Good morning! Here at The Cybersecurity 202, we regard journalism as critical infrastructure.

Below: Syniverse says it was hacked and two senators propose an overhaul of cybersecurity regs.

Pennsylvania’s election audit doesn’t have to be suspicious

Pennsylvania is barreling toward a hyperpartisan, divisive election audit, not unlike the one in Maricopa County, Ariz.

But there’s a way to carry out an ethical audit, election experts say. Just look at how New Hampshire did it.

Verified election experts, a transparent process and bipartisan support marked a recent audit conducted in New Hampshire after a discrepancy in a state legislative race. That audit serves as an example of a bipartisan, “ethical” audit, antithetical to the one carried out in Maricopa County, said David Levine, an advisory committee member for the Global Cyber Alliance’s Cybersecurity Toolkit for Elections.

“[New Hampshire] brought in some genuine election experts who understood election security and integrity, and then they conducted a very transparent bipartisan process that was spurred on by bipartisan-supported election legislation,” Levine said.

Forensics or fishing?

One of those experts who conducted the New Hampshire audit was Philip Stark. Stark calls the Maricopa County audit a “fishing expedition,” in contrast to New Hampshire's “forensic audit” that engendered widespread public confidence in the process.

“The New Hampshire audit was a forensic audit in the sense that there was a known problem,” he said. “That’s not what happened in Maricopa. There was no evidence that anything was wrong.” 

Another key difference: Maricopa County sought help from Cyber Ninjas, a cybersecurity firm with no election experience that emerged from obscurity to conduct the election review. Arizona's Senate president rejected an offer of help from election security experts who had previously worked for Clear Ballot Group, a Boston-based election integrity group.

“One of the things that’s been difficult about the 2020 election cycle is you’ve seen people capitalize on the lack of knowledge about certain election intricacies and manipulate election information in a way to be politically beneficial,” Levine said. “Cyber Ninjas encapsulates that to some extent. This is a group that did not have election audit experience.”

The group of auditors that conducted the New Hampshire audit did have political affiliations. 

  • But it was a multi-partisan group of Democrats, Republicans, independents and the politically unaffiliated, Stark noted. The auditors included himself, Harri Hursti and Mark Linderman, all of whom are respected election experts in the political community.
  • In contrast, Cyber Ninjas had no prior election auditing experience, and the owner has been caught tweeting support for pro-Trump election conspiracy theories.

“The people who were doing it [in Maricopa County] … they had an ax to grind,” Stark said. “They decided there was fraud, and they said, ‘let’s go find it,’ instead of saying, ‘here’s the evidence, here are the artifacts generated by the election. Can we figure out whether the answer is right?’”

How to do it

Verified Voting, a group that focuses on how technology affects elections, published a report on best practices for election tabulation audits. The list includes: 

  • Examining paper ballots.
  • Full transparency on the procedures and how long it will take.
  • Proper chain of custody for the equipment.
  • Distribution of responsibility.

“A responsible post-election assessment is also not giving voter records to third parties, which creates at least two vectors for voter impersonation attacks,” said Gregory Miller from the OSET Institute, a group that develops public election technology.

Most important: Election experts say the best way to halt the spread of distrust is to ensure best practices and instill trust in election officials – before elections ever take place.

“There shouldn’t be a huge motivation to do these post-election assessments and call them audits or forensic or whatever … if we trust our election officials,” said John Sebes from OSET Institute. “If we don’t trust our election officials … that’s conspiracy theory. Not much you can do about that.”

One-sided

The election audit in Arizona, and another one being carried out in Wisconsin, haven't received bipartisan support.

Now, Pennsylvania Republicans are moving toward a similar review. Senate Republicans are in the process of subpoenaing election data, even as their Democratic counterparts protest.

“All aspects of the certified 2020 election have been thoroughly reviewed and adjudicated in the courts with no findings of irregularities or fraud,” Pennsylvania Senate Democrats countered in a statement.

And, it's not just about Pennsylvania. If the state follows the audit through to its end, it could represent a victory for Trump backers and a defeat for Democrats and election officials who are trying to stop the spread of such audits. The state's audit is part of a larger fight over whether Americans will trust future elections – even if their preferred candidate doesn't win.

Miller said that conducting an audit review a year after an election is unprecedented.

“The challenge we have here is that it appears that there’s one political movement in this country that’s working hard to sow seeds of massive distrust as we race toward 2022,” he said.

The keys

Peters, Portman unveil bill to overhaul federal government’s cybersecurity

The Senate Homeland Security and Governmental Affairs Committee will discuss the legislation on Wednesday. It would be the first change since 2014 to the law that lays out rules for federal government IT and cybersecurity.

The bill, introduced by chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), lays out reporting requirements for federal agencies that are breached, gives the Cybersecurity and Infrastructure Security Agency additional authorities and details a host of other cybersecurity provisions.

A major telecom company says it was hacked

Syniverse, which routes billions of text messages annually, said it was breached, Motherboard’s Lorenzo Franceschi-Bicchierai reports. The company provides its services to major phone carriers worldwide. It said it discovered the breach in May, but the cyberattack began in 2016.

Syniverse said in a Securities and Exchange Commission filing that an unknown “individual or organization gained unauthorized access to databases within its network on several occasions,” and that log-in information allowing access to its systems was compromised for around 235 customers. The company declined to answer questions from Motherboard about the breach.

Sen. Ron Wyden (D-Ore.) is calling for the Federal Communications Commission to “get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.” Wyden noted that “the information flowing through Syniverse’s systems is espionage gold.” 

Lawmakers are calling for a new process to determine the definition of ‘critical infrastructure’

A new bill would give CISA Director Jen Easterly a road map for determining “systemically important critical infrastructure.” The bill by the top Republican on the House Homeland Security Committee, Rep. John Katko (R-N.Y.), and Rep. Abigail Spanberger (D-Va.), will be introduced today. 

The bill’s introduction comes after a ransomware group that targeted an Iowa agricultural cooperative insisted that it was not “critical infrastructure.” It follows a similar proposal by the bipartisan Cyberspace Solarium Commission, which wanted Congress to direct the executive branch to define “systemically important critical infrastructure.” 

But there are “distinct differences” between the bill and the commission's proposal, a committee aide said. Unlike the commission's proposal, it wouldn't identify risk-based standards for owners and operators. But the bill would prioritize CISA resources for owners and operators of systemically important critical infrastructure.

Privacy patch

Industry report

  • Former CIA official Jerry Sussman and Ted Chiodo, an Obama White House aide, have founded cybersecurity firm LangleyCyber.

Daybook

  • CISA chief of staff Kiersten Todt and FBI Deputy Assistant Director Tonya Ugoretz speak at the two-day Uniting Women in Cyber 2021 event, which begins today.
  • The Center for Democracy and Technology hosts an event on the Patriot Act today at noon.
  • The R Street Institute hosts an event on diversity in cybersecurity today at 1 p.m.
  • CISA Director Jen Easterly speaks at a Washington Post Live event today at 3 p.m.
  • Top U.S. cybersecurity officials speak at the Mandiant Cyber Defense Summit today.
  • Easterly and others speak on the first day of CISA’s four-week Annual National Cybersecurity Summit on Wednesday.
  • Top U.S. officials and lawmakers participate in the Aspen Cyber Summit on Wednesday.
  • The Senate Commerce Committee holds a hearing on data security on Wednesday at 10 a.m.
  • U.S. cybersecurity officials speak at the U.S. Cyber Challenge Awards Program and Cybersecurity Summit on Wednesday at 1 p.m.
  • The Center for Strategic and International Studies hosts an event on sixth-generation network standards on Wednesday at 3 p.m.
  • Homeland Security Secretary Alejandro Mayorkas, Easterly and other top U.S. government officials speak at the three-day Billington Cybersecurity Summit, which begins Wednesday.
  • European cybersecurity officials speak at Kaspersky’s EU Cyberpolicy Forum on Thursday at 5 a.m.
  • Silicon Flatirons hosts an event on encryption on Thursday at noon.
  • The House Oversight and Reform Committee holds a hearing on the partisan election review in Maricopa County on Thursday at 10 a.m.
  • Lawmakers and cybersecurity officials speak at a National Cyber Security Alliance event on Thursday at noon.

Secure log off

Thanks for reading. See you tomorrow.