Updates on election security legislation, Trump’s view on Russia, vendor security

With help from Eric Geller and Martin Matishak

THE MORE THE MERRIER — Leaders of the Senate Armed Services cybersecurity subcommittee on Tuesday became the latest cosponsors of a bipartisan bill (S. 2261) to boost election security. Sens. Mike Rounds and Bill Nelson added their names to an already impressive roster of lawmakers, including Senate Intelligence Chairman Richard Burr and ranking member Mark Warner. The chief sponsors are Sen. James Lankford, who sits on the Intelligence and Homeland Security committees, and Amy Klobuchar, the ranking member on the Rules Committee, which has jurisdiction over federal elections.


The bill’s path to passage remains unclear. The Rules Committee has not yet advanced it, and as for a floor vote, Klobuchar’s office is leaving it to Lankford’s team to deal with Senate Majority Leader Mitch McConnell. But President Donald Trump’s recent comments about Russian meddling and special counsel Robert Mueller’s new indictments will help move things forward, according to a Senate aide who requested anonymity to discuss complex negotiations. The Rules Committee’s recent hearing with voting system vendors and federal officials may also help raise the profile of election security for lawmakers.

In the House, the closest companion measure is Rep. Mark Meadows’ PAPER Act (H.R. 3751). But Meadows’ bill is significantly narrower — as its name suggests, it focuses on helping states adopt paper ballots. The Senate aide said the House bill would have to be amended to serve as a true companion bill. The Secure Elections Act, for example, includes a provision strengthening federal-state information sharing, a priority of Lankford’s based on his Intelligence Committee experience. Klobuchar’s office has reached out to Meadows’ team to discuss possible ways forward. Ben Williamson, a Meadows spokesman, told MC, “I would assume they could be reconciled, but if it got to that point there would likely be another bill leadership would consider pairing with the Senate version.”

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! The Deep State is real. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.


MAKING SURE CDM DOESN’T GO THE WAY OF THE CD — Rep. John Ratcliffe today will drop a bill codifying into law DHS’s multibillion-dollar, multi-phase Continuous Diagnostics and Mitigation program — one of the department’s key programs for fortifying cyber defenses for federal agencies — and the legislation insists on DHS baking regular improvements and new technologies into it. The draft measure from Ratcliffe, who chairs the House Homeland Security panel’s cybersecurity subcommittee, says that the DHS secretary “shall regularly deploy new technologies and modify existing technologies” via the program and supply cybersecurity risk information, analyses and reports to federal agencies.

“Our goal with this new legislation is to help boost the long-term success of the CDM program by ensuring it keeps pace with the cutting-edge capabilities in the private sector,” Ratcliffe said via a statement to MC. “We’re also safeguarding agencies from getting stuck with technologies that will soon become outdated or unsupported by their vendors.” He said the idea was to support work already underway at DHS.

WHAT THE STATES AREN’T DOING — A POLITICO survey of states’ planned expenditures from the $380 million election security pool Congress allocated this March found most haven’t taken steps to fix their most glaring weaknesses. For instance, only 13 states plan to spend money to buy new voting machines. At least 22 states, including all five that rely exclusively on paperless devices, said they had no plans to replace machines before the midterm elections. Pros can read the whole story here.

In that vein, Rep. Robin Kelly sent a letter to Illinois Gov. Bruce Rauner demanding information about the state’s effort to shore up its election system before the midterms. The missive comes about a week after Democrats on the Committee on House Administration issued a report that found Illinois was one of a handful of states that might not be using the recently released federal funds — Illinois requested $13.2 million — to address the biggest weak spots in their systems. “This assessment of Illinois’ cyber preparedness is deeply disturbing and cause for great concern,” wrote Kelly, the ranking member on the House Oversight Committee’s IT subpanel. She asked the GOP governor to provide a plan on how the EAC funds would be spent as well as for updates on the state’s cybersecurity efforts related to elections and if the Land of Lincoln has considered blockchain technology to enhance security and manage critical voter data.

JUST KIDDING — President Trump on Tuesday said he misspoke in denying Russian meddling during a joint press conference Monday with Russian President Vladimir Putin. Trump stunned the world when he stood beside Putin and said “I don’t see any reason why it would be” Russia that interfered in the 2016 election. But on Tuesday, the president went into damage-control mode. “In a key sentence in my remarks I said the word ‘would’ instead of ‘wouldn’t,’” Trump told reporters. “I accept our intelligence community's conclusion that Russia's meddling in the 2016 election took place.” But then he added: “Could be other people also. A lot of people out there. There was no collusion at all.” The president also promised that his administration was “doing everything in our power to prevent Russian interference in 2018,” adding, “We're going to take strong action to secure our election systems and the process.”

Trump’s jumbled backpedaling came as the National Association of Secretaries of State urged his administration to provide a clear message of support for the nation’s election officials as they rushed to shore up their digital defenses ahead of the midterms. State officials “across the nation are working hard each day to safeguard the elections process with their own IT teams, private sector security companies, and the federal government, among others,” NASS said in a statement. “We ask, however, the White House and others help us rebuild voter confidence in our election systems by promoting these efforts and providing clear, accurate assessments moving forward.”

ES&S CORRECTS RECORD — The largest voting system vendor in the U.S. has admitted to providing inaccurate information about remote access features in software used to manage its voting machines. From 2000 to 2006, Election Systems & Software included pcAnywhere remote access software in the “election management system” that it sold to “a small number of customers,” ES&S told Sen. Ron Wyden in an April 5 letter first reported Tuesday by Motherboard. Election management systems are installed on internet-connected computers that are used to program voting machines. Cyber experts have pointed to this as a weak point where hackers — possibly piggy-backing on remote access software — could tamper with the voting process.

The vendor initially denied ever including pcAnywhere in its election management program when asked by The New York Times Magazine in February. “None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the company said at the time. But the Times dug up documents that contradicted ES&S’s initial statement, which prompted Wyden to seek clarification.

Its election management systems no longer include pcAnywhere, the company told MC in a statement. “In accordance with [Election Assistance Commission] guidelines implemented in 2007, ES&S discontinued providing pcAnywhere over a decade ago, and no ES&S customer is using it today,” the statement said. ES&S also said that the remote access software installed on the management computers “was not designed to and did not come in contact with any voting machines.” “ES&S voting machines across the nation do not have any form of remote access capability,” the statement said. “ES&S has never installed remote connection software on any vote tabulation device it has ever delivered to a customer—nor has it ever been possible to do so.”

FULL SPEED AHEAD, MR. BOATSWAIN — Rounds told Martin that he is “pleased” with the attention the U.S. Navy and the Defense Department are giving the investigation into how Chinese hackers pilfered troves of data about the country's submarine efforts from a government contractor. “It would be fair to say that … the agencies responsible most certainly have drawn attention to the issues,” according to Rounds, who chairs the Senate Armed Services Cybersecurity subpanel. “They have not tried to coat this over,” he said, adding he “liked” the approach being taken by the Pentagon.

Rounds declined to say what steps DoD and the service are taking, but when asked if it involved vetting the contractor again or looking at new ways to vet contractors, the South Dakota Republican replied: “All of the above.” He said that Armed Services would refrain from proposing legislative prescriptions until the investigation is complete and the Pentagon provides more updates. “I don't think there's a timeline on that as much as there is they have to get their work and then they'll come back and share with us a focus on where to go,” Rounds said.

MELTDOWNS UPON MELTDOWNS — Prompted by industry’s handling of the Spectre and Meltdown chip flaws, the leaders of the House and Senate commerce panels on Tuesday asked the authors of a popular guide on coordinated vulnerability disclosure (CVD) to update their manual. The industry response raises “questions about the coordination of the CVD process and also suggests the lack of precision in describing the availability or implementation of patches could give both companies and users a false sense of security,” wrote Sen. John Thune and Rep. Greg Walden in a letter to Carnegie Mellon University's Computer Emergency Response Team Coordination Center.

Thune and Walden wrote that those questions and others arose during a letter exchange between their committees and major tech firms. Among their other questions was "whether the CVD process was adequately coordinated to ensure that companies, particularly those providing critical infrastructure, had enough time to test and implement patches prior to public disclosure of the vulnerabilities and that the U.S. government received timely notice of the CVD process" and "whether companies used precise terminology in describing the availability, not application of patches."

WHAT IS YOUR MAJOR MALFUNCTION? — Leaders of the House Vietnam Caucus released a letter today to the heads of Facebook and Google urging them not to store data in that country if it means the government can improperly seize it under a new cybersecurity law. "The broad and vaguely worded law would allow the communist authorities to access private data, spy on users, and further restrict the limited online speech freedoms enjoyed by Vietnamese citizens," wrote caucus co-chairs Chris Smith, Alan Lowenthal and Zoe Lofgren, alongside other members. "It could also be a serious impediment on Vietnam's economic potential and fundamentally impact foreign particularly American businesses in the country as internet companies are required to store data locally and disclose user data at the request of government authorities." The lawmakers also expressed concerns about the law being used to conscript major U.S. companies into censorship of political speech.

DOMAIN FRONTING — Sens. Wyden and Marco Rubio have entered the battle over the technique of “domain fronting,” which some communication services and apps employ to dodge foreign censorship. "Regrettably, your decision to ban the practice of domain fronting will prevent millions of people in some of the most repressive environments including China, Iran, Russia and Egypt from accessing a free and open internet," the pair wrote in a letter Tuesday to the heads of Alphabet and Amazon. Access Now, the digital rights group that has been pressing those same companies, welcomed the senators’ urgings.

TWEET OF THE DAY — Ah, 2001. Computer worms were so much more innocent back then.

QUICK BYTES

— NSA and Cyber Command boss Paul Nakasone has directed the two agencies to work together to counter Russian election interference. The Washington Post

— “Meet the hackers who flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victim’s weakness? Phone numbers.” Motherboard

— Trump approved the timing of the indictments of 12 accused Russian election hackers, Bloomberg reports.

— White House Chief of Staff John Kelly gave congressional Republicans carte blanche to criticize Trump’s news conference with Putin. Vanity Fair

— Professor Thomas Rid goes deeper on that Democratic server. POLITICO Magazine

— The Defense Department is tying contracts to a company’s cyber defenses. Nextgov

— Democrats tried to shift the focus of a House Judiciary hearing from alleged social media bias against conservatives to Russian cyberattacks. The Hill

— Congressional Republicans are open to more Russia sanctions. CNN

— The National Security Council’s intelligence chief is departing. Daily Beast

— A Russian cybercrime suspect is being extradited to France. CyberScoop

— The Government Accountability Office’s inspector general has recommendations on information security.

— The second part of the Interior Department watchdog report on dam cybersecurity. FCW

— The LuminosityLink malware author pleaded guilty. CyberScoop

That’s all for today. It’s everywhere!

Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
