By Joseph Marks
Voters in Columbia, Ga., on Oct. 16, 2018. (Melina Mara/The Washington Post)
The divide is largely along partisan lines. On one side, there's Iowa Secretary of State Paul Pate (R), the incoming president of the National Association of Secretaries of State, who balked at provisions in H.R. 1 that make it more difficult for states to impose voter ID requirements. Pate said in an email the For the People Act amounts to the federal government seizing authority over elections from states.
On the other side are Democrats who largely support those efforts to expand voter access and consider them a fair trade for more election security money.
“There’s a tension over H.R. 1 and whether or not it’s a federalization of elections,” one Democratic secretary of state told me at the NASS conference in Washington this weekend. “It is not. And anyone who claims that it is, that’s an overreach.”
House Democrats are eager to take on election security now that they are in the majority -- and included $120 million in their first bill of the session for states to upgrade outdated and vulnerable voting machines. Yet in the same bill they are also pushing voting priorities favored by Democrats and opposed by Republicans -- such as expanding automatic voter registration, restoring felons voting rights and making Election Day a national holiday. A divide among state officials, whose support is actually needed to implement the changes, underscores how the broader, partisan debate over the election priorities in the bill could make it harder to pass the much-needed security fixes.
The bill also includes other mandates more specific to election security -- including that states audit election results for signs of hacking and that those new machines use paper ballots rather than digital ones. These have also been controversial on their own among state officials -- most notably in Georgia -- who don’t like the federal government limiting their options.
Senate Majority Leader Mitch McConnell described the bill in a Washington Post op ed last month as “a sprawling proposal to grow the federal government’s power over Americans’ political speech and elections.” That doesn’t bode well for the voting security requirements getting through the Republican-controlled Senate.
The Secure Elections Act, the election security bill that came the closest to passing last Congress, had weaker mandates on election security and still never made it across the finish line. That was in the wake, of course, of the 2016 election, which was upended by a Russian hacking and disinformation operation.
There might be a better chance of passage this Congress, though, because Washington is concerned about the specter of a potential hacking operation from Russia or another adversary aimed at undermining the 2020 election, the Democratic secretary of state said. "You can’t take anything for granted in 2020,” the official said.
The Homeland Security Department, which helped state officials with cybersecurity testing and information sharing about cyber threats before the 2018 midterms, is also pressing hard for states to meet minimal security requirements before 2020.
Chris Krebs, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, is working with Congress on honing the election security provisions in the final draft of H.R. 1, he told reporters on the sidelines of the NASS conference. Krebs stopped short of endorsing all of the bill’s current security provisions, but said it had many “good elements.”
He also pushed back on claims of federal overreach on election security.
“I’m not aware of anyone in the federal government, particularly in the executive branch, who’s interested in taking over elections,” he said. “That’s a state-level responsibility and, as we’ve said all along, we’re here in support of state and locals.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
Christopher Krebs, then undersecretary of the Department of Homeland Security's National Protection and Programs Directorate, in Arlington, Va., on Oct. 19, 2018. (Evan Vucci/AP)
Our @CISAgov team trained over 100 communications leaders, managers, and dispatchers, evaluated wireless capacity coverage at ops centers and developed interoperable comms plans for local, state, and federal partners to support #TheBigGame.— Chris Krebs (@CISAKrebs) February 3, 2019
Brian Harrell, assistant director for infrastructure security at CISA, told CyberScoop that “we have always maintained our commitment to…providing federal resources and expertise during this highly visible, special security event,” even though the agency was hit by a funding lapse during the partial federal government shutdown.
Paul Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, on Capitol Hill in Washington on Jan. 29. (Aaron P. Bernstein/Bloomberg)
The Hawaii location is vital for gathering cyber threat data and other signals intelligence because the curvature of the earth affects how far certain signals can travel uninterrupted, McLaughlin reported. A station in the U.S. or Europe, by contrast, "could be far less effective at sweeping up clear digital information from the Pacific," she noted.
The center's location also makes it's easier to hire local people with useful language skills, Priscilla Moriuchi, director of strategic threat development at Recorded Future, told McLaughlin. “Having a facility where people are closer physically and timewise to the countries that they’re following in the Asia Pacific, it’s almost hard to understate that,” said Moriuchi, who is a former head of the NSA’s East Asia and Pacific cyberthreats office.
The Duke Energy Corp. coal-fired Asheville Power Plant in Arden, N.C., on Sept. 13, 2018. (Charles Mostoller/Bloomberg)
“Among the violations identified by NERC, Duke failed to protect sensitive information on its most critical cyber assets and allowed employees without proper clearances to access computerized records for more than four years, the documents say,” according to the Journal. “Duke also allowed contractors, employees and former employees without proper clearances to gain unescorted access to sensitive locations, like substations and computer server rooms, sometimes for many months.”
Jill Stein, former presidential Green Party candidate, in New York on Dec. 5, 2016. (Mark Lennihan/AP)
— The federal government is ahead of other sectors in its implementation of the email authentication system called Domain-based Message Authentication Reporting and Conformance, or DMARC, Nextgov's Aaron Boyd reported. The company Valimail said in a report that the federal government is also a leader in the effectiveness of its DMARC policy. “The U.S. federal government occupies a substantial leadership position in the effective use of email authentication—and has remained there over the past several quarters,” the report said.
— College student Joel Ortiz who accepted a plea deal of 10 years in prison is thought to be the first person convicted of a crime for a phone number hijacking technique called SIM swapping, Motherboard's Lorenzo Franceschi-Bicchierai reported. “Ortiz is one [of] a handful of SIM swappers who have been arrested in the last year for hijacking phone numbers and using them to then hack into emails, social media accounts, and online Bitcoin wallets,” according to Motherboard. “Other people who have been arrested are Xzavyer Narvaez, who’s accused of stealing around $1 million in Bitcoin; Nicholas Truglia, who’s also accused of stealing millions in Bitcoin; and Joseph Harris, one of the most infamous SIM swappers who allegedly stole more than $14 million in cryptocurrency.” Ortiz stole more than $5 million in cryptocurrency by SIM swapping.
— More cybersecurity news from the public sector:
Craig Federighi, Apple's senior vice president of software engineering, speaks about Group FaceTime in San Jose on June 4, 2018. (Marcio Jose Sanchez/AP)
— More cybersecurity news from the private sector:
- The Center for Strategic and International Studies holds an event titled “China's Digital Silk Road” tomorrow.
- CPX 360 cybersecurity summit in Las Vegas tomorrow through Wednesday.
- ARC Industry Forum in Orlando tomorrow through Thursday.
- Senate Armed Services Committee hearing on worldwide threats on Wednesday.
- The Center for Strategic and International Studies holds an event titled “Mitigating security risks to emerging 5G networks” on Wednesday.
- Texas Technology Summit in Houston on Wednesday.
- The Center for Strategic and International Studies holds an event on digital surveillance on Feb. 13.
Trump's Super Bowl Sunday interview, annotated:
Lawmakers call for Northam's resignation:
This is what’s left of communities abandoned after the Fukushima disaster: