Tonya Riley


Senate Majority Leader Mitch McConnell (R-Ky.) partially relented yesterday in the fight over election security by throwing his support behind a $250 million infusion of cash for state election officials.

But that concession is likely just the start of what could be a battle royal in Congress.

Democrats, who have derided McConnell as "Moscow Mitch" for blocking progress on election security after the Russian interference in the 2016 election, were already arguing the majority leader had only embraced a half measure. McConnell signed on to a measure, which is expected to be approved as part of a must-pass spending bill, to provide cash to states to upgrade their election systems, but it doesn't mandate how it should be spent.

Senate Minority Leader Chuck Schumer (D-N.Y.) took to the Senate floor to bemoan the language supported by McConnell for not requiring changes such as paper ballots and post-election security audits experts say are vital to thwart hackers from Russia and elsewhere. 

“It doesn’t include a single solitary reform that virtually everyone knows we need, but it’s a start,” Schumer said.

A bill that delivers money for election security but doesn’t mandate any particular fixes is a good bargain for McConnell and many Republicans who are wary of expanding federal authority over state and local-run elections — and who fear blowback from President Trump if they talk too much about Russia’s 2016 hacking and influence operation aimed at helping Trump’s election.

McConnell, who has denigrated Democrats’ election security efforts as a “Trojan horse for partisan wish list items that would not actually make our elections any safer,” touted the cash-only deal on the Senate floor and even signed onto the amendment as a co-sponsor.The measure's main sponsors are Senate Appropriations Chairman Richard Shelby (R-Ala.), ranking Democrat Patrick Leahy (D-Vt.) and Sen. Chris Coons (D-Del.).

Sen. Amy Klobuchar (D-Minn.), who has sponsored numerous election security bills, warned  the new cash was “not a substitute for passing my comprehensive election security legislation.”

Even Leahy was quick to warn that $250 million isn’t nearly sufficient to protect the elections against hacking threats.

“I think more is needed and eventually we’ll have more, but this is a good start,” he said.

And then there was Sen. Ron Wyden (D-Ore.), who has been warning fellow Democrats against approving new election security money without mandating that states spend it wisely. He savaged the McConnell's move, noting that it even leaves open the possibility that some of the $250 million could go to election priorities other than cybersecurity.

“Mitch McConnell is desperate for this issue to go away, but this proposal is a joke,” Wyden said.

There’s also a cadre of Republicans, including Senate Homeland Security Chairman Ron Johnson (R-Wis.), who believe Congress did all that was necessary to protect elections when it delivered $380 million to states in 2018.

Johnson praised the work the Department of Homeland Security has done to improve election cybersecurity since 2016 when I spoke with him outside a DHS cybersecurity summit but said additional money from the federal government would not make elections more secure.

He also noted states have not yet spent all of the $380 million Congress provided for election security in 2018. The Election Assistance Commission, which is distributing that money, estimates about 85 percent of it will be spent before the 2020 election.

“We don’t need any more money. We just need to start doing what we need to do,” Johnson told me.

Most Democrats, on the other hand, fear that unless the federal government lays down some rules for how states can use the money there’s no guarantee they’ll actually ensure the 2020 election is better protected.

“Giving states taxpayer money to buy hackable, paperless machines or systems with poor cybersecurity is a waste,” Wyden said.

DHS’s top cybersecurity official Chris Krebs called the $250 million infusion “a good start” during a news conference at the DHS cybersecurity summit but declined to say how much money Congress should give states overall.

Krebs urged Congress and state legislatures to provide annual election security funding rather than one-time cash infusions and to focus that funding on long-range priorities, such as ensuring voting machines get regularly updated and replaced  and that cybersecurity audits are comprehensive and effective.

“As I talk to … state election directors, the thing they want more than anything on funding, whether it comes from their state or whether it comes from the federal government, is consistency, something they can set the budgeting clocks by,” Krebs said. “Because if it's these inconsistent mass injections of cash every 10 years or eight years, that creates some disruption.”

Krebs also expressed some skepticism about mandating election security changes, noting the majority of states have adopted cybersecurity best practices since 2016, including switching to paper records for ballots and conducting post-election cybersecurity audits.

“I don't know if we necessarily need to legislate towards edge cases where you have a county here or there that may go buy some DRE,” he said, referring to direct-recording electronic voting machines, which don’t produce a paper record of votes and that experts say are more vulnerable to hacking.

About 12 percent of U.S. voters probably will vote on paperless machines in 2020, down from about 20 percent in 2016, according to an August report from New York University’s Brennan Center for Justice. That number is likely to drop further as other counties transition to paper-based machines. 

Lawrence Norden, director of the Brennan Center’s Electoral Reform Program, called the Senate agreement on election security funding “an important step in the right direction” yesterday but warned that “the fight to secure the nation’s election infrastructure is far from over.”


PINGED: If the U.S. government wants to persuade allies not to use technology built by Huawei, it may have to fund its own technology, Krebs and Sen. Mark R. Warner (D-Va.) agreed at DHS’s Cybersecurity and Infrastructure Security Agency summit yesterday.

“Any kind of solution … will require active engagement from our government,” Warner said, urging Democrats and Republicans to abandon the idea of a “laissez-faire approach” to technology development.

The United States has had limited success urging allies to eschew next-generation 5G wireless technology built by Huawei over concerns about Chinese spying — partly because there are only a couple of competitors to Huawei in 5G and their offerings are all more expensive. That has put less wealthy countries looking for cheap options in a bind. Warner and Krebs called for the private sector and government to work together so that there are other products that can compete with the Chinese giant.

“I think the biggest opportunity facing the United States and our allies is to look at [5G technology] and say how can we use American, Western and Korean and Japanese innovation to take back that space,”Krebs said. He added that government support for technological development isn't unprecedented, citing the U.S. government's intervention in developing safer aerospace technology.

PATCHED: The Election Assistance Commission greenlighted the continued use of voting systems that run on Microsoft Windows 7, despite the fact that Microsoft will no longer provide security updates for that system starting in January, Sean Lyngaas at CyberScoop reports. EAC commissioners told lawmakers that decertifying the systems would have “wide-reaching consequences, affecting manufacturers, election administration at the state and local levels, as well as voters,” according to a letter obtained by Sean.

The decision raises questionss about whether EAC policies aimed at making election administration more convenient are also making elections less secure. The EAC won’t certify any new voting systems unless they run software that still receives security updates from vendors. But there are no regulations that require the EAC to decertify machines that are no longer patched for security updates or are set to stop receiving updates. That raises the specter of voting machines that become increasingly hackable as their software ages, an election security expert warned. 

“We are no longer in a time where we can think of computer systems as appliances where you can just plug them in and they’ll be fine,” Maurice Turner, senior technologist at the nonprofit Center for Democracy & Technology, told Sean. “We need to get ahead of this before we’re right back in the same scenario.”

PWNED: Federal investigators have charged two men that with what they say might be the biggest tech support scam uncovered to date, Thomas Brewster at Forbes reports.

The two scammers managed to rack up more than $10 million from nearly 8,000 victims — most of whom were seniors and less computer-savvy, Justice Department investigators say. The scammers employed a fake pop-up saying that the users' PCs had a virus to dupe them into paying for thousands of dollars in fraudulent IT support, the investigators said. 

“It is our duty as citizens to protect our growing elderly population, and it is our duty as law enforcement to investigate and arrest those …, who seek to make a profit through fraud and deception,” said Peter Fitzhugh, Homeland Security Investigations special agent in charge. The fraud ring operated for three years in both the United States and India, and there may have been more suspects involved though none have been named, Brewster reports.


— Cybersecurity news from the public sector:

Huawei Argues Ban on Doing Business with U.S. Government is Unconstitutional (Wall Street Journal)

Facebook’s Mark Zuckerberg seeks to reassure wary lawmakers about Libra, elections in rare D.C. trip (Tony Romm)

Navy moves to penalize contractors for poor cybersecurity (Inside Defense)

Lawmakers Intro Bill to Enhance Not-Yet-Revived Office of Technical Assessment (Nextgov)

Government cyber reskilling programs are just getting started, Federal CIO says - CyberScoop

How Hackers Could Break Into the Smart City (Wall Street Journal)


— Cybersecurity news from the private sector:

Why WeWork's at risk of sharing customers' private info (CNET)

The Internet of Things Is Still a Privacy Dumpster Fire, Study Finds (Vice)

A flaw in iOS 13 can expose your contact details, even though Apple was alerted about the problem in July (CNN)


— Cybersecurity news from abroad:

China’s scissor-hand selfie-takers warned of cybersecurity threat (South China Morning Post)


— Coming up: