Below: This week’s web attacks in Ukraine were the largest the nation has ever faced, and another cyber-focused lawmaker is retiring from Congress.

Election officials are in a money crunch

Election officials are facing a barrage of cybersecurity threats as the midterms approach.

But chances are slim that Congress will pitch in any money to help out.

Their wish list includes:

More cyber testing for election office computer networks.

Cyber training for election workers and volunteers.

Better physical security to ensure outsiders and rogue staffers can’t monkey with election machines so they’re unsafe to use.

That’s on top of money they need for a suite of non-cyber challenges, including replacing staff who’ve quit amid a wave of death threats against election workers, inspired by former president Donald Trump’s false claims of election fraud, as Mike DeBonis and Amy Gardner report.

Recent challenges

The money crunch is a common dilemma for election officials who’ve faced one crisis after another in recent years, including Russian interference in the 2016 contest, the coronavirus pandemic and disinformation campaigns about elections from foreign and domestic sources.

Congress has kicked in to help — including about $800 million for election security between 2016 and 2020 along with another $400 million to run safe elections during the coronavirus pandemic. But that’s only a fraction of what officials have said is necessary to make elections as secure as possible.

“When election officials don’t have sufficient funds to run elections, they have to make tough choices and the truth is those choices can adversely impact the accessibility and security of elections,” David Levine, an election integrity fellow at the German Marshall Fund’s Alliance for Securing Democracy, told me.

The big ask

Election funding proposals have ranged from $20 billion sought by Democratic election officials to a more modest request for $5 billion in the next budget cycle.

The Bipartisan Policy Center has suggested spending about $400 million annually on elections and focusing on ideas favored by Republicans and Democrats.

But bipartisan consensus is a long way off.

Most Democratic proposals link election security efforts with measures to make voting easier — which Republicans oppose. Republicans, who’ve generally been skeptical of federal funding for elections, aren’t keen on pitching in more money regardless.

Sen. James Lankford (R-Okla.), who pushed for election security funding before 2020, told my colleagues more money isn’t necessary now, pointing to about $435 million states haven’t spent yet. However, that money is mostly being held in reserve for future election machine purchases and won’t cover day-to-day security needs.

Some voting districts closed the gap before 2020 with funding from private sources, including about $300 million distributed through a nonpartisan, nonprofit group funded by Facebook founder Mark Zuckerberg and his wife, Priscilla Chan. But such outside funding is unlikely to be repeated this year, partly because of Republican claims the money was geared toward Democratic districts. The Center for Tech and Civic Life denies those claims and said the money was distributed to all districts that requested it.

Making strides

Election officials made significant progress closing the biggest cybersecurity gaps before 2020.

Top ticket items included replacing voting machines that lack paper ballots, which are easier to hack undetected, and increasing post-election audits to ensure hackers didn’t manipulate vote counting. (There's no evidence Russian hackers changed votes in 2016, but they hacked into voter rolls in at least two states and probed many other election systems.)

But states still have ongoing security needs, such as conducting regular cybersecurity audits and hiring cyber pros to assist when problems arise.

Trump lies

There are also a slew of new challenges that have popped up since 2020 — many of them prompted by widespread belief in Trump’s phony election claims.

Here are two big examples.

More voting machine monitoring: A handful of local election officials have improperly accessed election machines since the 2020 contest, raising the specter of an insider making machines more vulnerable to hacking.

The most prominent of the officials, Mesa County, Colo., clerk Tina Peters, was spotted partly because of a series of security measures surrounding the machines. But those measures are applied unevenly among counties and many may want to ramp them up now, Levine told me.

Data from Mesa County machines later made its way to the Internet, raising questions about the security of the machines in future elections. Officials said the machines remain safe to use because of other protections.

Cyber safety for workers: Election workers have faced a series of attacks from some Trump supporters who baselessly accuse them of being complicit in fraud — many of which have involved publishing their personal information online in a process called doxing.

That’s increased the need for physical security protections. But election workers could also be helped by cyber training to help them better secure their personal information and make doxing harder.

The keys

Ukraine calls recent digital strike against government and bank websites the largest such attack in the nation’s history

The attack disrupted services by Ukrainian banking giant PrivatBank and also targeted the Defense Ministry’s website, Reuters’s Natalia Zinets reports. It comes amid a tense standoff with Russia that’s prompted fears of a physical invasion and more damaging cyberattacks.

“This attack is unprecedented, it was prepared in advance,” Deputy Prime Minister Mykhailo Fedorov said. “And the key goal of this attack is destabilization, it is to sow panic, to do everything so that a certain chaos appears in our country.”

Ukrainian officials suggested that Russia was responsible but stopped short of directly attributing the attack. “Today we know that the only country that is interested in such … attacks on our state, especially against the backdrop of massive panic about a possible military invasion, the only country that is interested is the Russian Federation,” said Ilya Vityuk, who leads the state security service’s cybersecurity department.

Context: The recent digital attacks come as the United States and allies accuse Russia of lying about withdrawing some of the 150,000 troops massed at the Ukrainian border.

Meanwhile, the U.S. government blamed Russia for hacking U.S. defense contractors. The attacks have been going on since at least the beginning of 2020, officials said. Hackers were able to stay in the firms’ networks for as long as six months and steal proprietary and sensitive information about weapons systems and other technologies used by the U.S. military. Cyberattacks on U.S. defense contractors are expected to continue in the “near future,” the NSA, CISA and FBI said.

Another cybersecurity-focused lawmaker is retiring

Rep. Kathleen Rice (D-N.Y.) is the 30th House Democrat who has announced that she is retiring, Daniela Santamariña and Dave Clarke report. Rice, a former prosecutor, is a member of the House Homeland Security Committee’s cybersecurity subcommittee who has represented New York’s 4th Congressional District since 2015. There are also 13 Republicans who’ve announced plans to leave Congress, bringing the total number of retirements to 43.

Rice has introduced a handful of cybersecurity bills, including legislation to assess cyberthreats to election infrastructure. Alongside Rep. John Katko (R-N.Y.) — who is also leaving Congress — Rice introduced legislation that would have required House members and employees to participate in annual cybersecurity training sessions.

Rice joins at least four other cybersecurity-focused lawmakers who have announced plans to not run for reelection so far this year. The list includes cyber heavyweight Rep. Jim Langevin (D-R.I.).

Clearview AI says it’s on track to collect 100 billion face photos within a year

The controversial facial recognition company is positioning itself for a major expansion — one that will be funded largely by government contractors and taxpayers who its systems would be used to monitor, Drew Harwell reports. Drew obtained a financial presentation by the company that said $50 million in investor money could help fund more data collection, new products, a bigger international sales team and more spending on lobbying policymakers to “develop favorable regulation.”

The trove of images collected by Clearview raises questions about cybersecurity and privacy. It could be a valuable target for hackers working for foreign governments or seeking a profit. And people can’t change faces like passwords if they’ve been stolen.

Clearview AI has built its database of images by taking photos from social media sites and other websites without the consent of those websites or the people photographed. Major sites like Facebook, Google, Twitter and YouTube have demanded that Clearview stop collecting photos and delete any that had previously been taken. The company has argued that its data collection is protected by the First Amendment.

Here are some highlights from the presentation, per Drew:

Clearview's tech roadmap: not just identifying you by your face, but your license plate, your location, your fingerprints and how you walk. (It's just research at this point, the company says; who knows whether it'll ever get deployed.) https://t.co/250YN8YOmN pic.twitter.com/sthyRib71p — Drew Harwell (@drewharwell) February 16, 2022

Clearview's "product expansion plan" goes way beyond police: scanning "gig economy" workers, verifying people's identities for banking, sending "real-time alerts" of "high-risk individuals" in stores and malls https://t.co/250YN8YOmN pic.twitter.com/HsXAJrzwdg — Drew Harwell (@drewharwell) February 16, 2022

Chat room

Were the recent website-overwhelming attacks in Ukraine actually underwhelming because they were technically simple and produced few long-term effects? Here’s a good analysis from Mandiant threat intelligence lead John Hultquist:

DDOS and SMS spam designed to undermine Ukraine's financial systems isn't that different from turning off the lights to undermine confidence in basic services. Don't fixate on technical complexity. Nerds aren't the audience. — John Hultquist (@JohnHultquist) February 16, 2022

I don't want to overemphasize this incident either. It probably wasn't that impactful. But judging it by its technical merits rather than its psychological effects or the intended psychological effects misses the point of these tools entirely. Perception, perception, perception. — John Hultquist (@JohnHultquist) February 16, 2022

Global cyberspace

Prosecutors ask not to delay Netanyahu trial despite acknowledging witness hacking

Israeli police hacked a phone belonging to Shlomo Filber, a witness in former prime minister Benjamin Netanyahu’s corruption trial, but didn’t pass along any hacked data to the prosecution, prosecutors say, Haaretz’s Chen Maanit reports.

“So far, no evidence has been found that the police used the spyware without a warrant, but in certain cases the hacking has been found to exceed the limitations in the warrants,” Maanit writes.

Daybook

CISA Director Jen Easterly, Deputy Attorney General Lisa Monaco, Department of Homeland Security Under Secretary for Strategy, Policy and Plans Rob Silvers and FBI Deputy Assistant Director Tonya Ugoretz speak at the Munich Cyber Security Conference, which begins today at 8 a.m.

The U.S.-China Economic and Security Review Commission meets to discuss China’s cyber capabilities today at 9 a.m.

The Aspen Institute hosts an event previewing what cyber conflict over Ukraine might look like on Friday at 2 p.m.

Philip Lockwood, NATO deputy head of innovation, discusses NATO’s technological innovations at an event hosted by the German Marshall Fund of the United States on Feb. 23 at 9 a.m.
