Colorado launches election safeguards

With help from Eric Geller and Martin Matishak

ONE DOWN, 49 TO GO — At least one state will be ready to audit its results in the 2018 midterms using a sophisticated process recommended by cybersecurity experts. Colorado announced today that it had hired the election security firm Free & Fair to develop software for what are known as “risk-limiting” audits, which involve checking a small sample of paper ballots against their electronic tallies to determine if the results were tabulated correctly. “If a voting system has been maliciously altered in some way, [this audit] should give the public great assurance that we are going to know that, and we will adjust the result accordingly,” Dwight Shellman, a Colorado election official who is helping to coordinate the new auditing process, told Eric for a story that posted this morning.


Risk-limiting audits are cheaper and more efficient than older audit methods because they use statistical processes to select and analyze a smaller sample of ballots than was previously necessary. Stephanie Singer, the project lead at Free & Fair, told Eric that Colorado would only have to check 142 ballots out of the 2.85 million cast statewide in 2016 to determine whether the results were correct, compared to the 32,000 ballots required under a normal audit. “This is just a commonsense quality control maneuver,” said Singer. “If you had any kind of machine that did a job and you were depending on its output, you would every so often run tests on the machine to make sure that it’s doing what it says it’s doing. It’s really, really just basic quality control.”

Digital security experts have warned for months that states are lagging in their preparations for the 2018 midterms, even as Russia is said to be gearing up for another season of hacks and influence operations. J. Alex Halderman, a computer science professor at the University of Michigan and leading election security expert, recently told the Senate Intelligence Committee that voting machines without paper records were a serious threat because they made reliable audits impossible. Halderman told MC that Colorado’s new system was “an excellent model for other states to follow.”

Will other states follow Colorado’s lead? That will depend on whether they can upgrade their voting systems to support risk-limiting audits. “Many, many states are still using legacy voting systems that are 10 or 15 years old and are rapidly reaching their end of life,” said Shellman. Colorado’s approach represents “a marked improvement,” he added, “and I think other states will get there when they’re technologically able to be there.”

HAPPY MONDAY and welcome to Morning Cybersecurity! [MILD "Game of Thrones" spoilers to come.] C'mon, Euron Greyjoy. You are the current king of the Iron Islands. You can do better than shopping at Hot Topic. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @timstarks, @POLITICOPro, and @MorningCybersec. Full team info is below.

WE’RE NOT GIVING UP — The Trump administration is still considering cybersecurity discussions with the Russian government, despite the backlash that greeted President Donald Trump’s suggestion of forming an “impenetrable Cyber Security unit” with the Kremlin. “We are not discussing a partnership here,” Homeland Security Adviser Tom Bossert stressed during a gaggle with reporters late last week. “We wouldn’t have the conversation about partnership. But we had to have a dialogue, and that's where we'll start.” Trump’s suggestion of an operational partnership generated widespread criticism, and he quickly tweeted that he knew it couldn’t work. The White House later said a joint National Security Council/State Department effort to set up a cyber working group was on hold.

But Bossert was clear that Trump’s recent meeting with Russian President Vladimir Putin presented an “opportunity to continue a dialogue” on cyber issues, including norms like protecting critical infrastructure. He stressed that the United States would have “appropriate reservations” and expectations for how such a dialogue would work. Cyber experts said those expectations would be crucial to making substantive progress. “The previous discussions with the Russians were broken off when it was clear that the Russians saw more benefit in competition than collaboration,” Chris Finan, a former Obama NSC cyber official, told Cory and Eric for a story that ran late last week. David Edelman, a former Obama official who negotiated cyber discussions with Russia at the State Department and NSC, warned that in the past, Moscow had “tested the limits of our information exchange mechanisms, attempting to extract information on political opponents, dissidents, exiles and even our own cyber capabilities.”

The Trump administration is likely to start small, Bossert said. The initial focus would be on what constitutes “acceptable behavior in cyberspace and what norms and expectations that we'll have moving forward,” he said. But a former White House official said Trump needed to be realistic. “Talking requires one to be open to the possibility of movement to the middle,” said the former official, who requested anonymity to speak candidly. “If you create a vehicle like that and it becomes clear there’s no chance of movement from the other side, then it no longer makes sense to be talking.”

IN CONGRESS THIS WEEK — Most of the week’s Hill cybersecurity action focuses on fiscal 2018 spending legislation. The House Appropriations Committee will mark up the homeland security funding measure Tuesday. Then it will turn to the bill funding the State Department Wednesday. Republicans have touted the same parts of both measures that Democrats have criticized: cybersecurity spending in the Homeland Security bill, and money for countering Russian aggression in the State bill. This week should bring a decision from House Republicans about whether they will combine all 12 spending bills into one package that would give GOP members the chance to offer a slew of amendments. On the Senate side, the Intelligence Committee will hold a nomination hearing Wednesday on Robert Storch to be inspector general of the National Security Agency, Susan Gordon to be principal deputy director of national intelligence and Isabela Patelunas to be assistant secretary for intelligence and analysis at the Treasury Department.

DEFENSE POLICY SAILS THROUGH HOUSE — The full House on Friday easily approved its version of the fiscal 2018 defense policy bill. Before the 334-81 vote, lawmakers adopted by voice vote a handful of cybersecurity amendments, including a provision from Rep. Robert Pittenger that would block the Pentagon from entering contracts with telecom firms determined to be complicit in North Korean cyberattacks. They also approved a bipartisan measure from Rep. Brendan Boyle expressing a sense of Congress that it's in DoD's interests to help Ukraine augment its digital capabilities and another from Rep. Brian Fitzpatrick that directs the Defense secretary to define “deterrence” in cyber operations and how it impacts the department’s overall digital strategy.

All eyes now turn to the Senate, which was supposed to consider its draft of the sprawling policy roadmap after it addressed legislation repealing and replacing Obamacare. However, after Senate Armed Services Committee Chairman John McCain announced he would spend next week in Arizona recovering from surgery, Senate Majority Leader Mitch McConnell said the chamber would defer a vote on the healthcare bill, jumbling the chamber’s calendar.

REMEMBER THIS? — Congressional Democrats used their weekly address Sunday to spotlight the election security task force they announced last month, and ask Republicans to join them. Top House Homeland Security Democrat delivered the address, saying the task force would give members of Congress a chance to hear from cybersecurity and election experts. “While elections are the exclusive responsibility of states, the federal government has a responsibility to step up and help where needed to support states as they work to prevent the Russians or other bad actors from disruption and interfering with our elections,” Thompson, the task force’s co-chairman, said. “We hope House Republicans will join us. Unfortunately we have a president who shows no interest in preventing last year’s election interference from happening again,” he continued, adding that in Congress, “Republican leaders have displayed no appetite to tackle this critical issue, or even hold hearings.”

DEMS SLACK-JAWED OVER DON JR. — The top Democrats on the House and Senate Intelligence Committees expressed disbelief that President Trump didn’t know about a meeting last year between top members of his campaign, including his son Donald Trump Jr., and a Russian lawyer. “Frankly, it's a little bit unbelievable that neither the son or the son-in-law ever shared that information with their dad, the candidate,” Sen. Mark Warner said during an interview with CNN’s “State of the Union.” The Virginia Democrat noted that senior administration officials had changed their story about the June 2016 meeting several times, beginning with the explanation that it was focused on adoption policy, and the number of people who attended the session in Trump Tower. “We don't know because we don't know really what happened at the meeting,” according to Warner. “What we do know is Donald Trump Jr. did not tell the truth a variety of times.”

Rep. Adam Schiff, the ranking member on House Intelligence, went further, saying the panel “can’t accept anything Don Jr. says” about the meeting. “Of course we can't accept much the president says about this either,” Schiff added on ABC’s “This Week.” He said the meeting is “evidence in black and white” that the Trump campaign was looking to get dirt on Hillary Clinton via Moscow. “This is about as clear ... evidence [as] you could find of intent by the campaign to collude with the Russians, to get useful information from the Russians,” according to Schiff.

SPEAKING OF… — One of the men in the meeting with Trump Jr. once stood accused of hacking into a Russian mining company, according to The Daily Beast. The story focuses on Rinat Akhmetshin, a lobbyist who has publicly discussed the meeting. “In court papers filed with the New York Supreme Court in November 2015, Akhmetshin was described as ‘a former Soviet military counterintelligence officer’ by lawyers for International Mineral Resources (IMR), a Russian mining company that alleged it had been hacked,” according to the piece. “Those documents accuse Akhmetshin of hacking into two computer systems and stealing sensitive and confidential materials as part of an alleged black-ops smear campaign against IMR. The allegations were later withdrawn.” U.S. officials are probing Akhmetshin, according to our POLITICO colleague Ali Watkins.

RECENTLY ON PRO CYBERSECURITY — The House Intelligence Committee postponed testimony from longtime Trump confidant Roger Stone as part of its Russia probe. … Trump campaign digital chief Brad Parscale said he would voluntarily meet this month with the House Intelligence panel as part of the same investigation. … A top White House official couldn’t confirm whether Beijing has adhered to the U.S.-China deal prohibiting cyber theft of intellectual property. … Democratic FEC members sought stronger action by the commission to respond to Russian election meddling, but Republicans urged a more cautious approach. … Virginia Gov. Terry McAuliffe, leader of the National Governors Association, said 35 states have signed up for a cybersecurity pact. … The Australian government “announced a bill that would require internet companies to accommodate government demands for access to encrypted data.”

TWEET OF THE DAY — But he called it “impenetrable”!

PEOPLE ON THE MOVE

— Katherine Charlet is the inaugural director of the Carnegie Endowment for International Peace's Washington-based technology and international affairs program. She most recently served as the principal director and acting deputy assistant secretary of defense for cyber policy.

QUICK BYTES

— U.S. officials tell The Washington Post that the United Arab Emirates was behind the disruptive hacking of Qatari government sites.

— “Private Email of Top U.S. Russia Intelligence Official Hacked.” Foreign Policy.

— The parent company of Ashley Madison, Ruby Corp., announced a settlement with plaintiffs over the dating site’s breach.

— Lloyd's of London warns that a catastrophic cyber attack could cause more than $120 billion in economic damage, more than many traditional natural disasters. Financial Times.

— “South Carolina May Prove a Microcosm of U.S. Election Hacking Efforts.” The Wall Street Journal.

— A DHS official said his department’s specialists are decoding a sophisticated hacking campaign that targeted the energy, manufacturing and nuclear sectors. E&E News.

— Reuters examines how Kaspersky Lab has come under fire during difficult U.S.-Russia relations.

— “An advisory group is preparing two separate reports on what the government can do to protect against armies of compromised zombie computers that carry out cyber mischief, known as botnets, a representative said Friday.” Nextgov.

— Russian hackers are trying to get into the U.K. electricity grid, according to The Times of London.

— Crowdstrike says Australia is being targeted by Fancy Bear, Deep Panda and Charming Kitten. Australian Broadcasting Corporation.

— Atlantic Council cybersecurity fellow Benjamin Flatgard got The New York Times wedding section treatment.

That’s all for today. At least Arya got to do THAT.

Stay in touch with the whole team: Cory Bennett ([email protected], @Cory_Bennett); Bryan Bender ([email protected], @BryanDBender); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
