with Tonya Riley

A bipartisan Senate report on Russia's 2016 hacking operations may be the last major catalyst for lawmakers to make meaningful election security changes before the 2020 contest. 

The heavily redacted Senate Intelligence Committee report unanimously endorses the intelligence community’s conclusion that Russian President Vladimir Putin was instrumental in directing a wide-ranging hacking and influence effort aimed in part at helping elect President Trump. It’s a bipartisan congressional rebuke of “President Trump’s oft-stated doubts about Russia’s role in the 2016 race,” as my colleague Ellen Nakashima reports

But it came out the same day Congress passed a $484 billion stimulus bill aimed at aimed at shoring up small businesses during the coronavirus pandemic — which didn’t include any money to make elections more secure during the crisis. And it’s far from clear whether more money will come through in time to help. 

It's the latest disappointment for election security advocates who say far too little has been done since 2016.

They worry about both Russian hacking and the public health risks that polling sites could face during the pandemic. The disparity reflects an almost-four-year routine in which lawmakers’ alarm about election security has outpaced their financial commitment to it. 

“States are being forced to make massive adjustments to the way they conduct elections… in light of the covid pandemic,” Lawrence Norden, director of the Brennan Center’s Election Reform Program, told me. “That will cost money [and] there is time, but not much. State and local governments really need to see that money in the next coronavirus package.” 

Lawmakers pounced on the report to warn Russia is already working to upend November’s contest. 

But there was no call for specific reforms or federal help in the comments from the Republican leader.  “Russia’s aggressive interference efforts should be considered ‘the new normal,’ ” said Sen. Richard Burr (R-N.C.), the committee’s chairman. “That warning has been borne out by the events of the last three years, as Russia and its imitators increasingly use information warfare to sow societal chaos and discord. With the 2020 presidential election approaching, it’s more important than ever that we remain vigilant against the threat of interference from hostile foreign actors.”

The committee’s vice chair, Sen. Mark Warner (D-Va.), warned “there is certainly no reason to doubt that the Russians’ success in 2016 is leading them to try again in 2020, and we must not be caught unprepared.” 

But election security efforts so far are nowhere near where advocates say they should be. 

The Brennan Center has estimated it would cost about $2 billion to fully secure U.S. election systems against Russian hacking and another $2 billion to establish universal voting by mail and make other changes to make voting safe during the pandemic. 

So far, though, Congress has devoted just about $1 billion to election overhaul since 2016. That includes $400 million passed in Congress’s first coronavirus stimulus bill in March, after Democrats unsuccessfully pushed for $4 billion and for universal access to voting by mail and expanded early voting.

And lawmakers haven't mandated that any of the money be used for specific changes supported by experts, such as mail voting during the pandemic so voters don't have to visit unsafe polling sites and paper records for ballots so they can verify their votes weren't changed. 

All eyes are on the next stimulus bill. 

Senate Minority Leader Charles Schumer (D-N.Y.) pledged yesterday that election reforms will be among Democrats’ top priorities in any future coronavirus stimulus bill, along with financial support for state, local and tribal governments and hazard pay for medical workers.  

We must make sure that our elections this fall are conducted fairly, that states have enough money to run them properly, and that every American can exercise his or her constitutional franchise safely and confidently,” Schumer said.

But Senate Majority Leader Mitch McConnell (R-Ky.) is pushing back against the idea of any additional stimulus during the pandemic, telling my colleagues Erica Werner and Seung Min Kim that he wants to “push the pause button” on additional spending legislation, at least until lawmakers return to the Capitol in person, which is scheduled for May 4. 

Meanwhile, the time window for state and local officials to make substantial and meaningful reforms to elections is rapidly closing. 

Other Democrats also used the report to tout stricter rules on states in exchange for funding.

They’ve long favored this move, but have been stymied by McConnell, who opposes any new rules for state election officials. He says they would violate states rights and could serve Democrats' electoral priorities.

Here’s Sen. Kamala Harris (D-Calif.), a sponsor of several election security bills:

And Sen. Cory Booker (D-N.J.):

Sen. Chris Van Hollen (D-Md.) blamed McConnell for blocking reforms. 

Sen. Ron Wyden (D-Ore.) also bemoaned the failure to mandate paper ballots and other election security measures in an appendix to the Senate report. He called it “a threat to democracy” and warned it impedes the government’s ability to determine whether election systems were hacked or not.

“The actions of our adversaries challenge our intelligence capabilities,” he wrote. “In this case, in which audits are inadequate, state and local election officials lack the expertise and resources to identify sophisticated cyberattacks, and [the Department of Homeland Security] lacks comprehensive, nation-wide information, the harm is partly self-inflicted.” 

NOTE TO READERS ON OUR NEW LOOK: We debuted a redesign of The Cybersecurity 202 this week, aimed at making this tipsheet cleaner, sharper and easier to read. Please let us know what you think here. Thanks for being a Cybersecurity 202 reader, and tell your friends to sign up here.

The keys

Nearly 25,000 emails from global health groups responding to the pandemic have been leaked online.

The email addresses and passwords allegedly belonging to National Institutes of Health, the World Health Organization, the Gates Foundation and other groups on the front lines of the coronavirus response are already being used in a harassment campaign by far right groups including Neo-Nazis and white supremacists, my colleagues Souad Mekhennet and Craig Timberg report

The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic,” Rita Katz, executive director of SITE Intelligence Group, which monitors online extremism and first spotted the leak, told my colleagues.

SITE could not confirm whether the emails were legitimate but Australian cybersecurity expert Robert Potter said he verified that the WHO email addresses and passwords were real. The NIH, Centers for Disease Control and Prevention, WHO and World Bank did not immediately reply to requests for comment Tuesday evening. The Gates Foundation said it was monitoring the situation but had no indication of a data breach.

The emails appear to be compiled from earlier leaks, rather than newly stolen by hackers, per the New York Times's Nicole Perlroth:

China, Iran and Russia are bombarding the United States with coronavirus disinformation.

The phony messages include that the coronavirus is an American bioweapon, that American sanctions are killing Iranians and that the U.S. economy is faltering under the economic weight of the disease, the State Department warns in a report obtained by Betsy Woodruff Swan at Politico

The three powers are pushing similar messages, which is quite rare, the report notes. The coronavirus accelerated the alignment, which centers on painting China as a global leader at the United States’ expense. China has even allowed some Russian propaganda into its tightly controlled online information system, the head of the department's Global Engagement Center, Lea Gabrielle, told Betsy. 

The Chinese Embassy and Russian Embassy denied responsibility for any disinformation; the Iranian Embassy denied involvement and instead claimed the United States was behind the disinformation.

Senators call on government to defend hospitals from hackers.

The senators want the Department of Homeland Security and U.S. Cyber Command to consider issuing a joint statement warning of serious consequences for hackers that damage hospitals during the pandemic. It could be modeled on a March warning the agencies issued about hacker efforts to undermine U.S. elections, they say.  

“[O]ur country’s healthcare, public health, and research sectors are facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” the senators wrote in a letter to DHS’s top cybersecurity official Christopher Krebs and Cyber Command chief Paul Nakasone. 

Those threats are coming from China, Iran, Russia and North Korea, they say. The group, which included, Sens. Richard Blumenthal (D-Conn.) Tom Cotton (R-Ark.), Mark Warner (D-Va.), David Perdue (R-Ga.), and Edward J. Markey (D-Mass.) also called on the agencies to: 

  • Increase reporting on threats faced by the health care, public health and research sectors
  • Coordinate with the Department of Health and Human Services, Federal Trade Commission and FBI to investigate cyberattacks and disinformation
  • Provide direct resources to health-care providers and the National Guard Bureau
Volunteer cybersecurity pros identified more than 2,000 vulnerabilities in health-care institutions in 80 countries. 

The group known as the Cyber Threat Intelligence League was launched to combat coronavirus-related hacking in March. 

The league has also helped take down 2,833 criminal domains, including 17 designed to impersonate government organizations, the United Nations, and the World Health Organization, according to its report.

The group, which has grown to more than 1,400 volunteers across 76 countries, won praise from Krebs:

Coronavirus fallout

The Small Business Administration told 8,000 small-business owners their personal information may have been exposed.

The computer bug has been fixed and there's no evidence data was misused, the SBA told CNBC.

Coronavirus fraud continues to climb, the Federal Trade Commission reports.

And there's this from the FBI:

Securing the ballot

Sixty-seven percent of Americans support implementing vote-by-mail measures during the pandemic.

That's according to a new NBC News-Wall Street Journal poll. Other findings include:

  • About 58% of voters favor changing election laws permanently to allow voting by mail.
  • 39% oppose a permanent change
  • But one-quarter of that 39 percent says mail-in voting should be allowed this November because of the coronavirus.

Global cyberspace

U.K. officials are standing by their decision on Huawei.

The United Kingdom's move to allow the Chinese telecommunications company to help build its next-generation 5G networks was pilloried by U.S. officials. But it's "a firm decision and is not being reopened, Simon McDonald, permanent undersecretary at the foreign ministry said yesterday, according to Reuters. The current policy caps Huawei involvement at 35 percent of the nation’s 5G infrastructure. U.S. officials say Huawei poses a Chinese spying risk, which the company rejects.

But nine telecommunications carriers are still pushing back. They sent a letter on Friday expressing support for an inquiry into 5G security by Parliament's defense committee. The companies, including Airspan and Mavenir, say they can offer a safer alternative to Huawei using 5G software technology.

In other international security news: 

Hackers working in support of the Vietnamese government have attempted to break into Chinese state organisations at the centre of Beijing's effort to contain the coronavirus outbreak, U.S. cybersecurity firm FireEye said on Wednesday.

Privacy patch

Marc Rotenberg has departed from his role as executive director of the Electronic Privacy Information Center.

General Counsel Alan Butler will serve as interim executive director, the organization announced yesterday.

Rotenberg is a longtime pillar of the Washington privacy policy world. The announcement doesn't cite a reason for Rotenberg's departure. But he faced intense criticism from employees for continuing to show up to work in early March after taking a test for the coronavirus that later came back positive, Protocol's Issie Lapowksy reported last week. 

The board is still looking into the issue:


Coming up:

  • The R Street Institute will host a discussion on "EARN IT Act and Its Broader Implications for Encryption and Cybersecurity" on April 28 at 2 pm.

Have an event you want our readers to know about? Email tonya.riley@washpost.com.

Secure log off

Sen. Warner managed to generate controversy yesterday. But it wasn't about Russia. 

From MSNBC's Nick Ramsay:

You can watch the whole video on Instagram. But some viewers may find it disturbing. My colleague Laura Michalski:

Even Warner's communications director was trying to stay out of it.