The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The battle for election security funding is back

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! I hope you're getting ready for the last official summertime weekend. Take a walk outside. Have a drink on a patio. 

Below: A cybersecurity lawyer was indicted for allegedly lying about his connection to Hillary Clinton's campaign and hackers stole the data of more than a million people who took coronavirus tests. 

Democratic election officials seek a funding infusion

Election officials scrambled to successfully manage the 2020 election amid a global pandemic, threats of foreign interference, and federal funding that arrived sporadically and sometimes too late to be helpful. 

Now they're pressing Congress for a $20 billion cash infusion to prepare for a new set of threats — some sparked by baseless claims by former president Donald Trump that Joe Biden's victory was illegitimate. 

At the top of the list: Physical security protections for polling places and poll workers, including personal security for election officials who continue to face threats of physical harm months after the race was called in Biden's favor. 

“It’s often cheaper to do physical security than cybersecurity, but it’s also a need that’s increased since 2020,” Colorado Secretary of State Jena Griswold (D), told me. “We recognize this is a quickly growing threat and unfortunately we expect it to grow further.”

Price tag

Griswold is the chairperson of the Democratic Association of Secretaries of State. She was one of 14 top state election officials — all Democrats — who wrote to House Speaker Nancy Pelosi (D-Calif.) and Senate Majority Leader Chuck Schumer (D-N.Y.) this month advocating for $20 billion in election security money, spread out over 10 years, to be included in the Democrats' mammoth reconciliation bill.

That letter puts the total cost of getting election systems up to snuff at $53 billion over the next decade. 

Big ticket items in addition to physical security include:

  • Improved cyber protections
  • Equipment upgrades
  • Maintaining well-trained election staff

Pelosi and Schumer's offices didn't respond to requests for comment. 

The hefty price tag is a result of underfunding of elections for more than a decade before 2016, Griswold said. 

The last major federal contribution came in the wake of the disputed 2000 election. That largely funded paperless electronic machines that reduced uncertainty about which candidate voters intended to pick. But it raised cybersecurity risks because there was no paper record to test whether that choice was altered by hackers. 

“We’re dealing with a spike of new threats to elections and that requires more funding,” Griswold said. “We have aging infrastructure and all voters need access to safe and secure elections.”

Deja vu

The letter effectively relaunches a fierce partisan battle over election funding that raged before the 2020 contest.

During that period, congressional Democrats pushed for up to $4 billion in election security funding paired with a slew of mandated security measures. Those included that states must have paper records for all ballots and conduct post-election audits to make sure hackers hadn't altered how votes were recorded. 

What they got, after battling with Republicans, was about $1 billion for election security and adapting to the coronavirus pandemic. Congress never attached any security requirements to that money, which Republicans said would encroach on state rights to run elections. 

The good news: The election came off without any evidence of significant foreign interference. And, even without mandates, Democratic and Republican state and local officials almost uniformly embraced the most important security measures. Roughly 95 percent of votes were recorded on paper in 2020 compared with 80 percent in 2016. 

But that kind of unity may be a thing of the past. GOP state lawmakers in Arizona, Wisconsin, Pennsylvania and other battleground states have embraced Trump's baseless election fraud claims — most of which have been disproved by the very security measures touted before the 2020 election. 

Supporters of Trump's election conspiracy theories are also running for the top election official post in numerous states that Trump narrowly lost to Biden. 

“I think there’s a bigger divergence now. The ‘big lie’ is getting bigger,” Griswold said. 

The keys

A grand jury indicted a cybersecurity lawyer whose firm represented Hillary Clinton's campaign

The lawyer, Michael Sussmann, alerted the FBI in 2016 about suspicious Internet traffic between Trump’s company and a Kremlin-linked bank. He said he was working for an unnamed cybersecurity expert, but special counsel John Durham (appointed by the Trump administration to investigate the FBI's role in the 2016 presidential campaign) claims Sussmann was secretly working for the Clinton campaign, Devlin Barrett and Spencer S. Hsu report

Yesterday, Durham released a 27-page one-count indictment which “accuses attorney Michael Sussmann, a former federal prosecutor with expertise in computer cases, of having ‘lied about the capacity in which he was providing the allegations to the FBI’ by claiming he was not representing a client when he was secretly acting on behalf of Clinton’s political team,” Devlin and Spencer write.

Sussmann, who is an attorney at a prominent law firm tied to the Democratic Party, is scheduled to make an initial court appearance this morning. Ahead of the indictment, Sussmann’s lawyers insisted he hadn’t committed a crime.

“Michael Sussmann is a highly respected national security and cyber security lawyer, who served the U.S. Department of Justice during Democratic and Republican administrations alike,” his lawyers Sean Berkowitz and Michael Bosworth said in a joint statement.

Hackers stole sensitive information about more than one million people who got coronavirus tests in Paris last year

Hackers took the names, contact information and test results of about 1.4 million people, Radio France Internationale’s Sarah Elzas reports. The hack targeted a system that transmitted data to the national contact-tracing database, Paris’s public hospital system said.

Hospital officials have complained to France’s data watchdog, which is investigating the breach. It’s the latest in a wave of breaches of French hospitals and medical professionals during the coronavirus pandemic. In February, French investigators said they were looking into a leak of 500,000 patients’ personal data that included confidential health information. A separate breach led to the posting of 700,000 people’s coronavirus tests earlier this month, French media reported.

A hack of the web hosting firm Epik has exposed the people behind numerous far-right websites

Epik has provided services to several sites popular on the political Right, such as Parler, Gab and TheDonald, the Record’s Catalin Cimpanu reports. The hackers have leaked ownership, transaction and other data from several of those sites.

Three Epik customers whose data was included in the leak verified that the leaked materials were legitimate.

An Epik spokesperson denied being aware of a breach, though they said the company is “investigating the allegation.” Hackers defaced Epik’s support site after the company did not acknowledge the hack.

Cyber insecurity

Most Americans have doubts about their online security and privacy

Nearly two-thirds of Americans say their social media activity and data showing their physical location isn’t secure, according to an Associated Press-NORC poll, the AP's Matt O’Brien reports

Here are more poll results:

  • Around 70 percent of Americans said data privacy should be treated as a national security issue.
  • Around 80 percent said the federal government should push for harsher sentences for cybercriminals.
  • Around three-quarters said there should be national standards for companies’ data collection and the government should boost its cybersecurity investments.

Exclusive: Facebook targets harmful real networks, using playbook against fakes (Reuters)

Industry report

Cybersecurity firm Bitdefender released a tool to unlock computers targeted by ransomware group REvil

The tool works for all victims hacked before July 13, when the ransomware group abruptly disappeared, Bleeping Computer’s Lawrence Abrams reports. A “trusted law enforcement partner” collaborated with Bitdefender to create the tool, the company said.

REvil had been one of the most notorious ransomware gangs before its disappearance. The group has reemerged in recent weeks. REvil's ransomware infected hundreds of organizations in July through the hack of Kaseya, a company that provides IT software to its customers. In June, it hacked meat processor JBS, which paid $11 million in ransom.

Kaspersky received 105 government, law enforcement requests in H1 2021 (Security Week)

Government scan

Union wants Civilian Cyber Reserve proposal dropped from defense bill (NextGov)

Securing the ballot

Lawyer: Arizona Senate's 2020 election review out next week (Bob Christie | AP)


  • Rep. Jim Langevin (D-R.I.), Southern Company CEO Tom Fanning and others discuss cyber threats to critical infrastructure at a Carnegie Endowment for International Peace event today at 12:30 p.m.
  • Former Undersecretary of State Keith Krach and former U.S. Agency for International Development deputy administrator Bonnie Glick speak at a Center for Tech Diplomacy at Purdue event on semiconductors and supply chains on Sept. 21 at 9:10 a.m.
  • Homeland Security Secretary Alejandro Mayorkas, FBI Director Christopher A. Wray and National Counterterrorism Center Director Christine Abizaid testify at a Senate Homeland Security and Governmental Affairs Committee hearing on homeland security threats since Sept. 11, 2001, on Sept. 21 at 9:30 a.m.
  • Mayorkas, Wray and Abizaid testify before the House Homeland Security Committee on Sept. 22 at 9 a.m.
  • The Homeland Security and Governmental Affairs Committee holds a hearing on the national cybersecurity strategy and protection of federal and critical infrastructure systems on Sept. 23 at 10:15 a.m.

Secure log off

“Once I was young. But never was naive.” Thanks for reading. See you tomorrow.