With help from Eric Geller, Mary Lee and Martin Matishak
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.
— A Senate Intelligence panel’s election security report spurred demands for legislation, although Republicans have foiled Democrats’ recent floor maneuvers.
— The top man at the DHS Cybersecurity and Infrastructure Security Agency discussed vulnerability disclosure, voting machine testing and encryption.
— Governors in New York and Louisiana have taken some rarely seen steps in cyberspace this week.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Wow, yesterday’s plea for arty 70s rock suggestions netted a lot of ideas. It’ll take your MC host some time to work through it. Please send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
SSCI: EPISODE I — The Senate Intelligence Committee on Thursday issued volume one of what will be five reports on Russia’s efforts to interfere in the 2016 presidential election. Similar to previous reports on election security, including from former special counsel Robert Mueller, the first chapter found that the U.S. election infrastructure was unprepared for attacks in 2016 and offers proposals to shore up the system ahead of 2020.
While the report itself didn’t contain much new information, it did set off a fresh round of calls for more election security legislation and investments. Sen. Kamala Harris (D-Calif.), an Intel panel member and a 2020 contender, urged her colleagues to confront foreign interference, including “encouraging state and local governments to audit and replace outdated voting systems, providing states with the funding they need to modernize their election infrastructure, and requiring paper ballots in all federal elections.”
However, Sen. Ron Wyden (D-Ore.) — who received a lengthy “minority views” section of the 67-page report — wrote he couldn’t back the document because it didn’t support a greater federal role in elections. “We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army. That approach failed in 2016 and it will fail again.”
Meanwhile, DHS’ Government and Sector coordinating councils issued a joint statement touting the steps they’ve taken since 2016 and their preparations ahead of 2020. “The 2018 midterm elections saw unprecedented levels of coordination between all levels of government and the private sector election companies, and the 2020 election will improve on that effort,” the groups said in a statement.
CYBER POTPOURRI WITH CHRIS KREBS — A coordinated vulnerability disclosure program for the election technology industry is a good idea, CISA Director Chris Krebs said Thursday. “CVD is … a fundamental security and resilience feature for any industry,” Krebs told reporters after speaking at Fordham’s International Conference on Cybersecurity in New York. As Eric recently reported, major voting vendors have been discussing the idea of creating such a program. Krebs said the project has been discussed within the government-industry coordinating body for elections. “CVD’s a good thing,” Krebs said. “You find something, there needs to be a process that folks can report, and coordinate the patching, and make sure that things are done in the right way.”
Krebs also talked up Idaho National Laboratory’s new voting system test program. “The thought of doing that sort of work a year ago [would have been] kind of shocking,” he said. But today, “pretty much all” of the major vendors are participating, and the lab has either already reviewed their equipment or made plans to do so. “For the next generation of equipment,” Krebs said, “it’s going to be better off than the current generation.”
During the gaggle, Krebs briefly touched on encryption but largely shied away from the kind of critical rhetoric heard recently from Attorney General William Barr and FBI Director Christopher Wray. He also discussed CISA’s consultations with officials in Taylor County, Texas, which caught extensive flak recently for planning to buy new paperless voting machines. “I don’t know where that’s going to end up ultimately,” he said. He noted, however, that the machines could be reinforced with paper-trail attachments and that the county hadn’t bought equipment yet. “The deal’s not done,” he said. “We continue to engage with everybody.”
BANGING THEIR HEADS AGAINST THE WALL — Five times in the past two days, Democrats have tried to quickly advance election security bills on the Senate floor, only for Republicans to block them. It’s a campaign that Democrats have been waging periodically in recent months, and one they stepped up in coordination with Mueller’s House testimony Wednesday. Two of the rejected bills brought up Wednesday (S. 1562, S. 1247) would require campaigns to notify government authorities if foreigners offer financial or other assistance. The third (S. 890) would allow the Senate sergeant-at-arms to provide voluntary cybersecurity aid for senators’ and staffers’ personal devices.
Democrats also tried on Thursday to pass S. 1247 again, as well as the House-passed SAFE Act (H.R. 2722), which would require paper ballots and post-election audits and authorize more than $1 billion for election security-related expenses. Although Republicans didn’t explain their objection Wednesday, Senate Majority Leader Mitch McConnell (R-Ky.) accused Democrats of trying to score political points; Schumer said Mueller’s warnings about future election interference demanded action. Also Thursday, a pair of top Democrats criticized the White House for apparently lacking an official to coordinate interagency election security efforts.
ONE STEP FORWARD — The House Oversight Committee approved a bipartisan bill, S. 406, on Thursday that would create a program to allow cybersecurity professionals to move from one civilian federal agency to another to sample other jobs. The measure, introduced by Sen. Gary Peters (D-Mich.), would also require agencies to determine which cyber positions should be available for the rotations and report those positions to the Office of Personnel Management. The rotational program would sunset five years after the bill’s enactment. The measure advanced by voice vote.
LABORATORIES OF DEMOCRACY — New York Gov. Andrew Cuomo on Thursday signed two data breach bills into law. The most prominent, the SHIELD Act, has ramifications for all companies: It would require breach notifications by businesses outside New York if a breach affects state residents. It also would expand the scope of information requiring notification and mandate notices when information is “accessed” rather than just “acquired,” as the old law dictated. The second bill orders credit reporting agencies to provide identity theft prevention and notification services in the event of a breach.
Also this week, Louisiana Gov. John Bel Edwards declared an emergency over a ransomware outbreak affecting the state’s schools. So far the state is coordinating with the FBI, and the declaration allows the National Guard, State Police and others to deploy resources. “The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since,” Edwards said. “This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.”
TWEET OF THE DAY — A prime example of disinformation.
RECENTLY ON PRO CYBERSECURITY — Krebs said states need to adopt paper ballots. … The House Oversight panel voted to subpoena White House officials’ communications via private emails and messaging apps, citing concerns that they violate federal record-keeping laws. … Check Point found mobile malware on the rise and cryptomining on the decline in the first half of the year. … “EU urges U.S. to cooperate on standards to rein in China.” … Ericsson CEO Börje Ekholm talked 5G security and more in a Q&A.
— “US company selling weaponized BlueKeep exploit.” ZDNet
— Motherboard has a guide on how to get Equifax settlement money.
— CyberScoop has more details on an NSA cyber directorate.
— President Donald Trump appeared next to a phony U.S. seal altered to include Russian elements. CNN
— Hacker Phineas Fisher denied being involved with the Kremlin. Motherboard
— The Cyber Tech Accord added some more members.
— A virus affected Johannesburg residents’ ability to buy electricity. SowetanLIVE
— FormGet exposed documents. TechCrunch
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee); Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).