The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Senate panel wants politicians to put party aside for election security. Fat chance in 2020.

with Tonya Riley


A long-awaited Senate Intelligence Committee report admonishes politicians to forget about politics when dealing with election interference operations and to exercise maximum restraint before suggesting an election was hacked or corrupted.

Good luck with that. 

"Restraint" is not the operative word in the Trump era. The bipartisan report arrived just days after President Trump’s 2020 campaign manager Brad Parscale suggested without evidence on Twitter that a long delay in reporting Iowa caucuses results was because of a #RiggedElection. In fact, the count was marred by technical issues

And while the Republican-run committee states "the President of the United States should take steps to separate himself or herself from political considerations when handling issues related to foreign influence operations,” Trump has not been living by that mantra. Nor has he been “explicitly putting aside politics when addressing the American people on election threats.” 

The president has openly contemplated accepting dirt on his opponents from foreign nations in the 2020 race -- and cast doubt on the intelligence community’s conclusion that Russia interfered on his behalf in 2016. And the Senate acquitted the president just this week after the House impeached him for pressuring Ukraine’s leader to help dig up dirt on the family of a political rival, former vice president Joe Biden. 

“I’m concerned about what the president will do” in the 2020 race, Sen. Angus King (I-Maine), a committee member who helped draft the report, told me. 

“Our system rests upon trust that when you mark your ballot it will be counted … To the extent our leaders cast doubt on that system, it undermines the entire process,” he said.  

“Right now, it’s very difficult to see a path forward to how these recommendations are going to be adhered to,” said Ari Schwartz, a top cybersecurity official on the National Security Council during the Obama administration. 

Those concerns highlight a glaring gap in the nation’s election security preparations even as the Department of Homeland Security has launched a cross-country effort to vet the cybersecurity of election systems since 2016 and federal and state lawmakers have devoted more than $900 million to strengthening protections.

“If there’s inconsistency in messaging at the very top — as there has been — that undercuts anything that the rest of the administration is trying to do to deter this kind of behavior,” warned Chris Painter, who was the Obama administration's top cybersecurity diplomat during Russia’s 2016 foreign interference operations.

The broader report — which is the third of five the committee plans to release from its investigation into Russia’s election manipulation efforts — criticizes the Obama administration for being too slow and timid in its response and too hamstrung by political concerns. 

Specifically, the report faults the former administration for balking at striking back against Russia’s behavior before the election because officials feared that retaliating against Russia for leaking hacked emails from the Hillary Clinton campaign could be read as a partisan move to help the Democratic candidate. 

The report also notes, however, that those failures are “understandable” given limited information the administration had at the time, as my colleagues Karoun Demirjian and Devlin Barrett report. Officials didn’t know how aggressively Russia would respond to any counterpunches and worried they “might attempt to affect electoral infrastructure,” the report states.

So, instead of punching back, Obama personally warned Russian President Vladimir Putin about unspecified “consequences” if Moscow’s efforts escalated, and national security adviser Susan E. Rice, Secretary of State John F. Kerry and CIA Director John O. Brennan delivered similar warnings to their Russian counterparts.

“This level of interference in a U.S. election process was a relatively new thing [and] it took a while to get our arms around what exactly was going on,” Michael Daniel, who was White house cybersecurity coordinator at the time, told me. “It’s hard to wind the clock back to early July 2016 and not apply the lens we have now," said Daniel, who is now president of the Cyber Threat Alliance. 

The report includes an “additional views” addendum from Republican committee members James Risch (Idaho), Marco Rubio (Fla.), Tom Cotton (Ark.), John Cornyn (Tex.) and Ben Sasse (Neb.) that treats the Obama administration far more harshly.

“Hollow threats and slow, hapless responses from the administration translated to perceived weakness on the part of the U.S., and Putin exploited that weakness with impunity,” the Republicans write. “It appears to us that either the Obama administration was woefully unprepared to address a known and ongoing national security threat, or even worse, that the administration did not take the threat seriously.”

A separate addendum from Sen. Ron Wyden (D-Ore.) knocks the Obama administration for not informing lawmakers and the public more quickly about the scope and scale of Russian activities.

The full report stops short of faulting the Obama administration for that but warns that in future interference campaigns the public should be notified as quickly as possible.

“The cat’s out of the bag now,” King told me. “We know there will be attempts to meddle in this election, so the argument that we shouldn’t mention it because it will undermine public confidence is really moot at this point and it’s important we get quick and accurate information out.”


PINGED: Problems set off by a malfunctioning vote-counting app continue to plague the Iowa caucuses, which have yet to determine a clear winner more than three days after the contest. 

Democratic National Committee Chairman Tom Perez called for a recanvass yesterday -- essentially a recount of all paper records -- following a New York Times report that the first count was riddled with errors and inconsistencies.



Top Republicans, meanwhile, admonished the company Shadow Inc., which created the app. "In order for democracy to work, Americans must believe the results of their elections, and caucuses, are rock-solid and secure beyond a shadow of a doubt,” Homeland Security Committee ranking Republican Rep. Mike Rogers (Ala.) and House Administration Committee ranking Republican Rep. Rodney Davis (Ill.) wrote in a letter yesterday to Shadow chief executive Gerard Niemira. “Unfortunately, by choosing not to test your app for any technical glitches prior to its roll-out, your company has caused significant doubt over the Caucus results and, consequently, has undermined electoral confidence.”

The pair also slammed Niemira and Iowa Democrats for reportedly declining an offer from DHS to test the app and ignoring warnings from the DNC's top cybersecurity expert.

PATCHED: Trump unleashed “apoplectic” anger at Boris Johnson in a phone call after the United Kingdom prime minister announced a decision to allow the Chinese telecom Huawei a limited role in building his nation’s next-generation 5G telecommunications network, Sebastian Payne and Katrina Manson at the Financial Times report

In public, White House officials expressed more muted disappointment at the decision, which defied months of warnings by the United States to its allies that the Chinese telecommunications giant can’t be trusted not to aid Beijing spying. 

U.S. officials meanwhile are broadening their options for competing with Huawei.

Attorney General William P. Barr suggested in a speech yesterday that the United States should consider investing in Finland’s Nokia and Sweden’s Ericsson, which are also major builders of 5G equipment, to counter China’s dominance in the market, my colleagues Ellen Nakashima and Jeanne Whalen report.

The White House is also working with U.S. tech companies including Microsoft, Dell and AT&T to create 5G software that would help companies reduce their reliance on Huawei equipment.

Huawei has denied aiding Chinese government spying.

PWNED: States have a generally positive view of assistance the Department of Homeland Security's cybersecurity arm has provided in safeguarding state and local elections, a government watchdog reported yesterday. That's a significant change in course from when states balked at the increased role in election security tasked to DHS in 2017.

But the Cybersecurity and Infrastructure Security Agency has not yet completed its plans to safeguard the 2020 elections, which kicked off this week in Iowa. 

“In the absence of completed plans, CISA is not well-positioned to execute a nationwide strategy for securing election infrastructure before the start of the 2020 election cycle,” the Government Accountability Office report released yesterday notes.

The cybersecurity agency's plans will focus on protecting election infrastructure and sharing intelligence and identifying threats, both key concerns for lawmakers. But the agency faces challenges including inadequate resources to meet the need of local election jurisdictions, hindered ability to access social media sites to collect threat information and limited capacity for field staff to respond to incidents on Election Day, according to the report.

Without finalized plans it's unclear how CISA will address those concerns, the report warns.

CISA previously intended to finalize election plans by January but cited reorganizations within the organization as a cause for the delay. The agency has seen a significant turnover during the Trump administration, drawing scrutiny from Democrats.


— Cybersecurity news from the public sector:

After the Iowa Caucus Meltdown, New Hampshire Says It’s Ready (Wired)

Feds are lining up more indictments related to Chinese cyber-activity, officials say (CyberScoop)

Brazilian judge delays "for now" decision on indictment of U.S. journalist Greenwald (Reuters)


— Cybersecurity news from the private sector:

Ransomware suspected after DC-lobby firm CUNA knocked offline (TechCrunch)

Skeletons In The Closet: $2 Billion Cybersecurity Firm Darktrace Haunted By Characters From HP’s Failed Autonomy Deal (Forbes)


— Cybersecurity news from abroad:

Malaysia warns of Chinese hacking campaign targeting government projects ( ZDNet)

Saudi Aramco sees increase in attempted cyber attacks



  • Georgetown Law’s Institute for Technology Law & Policy in partnership with the Georgetown Law Technology Review  will co-host a daylong conference on “Election Integrity in the Networked Information Era on from 9 a.m. to 5 p.m.

Coming up:

  • The Senate Homeland Security and Governmental Affairs Committee will host hearings to examine a roadmap for effective cybersecurity, focusing on what states, locals, and the business community should know and do on Tuesday at 9:30 a.m.
  • The Senate Committee on the Judiciary, Subcommittee on Intellectual Property has scheduled a hearing entitled “The Digital Millennium Copyright Act at 22: What is it, why was it enacted, and where are we now” for Tuesday at 2:30 p.m
  • The Senate Armed Services Committee will host hearings to examine United States Special Operations Command and United States Cyber Command in review of the Defense Authorization Request for fiscal year 2021 and the Future Years Defense Program on Thursday at 10 a.m.
  • RSA Conference 2020 is scheduled for Feb. 24 to 28 in San Francisco