with Aaron Schaffer

Chris Krebs, who led the federal government’s election security efforts during the Trump administration, yesterday lit into elected Republicans who are still contesting the former president’s defeat. 

“This is a power play and this is about fundraising and that’s all this is,” Krebs told my colleague Ellen Nakashima during a Washington Post Live interview

Shame on those that continue to push the ‘big lie,’” he said, referring to baseless claims that Trump won the election. 

The comments are among the harshest from a former Trump administration official about the continuing efforts to call Joe Biden’s victory into question through dubious and partisan audits in Arizona and elsewhere. 

They reflect a growing frustration among officials who spent years ensuring the election was as secure as possible. They're upset the 2020 results are being called into question by people with little or no experience in election security and audits. 

In Maricopa County, Ariz., officials conducted two rigorous audits that verified Biden’s victory there. But the GOP-controlled state Senate commissioned yet another audit against the county’s will. The firm leading the audit, Cyber Ninjas, has no auditing experience and its CEO has spread pro-Trump conspiracy theories. Not surprisingly, the result has been a slew of unforced errors and cybersecurity flubs. 

Yet officials are pursuing similarly partisan audits in Pennsylvania, Wisconsin and elsewhere. 

There are certified, approved audit processes out there. … It's not like audits just fell off the back of a turnip truck,” Krebs said. “We need more of them, in fact, but with a transparent methodological process, not what is happening in Arizona and is threatening to spread to other states.”

Krebs’s former agency, the Cybersecurity and Infrastructure Security Agency, helped numerous states shift to more secure election systems with voter paper trails and installed hacking sensors on voting systems across all 50 states. Trump fired him by tweet in November for stating that the election results were legitimate. 

Since leaving office, Krebs has warned that the nation needs a far more vigorous cyber defense. 

During his conversation with Ellen, he endorsed congressional efforts to require firms in critical sectors to report to the government when they’re hacked. 

A bill that’s working its way through Congress would impose such requirements on firms in 16 industries the government deems critical infrastructure, such as energy and chemical firms, airports and water utilities. The bill, sponsored by Sens. Mark Warner (D-Va.), Marco Rubio (R-Fla.) and Susan Collins (R-Maine), would also impose those requirements on government contractors and cybersecurity firms. 

Krebs also urged the government to do more to punish Russia and China for hacks against U.S. infrastructure, which has emerged as a top national security issues following a major Russian hack against SolarWinds, a software supplier, that enabled the theft of troves of data from U.S. government agencies, and the Chinese hack of Microsoft Exchange. 

As one way of punching back against China, he suggested imposing sanctions and other restrictions against Chinese firms that benefit from intellectual property and trade secrets that Chinese government hackers steal from foreign firms. 

If China wants to be a full-blown member of the World Trade Organization and participate in the global market, there have to be consequences and repercussions for behaving badly,” he said. 

Krebs now runs a consulting firm with former Facebook security executive Alex Stamos. 

Krebs also floated the idea of splitting up the Department of Homeland Security, CISA’s parent agency. 

Specifically, Krebs suggested dividing the parts of DHS that focus on domestic security and resilience – such as CISA, the Transportation Security Administration and the Federal Emergency Management Agency – from agencies that are focused on immigration and border security, such as Customs and Border Protection and Immigration and Customs Enforcement. 

Such a split would place CISA in a more narrowly focused department with agencies it already cooperates with regularly. CISA and TSA are working together now on a program to impose mandatory cybersecurity requirements on pipelines in the wake of the Colonial Pipeline ransomware attack, which could become a model for other critical infrastructure sectors if Congress gives the government broader authority.

A split like that would have an added benefit of separating CISA’s work, which is almost entirely politically neutral, from DHS’s immigration enforcement work, which has been a partisan lightning rod – especially during the Trump administration.

Such ideas have been floated several times for the department that was famously scraped together from different parts of the federal government after the Sept. 11, 2001, terrorist attacks. 

“Does DHS reflect our current national security priorities?” Krebs said. “I think a rational evaluator [or] analysts could say it doesn't.” 

The keys

A bipartisan infrastructure deal is packed with cybersecurity projects.

The deal includes cybersecurity provisions aimed at boosting the security of the electric grid, rural and municipal gas and electric utilities, and other critical infrastructure, according to a summary of the agreement obtained by CNN. The bipartisan infrastructure package cleared a key hurdle toward adoption on Wednesday, but many potential roadblocks remain.

Cybersecurity experts praised the legislation. Guidehouse’s Danielle Jablanski:

The Biden administration raised concerns about NSO Group spyware with Israeli officials.

The conversations were prompted by reports by The Washington Post and 16 media partners that revealed that the company’s Pegasus spyware was used to target journalists and human rights activists, three people familiar with the matter tell Drew Harwell and Shane Harris. A senior administration official confirmed that U.S. officials raised concerns over the matter but declined to provide details.

NSO Group continues to face scrutiny outside the United States. The French government has found traces of Pegasus on a French journalist’s phone, Pegasus Project partner Le Monde reports. The French government is also investigating the phone of Finance Minister Bruno Le Maire to determine if it was infected with Pegasus, Reuters reports

NSO has repeatedly disputed Pegasus Project reports.

It takes too long for the government to hire cybersecurity professionals, lawmakers say.

House lawmakers are focusing their ire on Homeland Security's Cybersecurity Talent Management System, FCW’s Natalie Alms reports. The system took years to go online as DHS tried to hire more cybersecurity professionals.

“That's too long,” said Max Stier, the president and CEO of the Partnership for Public Service. “You can't wait seven years for this kind of action.”

Rep. Andrew R. Garbarino (N.Y.), the top Republican on the House Homeland Security Committee’s cybersecurity panel, also blasted the agency's human resources delays, but noted that he was “pleased” by CISA Director Jen Easterly’s commitment to make them a priority.

Hill happenings

Securing the ballot

Industry report

Daybook

  • Deputy national security adviser Anne Neuberger speaks at the Aspen Security Forum on Aug. 4.
  • CISA Director Jen Easterly and Homeland Security Secretary Alejandro Mayorkas speak at the Blackhat hacking conference on Aug. 5.

Secure log off