THE KEY

Illinois was ground zero for Moscow’s election interference efforts in 2016 when Russian hackers compromised a voter registration database managed by the state board of elections.

So today lawmakers on the House Homeland Security Committee are heading there for a gut check on whether Illinois and other states are ready to protect future elections. And the top-line assessment they’ll get at today’s hearing in Gurnee, Ill., is: There’s still a long way to go.

Illinois has significantly strengthened protections of voter databases since the 2016 breach and invested more than $13 million in other security measures, including creating a “cyber navigator” program that sends security experts across the state’s 108 voting jurisdictions to find and fix digital vulnerabilities. The state is also getting weekly cybersecurity hygiene scans from the Department of Homeland Security and has prepped cybersecurity experts with the Illinois National Guard to deploy to polling places on Election Day if needed.

But Illinois is still hampered by voting machines that are more than a decade old and rely on outdated software that could make them more vulnerable to hackers. Replacing those machines across the state could cost $175 million or more, Steve Sandvoss, executive director of the Illinois Board of Elections, told me.

“We’ve taken some good steps toward improving our security and I feel far better than I did right after 2016,” Sandvoss plans to tell lawmakers during the hearing. “But cybersecurity is an evolving thing. You’re trying to stay a step ahead of the bad guys, but the bad guys are pretty resourceful.”

Many of Illinois’s voting machines weren’t designed to print paper ballots — which experts say are vital for election security — so they’ve been rigged with a paper backup system that can easily malfunction and is difficult to audit, Elizabeth Howard, democracy counsel at New York University’s Brennan Center for Justice, who will also testify at the hearing, told me.

But it will be extremely tough to replace those machines without a significant infusion of cash from Congress — and Senate Majority Leader Mitch McConnell (R-Ky.) has been wary of spending more money on election security after Congress committed $380 million in 2018. McConnell recently relented and endorsed sending another $250 million to states but that's far short of the $600 million in a House-passed bill. And it's way less than the $2.2 billion over five years the Brennan Center says is needed to address the problem nationwide.  

“Election officials in Illinois and across the rest of the country have taken many important steps to improve our election infrastructure since 2016, but there’s a lot of work still to do,” said Howard, who was previously deputy commissioner for the Virginia Department of Elections.

Howard plans to call on Congress to “provide a consistent, ongoing funding source” for election security and “to pay [its] fair share of the costs associated with protecting our democracy.”

House Homeland Security Chairman Bennie G. Thompson (D-Miss.) also plans to call out the Senate for not committing to new election security spending, according to an opening statement his office shared with me.

“The federal government — especially Congress — must understand the resource constraints of local election officials and partner with them to address vulnerabilities to election infrastructure,” Thompson plans to say.

Illinois was long thought to be the only place where Russian hackers penetrated voter databases or any other election infrastructure before the 2016 contest. But the report from former special counsel Robert S. Mueller III later revealed breaches in two other counties that appear to be in Florida.

In all cases, there’s no evidence hackers changed voter information or accessed anything that could have affected actual vote tallies.

Still, the breach forced Illinois into the spotlight of a national debate and officials there ultimately had to alert 76,000 voters that their information was compromised. 

“The 2016 breach served as a wake-up call to us and I think to other states,” Sandvoss told me. “It’s not just speculative. It actually happened here. And, looking toward 2020, because it’s a presidential year, the stakes are really high.”

Correction: This article has been corrected to state that the 2016 breach by Russian hackers compromised a voter registration database managed by the Illinois State Board of Elections.  

PINGED, PATCHED, PWNED

PINGED: The Democratic National Committee is warning presidential campaigns to be on the lookout for a surge in disinformation operations in advance of tonight’s debate, Ryan Lizza writes for Politico.

The alert is part of a series of security missives from the DNC and warns of “heightened disinformation and discourse manipulation activity leading up to, during, and after the debates with the goal of polarizing opposing Democratic supporters.”

Ryan describes a massive Democratic operation to track and combat disinformation – both from foreign adversaries and Republican and Democratic opponents. It includes a DNC software tool called Trendolizer that tracks trending disinformation, a disinformation war room inside Twitter headquarters and a fast track communication operation with third-party fact checkers Facebook relies on to correct false narratives.

But correcting disinformation can be tricky. “When contemplating a response to disinformation narratives, campaigns should consider whether misinformation has reached a tipping point where the costs of ignoring the issue are higher than the costs of the amplification that a response might generate,” the DNC privately instructed presidential campaigns.

PATCHED: Germany will not ban Chinese telecommunications giant Huawei from its 5G networks, snubbing warnings from the United States that the company poses a national security threat, Andreas Rinke and Douglas Busvine at Reuters report

Preemptively banning Huawei, which is used extensively by major German telecommunications companies, could delay the launch of a 5G network by years and cost billions of dollars, German officials say. U.S. officials have argued to European allies that saving money by contracting with Huawei isn't worth the risk that the technology will be used for espionage by China.

A recent E.U. analysis privately warned member nations of serious security risks Huawei poses to 5G networks, Anna Isaac and Parmy Olson of the Wall Street Journal report. But the E.U. has stopped short of urging members to ban the company.

PWNED: Apple has come under fire for potentially sharing customers’ IP address and location data with Tencent, a Chinese Internet company with government ties, Mark Gurman at Bloomberg News reports. The partnership, which Apple didn’t alert users about, raises questions about the tech giant's willingness to look the other way as companies that collect data on citizens for Beijing use its platform. 

The data was collected as part of an iPhone and iPad security feature that checks to make sure users aren't visiting malicious web addresses. Apple maintains the feature doesn't share web addresses with Tencent and that users’ IP addresses are shared only when the app sends a warning about a suspicious website.

PUBLIC KEY

A rewards program for ethical hackers sponsored by U.S. Cyber Command has uncovered nine “high severity” digital vulnerabilities and one “critical vulnerability” across Department of Defense systemsShannon Vavra at CyberScoop reports

Ethical hackers also found 21 other vulnerabilities of medium and low severity, all of which affect the virtual networks the Pentagon uses to allow employees to remotely access private government servers. The findings follow recent warnings from the National Security Agency that multiple foreign adversaries have been targeting virtual private networks.

Hackers were paid $33,750 for exploits found during the two-week bug bounty. This is the eighth bounty the Defense Department has run with contractor HackerOne since the partnership started.

— More cybersecurity news from the public sector:

Amazon.com Inc's cloud computing arm is making an aggressive push into one ...
Reuters
If American businesses want to stop “playing by China’s rules” and challenge its anti-democratic actions, they will need firm support from the federal agencies charged with protecting them from Chinese hackers, Sen. Ben Sasse says.
CyberScoop
The Lone Star State was the latest respond to a ransomware attack by making it a statewide emergency.
StateScoop
Information Technology Industry Council is renewing its focus on public sector with the addition of FBI CIO Gordon Bitko.
Federal Computer Week

PRIVATE KEY

— Cybersecurity news from the private sector:

Apple Macs are under attack from cryptocurrency-loving North Korean government hackers, according to researchers.
Forbes
Shipping tech giant Pitney Bowes has confirmed a cyberattack on its systems. The company said in a statement that its systems were hit by a “malware attack that encrypted information” on its systems, more commonly known as ransomware.
TechCrunch
Thoma Bravo will acquire British network security firm Sophos for $3.8 billion in cash, the firms announced Monday, marking another major deal that could reshape a decades-old security vendor.
CyberScoop

THE NEW WILD WEST

— Cybersecurity news from abroad:

China is using a seemingly benign mobile app and translation service to hoover up billions of pieces of data inside its borders and around the world, according to reports published in recent days.
Wall Street Journal
China’s Huawei Technologies is ready to enter into a “no backdoor” agreement with India to allay security concerns, the telecom group’s local head said on Monday, as the giant South Asian country prepares to launch next generation 5G networks.
Reuters
A proposal for a memorandum of understanding concerning offensive cyber effects operations in systems or networks based in allied territory.
Lawfare Blog

ZERO DAYBOOK

— Today:

  • The House Committee on Homeland Security will host a Field hearing “Preparing for 2020: How Illinois is Securing Elections” at 10 a.m. in Gurnee, Ill.
  • R Street Institute will host an event on the National Security Implications of Patents at 12pm at the U.S. Capitol Visitor Center, First Street NE, Washington, DC.

— Coming soon:

  • The House Committee on Homeland Security will host a hearing on “Public-Private Initiatives to Secure the Supply Chain” on Wednesday at 10 a.m.