With Tonya Riley
Lawmakers’ failure to impose any new security rules on state election officials in the $2.2 trillion coronavirus stimulus bill probably signals the end of any serious chance to pass significant election security changes before November.
The bill includes $400 million to protect elections during the pandemic. But it doesn't contain any requirements sought by Democrats that the money be used to expand voting by mail or early voting options. With the coronavirus spreading, several states delayed their primaries and there are worries that in-person voting may be compromised, too.
But the coronavirus stimulus legislation is the third such no-strings-attached cash infusion for election security since the 2016 contest was marred by a Russian hacking and disinformation operation. And with three strikes against them on efforts to mandate changes such as paper ballots, post-election audits and cybersecurity reviews, election security hawks are likely out — at least until after November.
“This was the last chance for coordinated federal action to help secure the 2020 election and unfortunately Congress has once again blown its chance,” Alex Halderman, an election security expert and computer science professor at the University of Michigan, told me. “It’s not surprising, but it ought to be scandalous that we’ve gone four years without Congress passing election security legislation.”
The Senate voted late yesterday to approve the massive stimulus bill, which also sends hundreds of billions of dollars to health-care centers, large and small businesses and citizens pushed out of work by the pandemic. The House will likely approve the package tomorrow and President Trump has pledged to immediately sign it.
The outcome marks a dramatic victory for Senate Majority Leader Mitch McConnell (R-Ky.), who has steadfastly opposed any security mandates being imposed on states in the three-and-a-half years since Russia’s unprecedented operation to undermine Hillary Clinton’s candidacy and aid Donald Trump’s. To date, lawmakers have delivered more than $1 billion for state and local election officials to use as they see fit.
It’s also a major loss for election security hawks who warn that not only Russia but other U.S. adversaries are likely to try to undermine the 2020 election and sow doubts about its legitimacy.
“I certainly would have been hopeful in 2017 that we could impose some [minimal requirements] on election security,” Lawrence Norden, director of the Election Reform Program at New York University's Brennan Center for Justice, told me. “It’s hard for anybody who’s been watching this Congress to say you’re surprised they don’t take basic actions, but it is disappointing.”
The $400 million for coronavirus-related election security changes that made it into the stimulus bill is also far lower than the $4 billion sought by House Democrats and the $2 billion sought by Democratic Senate sponsors of a bill that would have mandated no-excuse mail-in voting across the nation and broadened early voting. And it won’t be nearly enough if states have to substantially increase voting by mail or make other changes if the virus is still making large gatherings unsafe in November, experts warn.
“It’s unmistakable that $400 million is a very paltry amount,” Edward Perez, a former voting machine company executive who's now global director of technology development at the OSET Institute, a nonprofit election technology organization, told me. “You had legislators from both sides of the aisle who were quite comfortable spending significant amounts of money on everything except elections.”
States have made significant progress on election security since 2016, including a widespread shift to voting systems that include paper records so people can verify hackers haven’t changed their votes. About 90 percent of voters will cast ballots using those systems in November, according to a Brennan Center tally.
States have also added a raft of new digital protections around voter registration systems and voter rolls. And the Department of Homeland Security is now monitoring for cyberattacks across the nation and sharing digital threat information with state and local officials.
Democratic lawmakers have also pledged they’ll continue to fight for more money and election protection measures. In a statement after the stimulus bill was released, Sens. Amy Klobuchar (D-Minn.) and Ron Wyden (D-Ore.) pledged to push for “election reforms across the country” and declared that the “American people cannot be forced to choose between their health and exercising their right to vote.”
Klobuchar and Wyden have sponsored numerous such measures including a bill with Sen. Chris Coons (D-Del.) that would dramatically broaden mail-in voting during the pandemic.
But election security concerns are likely to worsen during the outbreak, which has prevented live-fire tests of new voting systems in some states such as Georgia that have delayed their primaries. It may also force officials to implement rapid changes to voting plans that could lead to technical debacles and create opportunities for hackers.
Even before the pandemic hit, 2020 elections were demonstrating how difficult it can be to make big changes to voting systems. During Iowa’s party-run Democratic caucuses, for example, an app meant to calculate delegates dramatically imploded, delaying results for days. A custom-built voting machine in Los Angeles County that officials spent years developing was also slowed by network problems, producing hours-long lines.
“Ramping up for elections during coronavirus is going to be one hundred times as difficult as those changes,” Norden said.
Anxiety created by the epidemic is also likely to make voters far more vulnerable to disinformation operations related to the election, whether from Russia or elsewhere.
“Given how fragile people are, how anxious and hungry for information in these uncertain times, that increases our vulnerability,” Perez said.
And if hackers catch even one state or locality unprepared in November, that could have ripple effects that damage confidence in the entire election.
“Security is a weakest link problem,” Halderman said. “In 2020 or future elections if even one state suffers a major election security breach, that’s likely to cause voters across the country to lose confidence.”
PINGED, PATCHED, PWNED
PINGED: Companies providing Internet modems and other devices to help Americans stay online during the pandemic need to ramp up their cybersecurity protections, says Sen. Mark R. Warner (D-Va.). Warner, who is vice chairman of the Senate Intelligence Committee, sent letters to six device providers including Google, Netgear and Belkin, urging them to ensure their devices can't be used to attack consumer and workplace networks and warning “the security of consumer devices and networks will be of heightened importance” during the pandemic.
Warner wants companies to issue quick fixes to any digital vulnerabilities and notify consumers about cybersecurity best practices. He’s also concerned that a rise in telework has given hackers more opportunities to attack company and government networks. Cybercrimes using coronavirus fears to swipe users' personal information have dramatically increased, researchers say.
Warner is also sponsoring a bill that would tighten cybersecurity requirements for Internet-connected devices used by the government.
PATCHED: A notorious Chinese hacking group has ramped up its activity during the pandemic, Christopher Bing and Raphael Satter at Reuters report. The hackers have targeted more than 75 clients of cybersecurity firm FireEye including manufacturers, health-care organizations and nonprofit groups, researchers there say.
The spike in activity could be related to tensions between China and the United States over trade and the recent coronavirus pandemic, FireEye security architect Christopher Glyer told Christopher and Raphael. Chinese hackers tend to be more targeted in their attacks, making the wide array of targets a departure from the norm, FireEye’s head of analysis John Hultquist told Reuters.
FireEye declined to name which clients hackers targeted but said the hacking group had tried to break into some companies using a flaw in enterprise software from Cisco and Citrix. Both companies say they worked with FireEye to identify the victims and fix the vulnerabilities.
The Chinese Foreign Ministry did not respond to FireEye’s allegations in a comment to Reuters.
PWNED: Web domain registrar Namecheap is blocking any new applications for web addresses that contain “coronavirus,” “covid,” and other words referring to the virus in an effort to crack down on scammers, Nick Statt at the Verge reports. The move comes after the Justice Department announced a restraining order against Namecheap on Sunday for hosting a website set up to sell fake coronavirus vaccines.
The company says it’s working with authorities to prevent more scammers from using its services to exploit coronavirus fears. Companies can still request domains with the banned words, but Namecheap will review their requests manually.
- The U.S. Election Assistance Commission will host a virtual public hearing on VVSG 2.0 Requirements at 10am on Friday.