with Tonya Riley
Lawmakers are especially wary of the possibility that hackers may cause even more chaos by disrupting congressional debates and remote voting if they rush to adopt a system that's insecure. And some fear a secure system may not be built until well after the pandemic has run its course.
“I have high confidence that we can create a system that would allow for us to debate and vote online in times of emergencies but that’s not something we should rush into, and we need to be mindful of security concerns,” Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, told me. “This would be a high value target for anyone from nation state actors to rogue hackers to try to disrupt proceedings or to undermine confidence in the system.”
Underinvestment in cybersecurity planning has left Congress struggling to complete even basic tasks during a crisis.
This makes it harder for lawmakers to act as a check on the White House, which is better equipped to continue working during the pandemic since it can make big decisions with just a few people in a room or by secure line.
“It’s as if one of the branches of government has decided to sit on the sidelines, and it’s time for them to get back in the game,” Paul Rosenzweig, a top Department of Homeland Security official during the George W. Bush administration, told me. “We have three branches of government and we need them to be checks and balances on each other during this time of crisis.”
Rosenzweig helped draft a letter signed by two dozen think tanks and advocacy groups urging Congress to include provisions in the next coronavirus stimulus bill establishing a system for all House members to vote remotely and boosting congressional technology funding to ensure that system is secure and reliable.
Plans inside Congress have been decidedly low-tech so far.
House members planning to return to Washington to vote on another coronavirus relief bill could also vote as soon as this week on a plan hatched by House Rules Committee Chairman Jim McGovern (D-Mass.) that would allow a handful of members in Washington to cast ballots on behalf of colleagues back home.
Some groups of lawmakers, including the Congressional Progressive Caucus, are also experimenting with remote hearings on Facebook, and there’s talk of holding some committee meetings via webcast.
But there’s little appetite for a large-scale technological fix in the House. One big concern is that less tech-savvy members couldn’t manage to use it securely without help from staff.
“Many members of Congress probably couldn’t handle two-step authentication from their laptops,” a senior House Democratic aide told me. “We have conference calls where people can’t even mute themselves or get off mute. There’s a big tech gap that’s going to be problematic."
There’s also widespread concern that remote voting systems could face legal challenges from people who say it doesn't meet constitutional requirements for what counts as a vote in Congress. These concerns – along with a slew of technical and security hurdles to remote voting – were outlined in a 23-page House Rules Committee report that detailed potential options in March.
“If this is challenged in the courts and we’ve passed 40 laws that have been enacted and the Supreme Court invalidates them all, that’s a nightmare,” the senior aide said.
The Senate has already outright rejected any efforts for remote voting.
That's the verdict from Senate Majority Leader Mitch McConnell (R-Ky.) and Rules Committee Chairman Roy Blunt (R-Mo.).
Sen. Amy Klobuchar (Minn.), the Rules Committee’s top Democrat, is pushing for a way that the body can vote without members returning to Washington but has been stymied by objections from McConnell, a staffer in her office told me.
Asked about whether such a system could be created securely, a Democratic staffer on the Rules Committee said, “Cybersecurity is a key consideration with any technology implemented in the Senate.”
But remote voting advocates say cybersecurity concerns are overblown.
Making online voting secure for lawmakers is far easier than for the general public, they say, because lawmakers don’t remain anonymous when they vote. That means it would be difficult, if not impossible, for a hacker to change a vote without the lawmaker noticing and correcting it.
Congressional lawmakers could simply hold a large video conference and make speeches or vote one by one when their names are called, said Daniel Schuman, policy director for Demand Progress, one of the lead groups advocating for remote voting. That's basically an online version of what they do in Washington.
To be extra secure, lawmakers could also verify their votes are recorded correctly using email, Schuman said.
He also downplayed concerns about lawmakers not being able to handle the technology.
“They may not be tech savvy but they’re not stupid,” he said. “People are managing all sorts of technology solutions and the simple things work best. My 7-year-old can do teleconferencing. It’s not that hard.”
Schuman’s organization also helped organize a mock online hearing at Georgetown University last week to demonstrate how such a hearing would work. It was chaired by former Rep. Brian Baird (D-Wash.) and included testimony from retired Gen. David Petraeus, who described the military's use of teleconferencing, as well as technologists and lawmakers from other nations that have embraced remote work.
Other nations’ governments are moving far more quickly toward remote meetings.
The European Union Parliament is already holding some votes using email during the pandemic. The United Kingdom’s Parliament is expected to approve a plan today that would allow up to 120 of its 650 members to participate in some proceedings using the Zoom app and it may extend the system to legislative debates later.
State lawmakers in New Jersey and Pennsylvania are also testing remote voting. And even the U.S. Supreme Court plans to hear some arguments by telephone next month.
Langevin said he's confident the pandemic will spur Congress to be better prepared for remote voting before the next crisis – but that's unlikely to happen in the next few months.
“Necessity is the mother of invention and there’s no doubt that creating an e-Congress capability will take on greater urgency after this,” he said. “I believe that for any future crisis we will have that capability, but we need to make sure it is secure and well thought out.”
The keys
Republicans are ramping up claims that voting by mail will lead to fraud.
Rep. Greg Walden (R-Ore.) is joining the chorus of GOP officials claiming voting by mail could lead to fraud – even though his state votes almost entirely by mail. Other states lack Oregon's safeguards and won't be able to put them in place before November, he told Fox News yesterday.
“I think mandating that every state has to have vote by mail with just a few months before the election is really dangerous, frankly, for the electoral integrity and the outcome of the election,” Walden said.
That echoes similar concerns from House Minority Leader Rep. Kevin McCarthy (R-Calif.) and President Trump who called online voting “horrible,” “corrupt” and prone to widespread fraud earlier this month.
But Democrats disagree. They’re demanding $4 billion and a guaranteed option to vote by mail for all Americans, which they say is vital so people don’t have to risk their health to cast ballots. Progressives including Reps. Alexandria Ocasio-Cortez (N.Y.), Pramila Jayapal (Wash.), Mark Pocan (Wis.) Rashida Tlaib (Mich.), Ayanna Pressley (Mass.) and Ilhan Omar (Minn.) touted a vote-by-mail requirement as one of their priorities for the next coronavirus stimulus bill during a Facebook Live event yesterday along with actions to halt layoffs and ensure financial support for lower-income people.
States are already moving forward on expanding vote-by-mail. Officials in several states that require an excuse for absentee voting are declaring the pandemic an appropriate excuse for all voters during primary elections, per a rundown from the Brennan Cyber at New York University.
New York is preparing to announce plans to send mail ballots to all absentee voters, reports Zach Fink at NY1:
NEW: @NYGovCuomo is expected to issue an Executive Order allowing all registered voters to vote by mail in the special elections and primaries set for June 23.
— Zack Fink (@ZackFinkNews) April 20, 2020
The Governor recently expanded absentee voting, but voters had to apply. Now, ballots will automatically be mailed out
The Supreme Court may limit the reach of a controversial decades-old computer fraud law.
Justices will hear an appeal this term from a former police officer who was convicted under the 1986 Computer Fraud and Abuse Act for digging through law enforcement records for information that he sold to an acquaintance, Lawrence Hurley at Reuters reports.
The case will test whether the law can be used to charge people for misusing computer records they rightfully have access to. If justices rein in the law, it would be the biggest change in years to the nation’s main anti-hacking statute, which cybersecurity experts say is overly broad and out of step with the modern Internet.
Lawyers for the plaintiff, Nathan Van Buren, say his conviction opens the door for prosecuting anyone who uses a computer in a way their employer doesn't like – even for things as innocuous as using a work computer for a sports betting pool.
But the Justice Department is urging the court to leave the law unchanged. Officials there say prosecutors already have guidance that prevents the act being used too broadly.
A government watchdog wants the State Department to step up its cybersecurity defenses.
The new Government Accountability Office report adds cybersecurity to a list of high priority open recommendations the department needs to move faster on.
Top priorities include changing how the department hires cybersecurity-related positions and establishing a better process for managing cybersecurity incidents that threaten both national security and employee privacy.
The State Department agreed with the recommendations and said it began working on a fix in January.
Hill happenings
Trade groups say Congress must boost cybersecurity funding for state and local governments in the next coronavirus bill.
Top tech and cybersecurity trade groups said in a letter to House leadership that state and local governments were already facing serious cybersecurity woes and increased remote working during the pandemic has made them even more vulnerable.
The letter endorses a plan submitted earlier this month by Reps. Bennie G. Thompson (D-Miss), chairman of the Homeland Security Committee, and Cedric Richmond (D-La.), who chairs the committee’s cybersecurity panel.
Groups that signed the letter include the Alliance for Digital Innovation, BSA | The Software Alliance, Computing Technology Industry Association, Cyber Threat Alliance, Cybersecurity Coalition and Global Cyber Alliance
In other government security news:
Cyber insecurity
Your Facebook information is at risk — again.
A hacker dropped the profile details of 267 million users, including email addresses, names, dates of birth and phone numbers online for the cheap price of $540, Zak Dorffman at Forbes reports.
No passwords were stolen, but it's enough information for hackers to craft a phishing campaign to steal more valuable data, Zak writes.
Privacy patch
Microsoft executives say the coronavirus pandemic underscores the need for a federal privacy law.
“In the U.S., the need for this conversation in the midst of a pandemic underscores the urgency for a strong federal privacy law,” write Julie Brill, chief privacy officer, and Peter Lee, corporate vice president for research and regulation.
“An updated legal framework placing obligations on businesses that collect and use personal data would help provide the necessary guardrails for companies to know how to protect and respect personal data as they create tools and technologies to address urgent societal needs.”
The Washington state tech giant is weighing in on a growing debate between privacy and public safety as it is providing AI to researchers, developing a self-checking tool and protecting hospitals from ransomware. The executives also released privacy principles to which they urge governments to adhere when using technology in their responses, including:
- Providing transparency around why data is collected and how it is used
- Giving people a choice over where their data is stored
- Limiting data use to public health applications
- Deleting data once the emergency is over
Daybook
Today:
- The Open Technology Institute will host an online event on work-from-home digital security today at 11 a.m.
Coming up:
- The R Street Institute will host a discussion on "EARN IT Act and Its Broader Implications for Encryption and Cybersecurity" on April 28 at 2 pm.
Have an event you want our readers to know about? Email tonya.riley@washpost.com.
Secure log off
Viruses vs. Viruses. Preparing to respond to a cybersecurity incident can be a lot like responding to a pandemic.
Dragos's Lesley Carhart:
“You’ll never know a threat is 100% contained, but through careful analysis you can make a competent risk management decision that it has been contained within tolerances”... 😑
— Lesley Carhart (@hacks4pancakes) April 20, 2020