The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Another 2020 election denier will be on November’s ballot

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Welcome to The Cybersecurity 202! Architect Frank Lloyd Wright was born on this day in 1867. If you’re in the D.C. area, the Fallingwater house in southwest Pennsylvania that he designed is a wonderful day trip. Here’s a great song (partly) about his work by Conor Oberst

Below: Congress asked the Justice Department about updating a major hacking law, and a Spanish judge will go to Israel to seek an interview with a top NSO executive. 

GOP voters have chosen a second election-denying candidate to oversee elections

Last night, Audrey Trujillo became the latest 2020 election denier to win her party’s nomination to oversee a state’s elections. 

The New Mexico Republican is part of a wave of candidates beholden to conspiracy theories about election hacking and fraud who are seeking to lead elections in more than a dozen states — including in many states that were decisive in President Biden’s victory.

The candidacies are a stark contrast from decades during which Republican and Democratic election officials steered clear of partisan conspiracy theories and were largely on the same page about election security and how to fairly determine who won and who lost. 

The danger

If they’re victorious in November, election watchers fear, these candidates could disregard or intentionally violate security measures. They could also refuse to certify legitimate results or spread unfounded doubt if their preferred candidate loses.

  • “If they’re continuing to maintain the 2020 election was stolen or rigged after everything we’ve seen from intelligence agencies and election officials, it’s fair to ask if they’d be willing to bend or break the rules when they’re overseeing elections,” David Levine, elections integrity fellow at the Alliance for Securing Democracy, told me. 

Trujillo has been outspoken in her baseless criticism of the 2020 contest. She has called Biden’s 2020 election victory a “coup” and compared U.S. voting systems to “any other communist country like Venezuela or any of these other states where our elections are being manipulated,” per the New York Times.  

In fact, federal and state election officials declared the 2020 election the most secure in U.S. history — largely because of enhanced cybersecurity protections and a shift to paper ballots that can’t be altered by hackers. 

Trujillo’s Twitter account also posted tweets mocking Mexicans and suggesting Jews played a nefarious role in developing coronavirus vaccines, per the Albuquerque Journal

Trujillo, who was unopposed for the nomination, is essentially the second election denier to win her party’s nomination as secretary of state. 

  • Michigan Republican Kristina Karamo won the endorsement of GOP state leaders last month to be the party’s nominee for secretary of state in November. Karamo has echoed former president Donald Trump’s false election fraud claims and attended rallies aligned with the fringe QAnon conspiracy group.

Election denier Doug Mastriano also won Pennsylvania’s gubernatorial primary, which will allow him to appoint that state’s top election official if he wins in November. He’s said he’ll appoint someone who will require all of the state’s residents to re-register to vote. And there's more:

  • Big secretary of state primary fights featuring election deniers are also coming up in Arizona and Colorado. Less prominent races are taking place in Alabama, Arkansas, Kansas, Minnesota and Massachusetts.
  • On the extreme end: Colorado secretary of state candidate Tina Peters (R), has already been indicted on a charge of endangering the security of election machines after the 2020 election. As clerk of Mesa County, Colo., Peters allegedly allowed an unauthorized third party to secretly copy election equipment hard drives. She’s been barred from overseeing the county’s 2022 elections.
  • It gets weirder: On the most extreme end, Wisconsin Republican Jay Schroeder is running for secretary of state claiming the 2020 election was illegitimate — even though the Wisconsin secretary of state doesn’t oversee elections. Schroeder argues he’ll assume responsibility for elections and then reform them.

Election deniers haven’t all had an easy path to the nomination. In the most closely watched race so far, incumbent Georgia Secretary of State Brad Raffensperger (R) easily bested primary challenger Jody Hice, winning by about 18 points. 

Raffenspger had become a top target for election deniers after he insisted Biden’s victory in the state was legitimate and resisted Trump’s demands to “find” enough votes to reverse his defeat. Trump endorsed Hice in the race. 

  • A 2020 election denier John Adams lost Ohio’s secretary of state GOP primary to incumbent Frank LaRose by more than 30 points last month.
  • Rachel Hamm, a longshot GOP secretary of state candidate lost decisively in last night’s open California primary. Hamm won about 11 percent of the vote compared with 59 percent for incumbent Democrat Shirley Weber and 19 percent for Republican Rob Bernosky.
General election

Even if they’re nominated, some election deniers will face long odds in November

Trujillo, for example, will go up against incumbent Democratic Secretary of State Maggie Toulouse Oliver, who won her 2018 general election race by a 20-point margin. 

But a long political race focused on wild and baseless conspiracy theories and sowing doubt about election protections may do damage enough to the public’s faith in election security — which has already been driven down by 2020 election fights.

“What we’ve seen to date is election officials across the country and across the political spectrum that support evidence-based practices, that support the security of elections, that see their job as ensuring election outcomes reflect the will of the voters. You can no longer take that to the bank,” Levine told me. 

The keys

A Spanish judge will go to Israel to question NSO Group’s chief executive

Judge Jose Luis Calama’s investigation comes after revelations that some Spanish government officials’ phones were targeted with NSO’s Pegasus spyware. But it’s not clear when the testimony will occur or if NSO chief executive Shalev Hulio will even answer Calama’s questions, Reuters’s Emma Pinedo and Christina Thykjaer report.

The investigation marks one of the most prominent efforts by a government to seek official information about use of NSO spyware. An investigation by The Washington Post and 16 media partners last year found that Pegasus was used to target dozens of phones belonging to activists, journalists and executives across the world. The U.S. government later barred NSO from using most U.S. technology.

  • Dozens of citizens of Spain’s autonomous Catalonia region were also targeted with Pegasus, according to researchers from CitizenLab who pointed to Spain as a potential culprit. Last month, Paz Esteban, Spain’s intelligence chief at the time, reportedly told lawmakers that a court authorized some spying on Catalan separatists. Days later, Esteban resigned.

NSO told Reuters that it “operates under a strict legal framework, and is confident that this will be the result any government inquiry will reach.” The company didn’t say whether Hulio would answer Calama’s questions.

The pressure on NSO from Spain comes as details about the company’s precarious financial situation continue to trickle out. Lawyers representing some of NSO’s creditors — including Swiss bank Credit Suisse and hedge fund Senator — pressed for the company to sign new clients, the Financial Times’s Kaye Wiggins, Ortenca Aliaj and Mehul Srivastava report

  • Credit Suisse and Senator didn’t respond to the FT’s request for comment. 
  • NSO said it still gets “new business” after doing “a rigorous due diligence process.” It has also “terminated 10 customers in recent years based on credible allegations or verification of abuse,” the company said.

Congress asked the Justice Department about reworking a major anti-hacking law

The Justice Department ended up finding that changing the Computer Fraud and Abuse Act to exempt good-faith cybersecurity researchers would be difficult and could have unintended consequences, SC Media’s Derek B. Johnson reports.  

The department feared new legislative language could backfire by creating loopholes that would make it tougher to prosecute malicious hackers, Johnson reports. Instead, the Justice Department last month announced that it would use its prosecutorial discretion to not go after “good faith” researchers trying to identify security flaws that fell afoul of the 1986 law. 

That explanation is sure to raise hackles among many cyber researchers who say the outdated law has chilled legitimate research. Companies can still sue hackers, and prosecutors can charge them under state laws. Hackers have been routinely silenced by legal threats, and civil suits and criminal referrals have been used to silence researchers, my colleague Joseph Menn reported last month.

Government officials to testify about threats to election workers next week

Their testimony comes as election officials around the country increasingly face threats of violence, intimidation and digital harassment — often spurred by misinformation about election fraud and tampering with voting machines. 

Officials from the Justice Department and CISA will testify before the Senate Judiciary Committee on Tuesday morning, the committee said. Election officials have been under rising threat for years, especially in the wake of Trump’s attacks on the integrity of the 2020 election.

  • The Department of Homeland Security is warning that “continued proliferation of false or misleading narratives regarding current events could reinforce existing personal grievances or ideologies, and in combination with other factors, could inspire individuals to mobilize to violence,” Bloomberg Government’s Ellen M. Gilmer reports. - 
  • Threats against election workers and candidates for office will probably increase by November, DHS said.

Government scan

EXCLUSIVE: U.S. Government Ordered Travel Companies To Spy On Russian Hacker For Years And Report His Whereabouts Every Week (Forbes)

Fraud and Identity Theft Trial to Test American Anti-Hacking Law (New York Times)

Global cyberspace

US: Chinese govt hackers breached telcos to snoop on network traffic (Bleeping Computer)

Smartphones blur the line between civilian and combatant (WIRED)

The U.S.-Russia conflict is heating up — in cyberspace (David Ignatius)

UK financial regulators to directly oversee cloud services (Reuters)

Cyber insecurity

FBI takes down dark web marketplace for U.S. citizen personal data (CyberScoop)

Decentralized crypto exchange offline after hacker steals $113 million (Motherboard)

Investor sues the Winklevoss twins’ troubled crypto business over security failures (The Verge)

The government is finally tackling ransomware. More work remains. (Editorial Board)

Industry report

Apple Just Killed the Password—for Real This Time (Wired)


  • Commodity Futures Trading Commission Chair Rostin Behnam and Sens. Kirsten Gillibrand (D-N.Y.) and Cynthia M. Lummis (R-Wyo.) discuss the future of cryptocurrency regulation at a Washington Post Live event today at 9 a.m.
  • The House Armed Services Committee’s cybersecurity subcommittee discusses the annual defense authorization bill today at 10 a.m.

Secure log off

Thanks for reading. See you tomorrow.