House Democrats propose major election security legislation

With help from Eric Geller and Martin Matishak

Editor's Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m.


— House Democrats unveil their government ethics, voting access and election security legislation today. One of its 10 sections is devoted to election security, with provisions including voting machine vendor cybersecurity standards, paper ballot requirements, grants and a bug bounty program.

— A pair of senators is introducing legislation to establish a new federal office to combat foreign tech theft and supply chain threats. The bill would create a White House Office of Critical Technologies and Security.

— House Dems also are maneuvering to end the government shutdown, which is beginning to influence cyber policy. Symptoms are emerging at NIST, where industry is unclear on making public comments on pending agency action, and DHS, which only recently got congressional approval to reorganize its main cybersecurity wing.

HAPPY FRIDAY and welcome to Morning Cybersecurity! In a miserable season for the Washington Wizards, this dude has been a real bright spot. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

ELECTION SECURITY SMORGASBORD — Today, House Democrats are formally debuting H.R. 1 (116), which includes a substantial helping of election security. A section-by-section summary of the bill, sponsored by Rep. John Sarbanes, dictates that states must use paper ballots and that they must be “counted by hand or optical character recognition device.” That’s just one of the provisions it absorbs from last year’s bill co-introduced by House Homeland Chairman Bennie Thompson, who co-chaired the Democrats’ election security task force.

Notably, the bill also establishes security standards for vendors. It authorizes the Election Assistance Commission to distribute grants for improving election systems, paper ballots, post-election risk-limiting audits and election infrastructure innovation. DHS would conduct a threat assessment before elections, while the administration would have to develop an election security strategy and form a commission to counter threats. The bill also would require voting system testing nine months before federal elections.

Another provision would mimic a bill sponsored by Rep. Mike Quigley last Congress setting up an election security bug bounty program. And Rep. Earl Blumenauer and Sen. Ron Wyden of Oregon, known for its vote-by-mail system, celebrated the inclusion of aspects of their legislation to expand voting by mail.

FIRST IN MC — Sens. Mark Warner and Marco Rubio will introduce legislation today aimed at fighting technological threats from nations such as China. The bipartisan bill would establish an Office of Critical Technologies and Security at the White House to coordinate efforts across federal agencies and develop a national strategy to combat state-sponsored technology theft and reduce risks to supply chains. The office would also work to raise awareness of threats to the American public and the private sector posed by reliance on foreign products, like those manufactured by Chinese telecom companies ZTE and Huawei.

JUST DHS — The latest compromise bid to end the government shutdown passed the House on Thursday evening, but there’s no sign it will break the impasse. The key feature is a continuing resolution (H. J. Res. 1), passed by a vote of 239-192, that would keep only DHS open through Feb. 8 while Congress negotiates with the White House. It doesn’t, however, include border wall money that President Donald Trump is insisting upon as part of reopening the government. The Democrats’ two-part plan also included a measure (H.R. 21), passed 241-190, that would provide fresh funding for the other eight shuttered departments.

THE TOLL ON THE HOMELAND — Suzanne Spaulding lived through a 2016 government shutdown as undersecretary of the main DHS cybersecurity wing, the National Protection and Programs Directorate. That division, renamed and reorganized into the Cybersecurity and Infrastructure Security Agency under legislation signed into law late last year, is probably struggling with several things right now, she told MC, given that personnel not deemed essential to protecting life and property aren’t working.

Among them is the reorganization itself. “CISA was just established, and there's a lot of work being done right now to stand that up and not miss a beat,” Spaulding said. “You really do need to have folks who are implementing all of the policies and procedures and documents as you transition from one kind of an organization to another with as little disruption as possible. There’s no way those people are exempt.”

That said, some people currently deemed nonessential might be back later; Spaulding said that as tasks accumulated in 2016’s shutdown, the case for bringing people back grew commensurate to the increased risk. Some tasks, though, will just pile up, leaving important work delayed and congressional deadlines missed, she said. The shutdown might also set back DHS cybersecurity work with state and local officials and industry.

DHS on Thursday did not provide answers to questions about which “critical” cybersecurity “capabilities” were “ceased” during the shutdown. House Homeland Democrats are concerned: “We need the government fully funded so CISA can operate. We can't afford to have our cyber efforts put on hold,” they tweeted.

ANYBODY HOME? — As the partial government shutdown enters its 14th day, the cybersecurity community is grappling with a little-noticed aspect of shuttered federal agencies: how and when to file public comments on those agencies’ pending actions. In the cyber realm, the problem is most acute for documents published by the technical standards agency NIST. The agency gave interested parties until Jan. 14 to offer feedback about developing a Privacy Framework. Other NIST publications are open for comment until Jan. 7 and Feb. 15. Meanwhile, the Bureau of Industry and Security gave the public until Jan. 10 to suggest “emerging technologies” that merit placement on an export control list, with artificial intelligence a possible category.

The shutdown has sidelined staffers at NIST, BIS and elsewhere who are responsible for reviewing these comments; they are either not working or not allowed to do nonessential work. “I am hearing questions from a lot of people about all of the important comment periods underway and what will happen to them when the deadline comes and that part of the [government] is still out,” said an industry source who requested anonymity to speak candidly.

Some organizations are treating the existing deadlines as still operative. “Even though no one may be there to read the responses,” said Ari Schwartz, coordinator of the Cybersecurity Coalition, “there is also no one there to reassure us that our submissions will be accepted if they come in late.” NIST, BIS and the Commerce Department, which houses the two agencies, did not respond to requests for comment.

TWEET OF THE DAY — This is why finger workouts are so crucial.

PEOPLE ON THE MOVE

— Former Rep. Trey Gowdy, who previously chaired the House Oversight Committee, joined the law firm of Nelson, Mullins, Riley and Scarborough. Gowdy will helm the white collar defense and government investigations team. He’s joined by Cindy Crick, his congressional chief of staff, and Sheria Clarke, the Oversight Committee’s former staff director.





— House Speaker Nancy Pelosi selected Rep. Adam Schiff to chair the House Intelligence Committee. POLITICO

— How Intel has rebounded from Spectre and Meltdown, via Wired.

— Haaretz probes an Israeli offensive cyber firm “named after an Amazon fish known to parasitize the human urethra.”

— The PewDiePie-themed hacker is calling it quits. Bleeping Computer

— Chrome patched a 3-year-old flaw. ZDNet

— A cybersecurity researcher canceled a briefing on hacking Apple’s FaceID, with his employer dubbing the work “misleading.” Reuters

— “Health agency looks to bolster cybersecurity with new guidelines for industry.” CyberScoop

— A popular weather app is harvesting data and sending it to Chinese servers. BBC

— The “Town of Salem” game suffered a data breach that exposed information on 7.6 million users. Forbes

That’s all for today.

Stay in touch with the whole team: Mike Farrell (@mikebfarrell); Eric Geller (@ericgeller); Martin Matishak (@martinmatishak) and Tim Starks (@timstarks).
