Insights from the Senate election security hearing

With help from Eric Geller and Martin Matishak

PLENTY TO CHEW ON — Wednesday’s Senate Intelligence hearing on election security was jam-packed with information. The biggest highlights:


— The states: One theme of the hearing was senatorial dismay at the Homeland Security Department not helping states quickly enough. Sen. Kamala Harris, for instance, pressed DHS Secretary Kirstjen Nielsen on how many of the department’s highest-level security reviews, known as risk and vulnerability assessments, have been completed. Nielsen said the number was 15, with four more currently in the works. Harris said she had heard other figures from DHS officials, but either way, Nielsen committed to completing the assessments for anyone who asks before the November 2018 elections.

The states haven’t always been easy for the federal government to deal with, senators and witnesses said. Nielsen said two unnamed states were not working with DHS to the degree the department wanted, and former DHS Secretary Jeh Johnson said he once had to call a senator to nudge a state into cooperating. Top panel Democrat Mark Warner said the public deserves to know which states are slacking, but Nielsen warned that if the department reveals information that states provided voluntarily, it could make the relationship even worse. The panel has seen some of the states’ distrust of the feds up close: Intelligence Chairman Richard Burr said that after DHS dubbed election systems “critical infrastructure,” states were less willing to talk to his panel for its election probe and recommendations.

— Voting machines: The security of election equipment also came up repeatedly. Nielsen called it a “national security concern” that some states don’t have a backup paper trail to enable audits of electronic votes. Sen. Ron Wyden, who said he has been “stonewalled” when seeking information from voting machine vendors about their cyber safeguards, asked Jeanette Manfra, DHS’ assistant secretary for cybersecurity and communications, “How confident are you that the election technology they sell to the states follows common cybersecurity best practices?” Manfra answered: “It’s just hard for me to judge right now. I don’t have perfect insight into the machines that the states buy.” But she did say many manufacturers have submitted their equipment to federal agencies for voluntary security reviews. Sen. Angus King also asked how many vendors have foreign owners, but none of the witnesses he queried had an answer.

— Everything else: Manfra said she saw no signs of Russia or other foreign nations currently probing the election system to interfere in the 2018 races. Nielsen said 20 out of 150 top state election officials have received security clearances, a figure Sen. Susan Collins considered surprisingly low, although Manfra later said the number was 21. After the hearing, a DHS spokesman told MC that of the 41 state chief election officers who have sought clearances, 19 have received clearances. Each state has the option to get clearances for two more officials, the spokesman added. Manfra also said the department had requested a $25 million boost for election security, a reversal of the department’s position last year that it had enough resources. Johnson acknowledged that the Obama administration’s punitive response to Russia’s election hacking didn’t deter the Kremlin. And Burr said he will sign on as a co-sponsor of a bipartisan election security bill.

HAPPY THURSDAY and welcome to Morning Cybersecurity! Robot fish, because they might as well populate the ocean, too. Send your thoughts, feedback and especially tips, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.


MGT ACT AND MORE MAKES THE SPENDING DEAL — The fiscal 2018 omnibus spending measure agreement released Wednesday night includes $380 million for state election security through the Election Assistance Commission. And a newly created government-wide IT upgrade fund would get $100 million to begin operations if Congress passes the bill. Congress had previously authorized the creation of a $500 million “Technology Modernization Fund” to pay for agencies’ IT projects, but had yet to appropriate any money for the fund. The omnibus’ $100 million appropriation will help fill the fund’s coffers, but is still well short of the $250 million envisioned for each of the next two fiscal years. “Better than nothing but $100m is a drop in the bucket for federal IT modernization,” tweeted one technology lobbyist.

Over at DHS, the department's main cybersecurity wing would get $1.9 billion, $110 million above fiscal 2017. Of that, $1.1 billion would go toward securing federal networks, including $71 million extra for the Continuous Diagnostics and Mitigation program that gives agencies cybersecurity tools to shore up their defenses. DHS would also get $26 million in new money for election security, approximately what the department sought as mentioned by Manfra at the Senate Intelligence hearing, and $14 million for cybersecurity education.

Elsewhere, appropriators boasted that the bill would send nearly $13 million toward improving security of the Senate’s network, an 84 percent increase. For technical standards agency NIST, “targeted funding will continue to support our nation’s cybersecurity posture through cutting-edge research.” Additionally, funding for the FBI would “enhance its investigative and intelligence efforts” related to cyber and other threats, according to the summary. And U.S. attorneys would get $4.9 million more than President Donald Trump requested for cybercrime prosecution.

At the Energy Department, efforts to protect the nation's electric grid from cybersecurity attacks would get $248 million in the package, an increase of $18 million from previous efforts.

The omnibus also contains a vague provision about government cyberattack response. It directs the head of the National Telecommunications and Information Administration, a Commerce Department agency, to study how NTIA “can best coordinate the interagency process following cybersecurity incidents.” The resulting report must be delivered to the House and Senate commerce committees within 18 months.

FIRST IN MC: GETTING THE RIGHT PEOPLE — A pair of senators today are introducing bipartisan legislation designed to bolster the federal cybersecurity workforce, which constantly thirsts for qualified personnel. Democratic Sen. Gary Peters and Republican Sen. John Hoeven, who both sit on the Homeland Security Committee, are proposing a bill that would establish a civilian agency personnel rotation initiative modeled after the military’s joint duty program. Peters said the rotation “will boost collaboration between agencies and offer more opportunities for federal employees to enhance their careers and broaden their cybersecurity expertise.” This month, Peters questioned NSA director nominee Army Lt. Gen. Paul Nakasone about cyber recruiting, and Nakasone said joint duty programs work well for training and retention.

MORE CAMBRIDGE ANALYTICA FALLOUT — Facebook CEO Mark Zuckerberg on Wednesday broke his silence about the scandal surrounding Cambridge Analytica, a data firm that worked on Trump’s election campaign and stands accused of misusing Facebook user data. “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg wrote in a Facebook post. “I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again.” The social media giant recently revealed that it failed to ensure Cambridge destroyed information on some 50 million Americans that it obtained via an academic researcher. Zuckerberg acknowledged that the company first learned about the violation in 2015 and laid out a series of steps to safeguard data and mend what he dubbed a “breach of trust” between the company and its users.

One Facebook source told our friends on the Pro Technology team that the atmosphere inside the company has been tense since Trump's election, and the latest situation is “not exactly helpful for employee morale.”

But that wasn’t the only news of the day concerning Cambridge Analytica. Special counsel Robert Mueller’s team is reportedly examining the relationship between Trump’s campaign and the firm. Several digital experts who worked on the 2016 campaign have met with Mueller's team for closed-door interviews. Meanwhile, The Guardian reported that the firm was offered hacked emails that contained personal information about the current leaders of Nigeria.

TECH GIANT SECURITY OFFICIALS ABANDON SHIP? — It might just be a coincidence, but at a time of ever-expanding scrutiny of Silicon Valley’s role in Russia’s 2016 election meddling, three different top tech giants this week faced reports that their chief security officers are departing. First came the story that Facebook’s chief information security officer, Alex Stamos, was leaving, although Stamos has rejected some elements of the report. Late Tuesday, Michal Zalewski, Google's director of information security engineering, announced his departure. And on Wednesday came a report that Twitter's chief information security officer, Michael Coates, is leaving the company.

GETTING WORSE, MOSTLY — Symantec is warning of an alarming rise in cyberattacks that go after specific targets in its annual threat report, out today. Targeted attacks were up 10 percent in 2017, according to the report. “These are the most sophisticated people who can do the most damage and there are more and more of them every year,” Kevin Haley, the company’s director of security response, told MC. The most surprising finding of the report, Haley said, is the “explosive growth” of cryptojacking, with cyber criminals seizing others’ equipment to mine digital currency. The good news, if any? After a breakthrough 2016 for ransomware, a “market correction” from a crowded field led to ransomware attackers in 2017 receiving less than half as much in ransom payments as they got the year before, on average.

ONE STEP FORWARD, ONE STEP BACK — While the Senate appears to be moving on election security legislation, a top House Democrat is mad that his committee won’t hold a hearing on the subject. Rep. Bennie Thompson, the House Homeland Security ranking member, on Wednesday demanded that panel Chairman Michael McCaul make good on a vow to convene his panel on the topic. In a statement, Thompson said he had received a written notice from McCaul that backed out of a promise the Texas Republican made earlier this month to hold a “full hearing” on the issue.

“Holding a focused and comprehensive hearing on election security is not a partisan or complicated request,” Thompson said. “It speaks volumes that while Chairman McCaul has been dragging his feet on this issue for over a year, the Senate is holding election security hearings today with current and former Homeland Security officials. This is all we are asking for.” In his letter, McCaul noted that Nielsen will testify before the committee on April 26. “I fully encourage all members to raise the issue when she appears,” the Texas Republican wrote.

TRUST ME, WE GET IT — The Trump administration’s top cyber diplomat on Wednesday defended the government’s efforts to deter digital adversaries, pointing to several examples of what he called muscular responses to cyber threats. “This administration is seeking to hold accountable malicious state actors. We’ve done that in a number of realms,” said Rob Strayer, the deputy assistant secretary of State overseeing cyber policy, during a panel at the Billington International Cybersecurity Summit in Washington. Strayer cited the Trump administration’s decision to blame the WannaCry ransomware attack on North Korea, point the finger at Russia for the NotPetya malware campaign and slap Russian cyber actors with sanctions.

“It’s important that we worked with our partners on this,” Strayer added, noting that the U.S. arranged for other nations in the “Five Eyes” intelligence-sharing group to join the WannaCry attribution statement. And he acknowledged criticism that simply naming bad actors wasn’t enough, telling the audience, “It’s important that we call these out, but then we also [must] implement consequences.”

Strayer’s office at the State Department, which handles both cyber issues and broader telecom policy, is in the process of being elevated. Strayer is expected to be promoted to an assistant secretary position supervising the officials handling cyber and telecom issues. Departing Secretary of State Rex Tillerson launched the reorganization in response to congressional criticism of his previous cyber office reshuffling. Strayer said Wednesday that despite Tillerson’s looming departure, State has continued planning the elevation.

JIGSAW EXPANDS SECURITY PUZZLE — Google’s parent company Alphabet wants to make it easier for anyone to run a virtual private network to hide their internet traffic from prying eyes. On Wednesday, Alphabet’s tech incubator Jigsaw unveiled a service called Outline that will let people configure VPNs on either their own physical server or on their slice of a cloud platform like Rackspace. By letting anyone set up their own personal VPN — whether locally or remotely hosted — Alphabet hopes to free people from relying on the handful of popular commercial VPNs. That could make it harder for repressive regimes to block their citizens’ access to restricted sites. “You get the reassurance that no one else has your data, and you can rest easier in that knowledge,” Santiago Andrigo, a product manager at Jigsaw, told Wired.

RECENTLY ON PRO CYBERSECURITY — Reps. Ted Lieu and Ted Yoho unveiled legislation to establish a bug bounty program at the State Department. … A judge threw out a lawsuit alleging that the White House didn’t prevent aides from using encrypted applications that deleted messages after they were read.


QUICK BYTES

— Trump’s national security advisers told him not to congratulate Russian President Vladimir Putin on his election win, but he still did it. The Washington Post.

— Fired FBI official Andrew McCabe authorized a criminal probe of Attorney General Jeff Sessions over his remarks to Congress about contacts with Russians. ABC News.

— Senate Judiciary Chairman Chuck Grassley blocked Trump’s nominee for the top lawyer spot at DNI. CNN.

— “Kaspersky Lab plans Swiss data center to combat spying allegations.” Reuters.

— The Trump administration wants European regulators to exempt the use of domain registry data from major new privacy rules. CyberScoop.

— Netflix launched a bug bounty program. TechCrunch.

— Florida’s Legislature passed on funding a cybersecurity unit. Tampa Bay Times.

— Google talked cloud security. Gizmodo.

— “Secure Phone Companies Clamp Down After Sinaloa Cartel-Linked Arrest.” Motherboard.

— Sitelock says nearly 18.5 million websites at any given time are infected with malware. Security Week.

— “U.K. surgeon suspects his PC was hacked to target Syrian hospital.” Register.

That’s all for today. Can you find the fishy?

Stay in touch with the whole team: Cory Bennett (@Cory_Bennett); Bryan Bender (@BryanDBender); Eric Geller (@ericgeller); Martin Matishak (@martinmatishak) and Tim Starks (@timstarks).
