With help from Eric Geller and Martin Matishak
NOT GOOD ENOUGH — The top Democrat on the Senate Rules Committee wants more answers from voting machine vendors after two of the three largest companies skipped Wednesday’s election security hearing. Hart InterCivic sent a representative, but Election Systems & Software and Dominion did not. “I think we should try again, and I personally plan on sending them a number of written questions, since they wouldn’t come to the hearing,” Minnesota Sen. Amy Klobuchar told Eric. “They have a responsibility, when there’s only three of them, to answer our questions.” Klobuchar is the lead Democratic sponsor of the bipartisan Secure Elections Act (S. 2593), Congress’ most significant attempt yet to protect U.S. election infrastructure from hackers. Klobuchar may get her wish to bring in Dominion and ES&S — a spokeswoman for Rules Chairman Roy Blunt told MC that the panel was planning additional hearings.
One of the most striking moments of the Rules hearing came when Klobuchar asked the vendors if it was appropriate for them to continue selling electronic voting machines without paper backups, which cybersecurity experts say is a serious mistake. All three vendors said yes. The Hart executive said his firm would offer whatever local customers wanted, and another vendor representative said he didn’t “see a reason not to.” Klobuchar told Eric that she planned to follow up with the vendors about their answers. One vendor raised accessibility as a reason not to use paper; in the interview, Klobuchar noted that many states made paper backups work: “That, to me, seemed a bit of a red-herring answer.”
The vendors’ other answers to Klobuchar’s questions didn’t satisfy her, either. They promised that they let independent security researchers audit their machines, but researchers say the firms have denied their requests for decades. “We need government oversight” of voting vendors’ transparency, Klobuchar told Eric. Virginia Sen. Mark Warner sounded a similar warning in an interview with Eric outside the committee room. “When you’ve got a 90 percent [market] concentration [and] three vendors controlling the back end of our voting systems,” he said, “that’s a vulnerability.” Oregon Sen. Ron Wyden also had harsh words for the vendors at the hearing.
Despite her concern about paperless voting machines, Klobuchar said she didn’t think a bill to regulate voting technology could pass Congress. “I think it would be hard to get done,” she said. For now, her goal is the enactment of the Secure Elections Act, which she said “has a much better chance of passing” than a more regulatory measure. The bill would promote information sharing and create federal grants for election security, among other things. “We have to start somewhere,” she said. “And I think we start with this.”
HAPPY THURSDAY and welcome to Morning Cybersecurity! Well, duh. Maybe you shouldn’t take a small sample of a group and judge the entirety by it. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
BRACKETOLOGY — Democrats on the House Administration Committee will issue a report today looking at states they consider risky when it comes to potential election interference. The study singles out 18 states and breaks down their overall election security preparedness and voting systems into three tiers. Five states were put in the top tier, or “most serious” category, as they rely solely on electronic devices that leave no paper trail and make it impossible to check the results against a physical vote count. Nine states landed in the second tier. While those states may have “significant” vulnerabilities, they also may not be planning to use recently approved federal assistance to improve election safeguards. The last tier consists of four states that are using federal funds to eliminate weaknesses but may require additional money to fully upgrade their election infrastructure.
A CHANGE IS GONNA COME (EVENTUALLY) — Don’t expect widespread, wholesale replacements of voting equipment before the 2018 election despite Congress setting aside $380 million for election security this year, a top DHS official told a House panel today. “There are challenges from a procurement process,” said DHS’s Chris Krebs, and besides, “there’s not enough money to transition” whole systems in most cases. Krebs — the undersecretary at DHS’s main cyber wing, the National Protection and Programs Directorate — also told the House Homeland Security Committee that feds weren’t seeing as much foreign adversary election meddling in 2018 as in 2016, but Russians definitely were still seeking to undermine democracy via influence operations. Two Homeland subcommittees today continue their cybersecurity focus with a joint hearing on supply chain threats.
PLANES, CARS AND (YES) VOTING MACHINES — The Black Hat conference has finalized its agenda for the 2018 event running Aug. 4 through 10, organizers announced Wednesday. One of the highlights: a presentation on how researchers hacked an airplane, in-flight, from the ground. Famed car hackers Charlie Miller and Chris Valasek will call attention to new auto vulnerabilities, namely those affecting self-driving cars. And Carsten Schürmann, a professor at the IT University of Copenhagen, will speak on “the worst voting machine ever.” The full schedule can be found here.
FEET, MEET FIRE — A major voting vendor’s comments to Sen. Warner at Wednesday’s Rules Committee election security hearing show why Congress should keep a close eye on those vendors, according to Edgardo Cortés, Virginia’s former top election official. At the hearing, Warner confronted Peter Lichtenheld, vice president of operations at voting giant Hart InterCivic, over Hart’s refusal to provide Cortés’ office with a test unit when Virginia was evaluating whether to stop using electronic voting machines. (The state eventually did so.) Lichtenheld said the company considered the request “moot” because, by then, Virginia localities were already moving to different machines.
Cortés, who is now an election security adviser at the Brennan Center for Justice, called Lichtenheld’s comments “disingenuous.” “The locals in Virginia that were using Hart [voting machines] did not have plans to transition to new equipment before the 2017 election,” he told MC in an email. “I’m glad that Senator Warner was so adamant about holding vendors accountable at today’s hearing and getting their public commitment to do better in the future.” Cortés’ struggle with Hart last year underscored the challenges that many state officials and independent researchers have faced in working with vendors. These companies “have not been held accountable for their role in addressing cybersecurity vulnerabilities,” said Cortés. “I hope today’s hearing is a sign that vendors will receive more scrutiny from Congress during discussions about election security.”
HOUSE INTEL BILL MOVES FORWARD — The House Rules Committee on Wednesday voted along party lines, 6-4, to approve a rule for floor debate for the fiscal 2018 and 2019 intelligence authorization bill, H.R. 6237. Panel members voted similarly to forbid a Democratic amendment that would have restored the White House cyber coordinator position, a move that was recently tried on the annual defense policy bill. The GOP-controlled committee did allow a dozen amendments to be made in order, including one revising a section that requires the Director of National Intelligence, FBI and Homeland Security Department to make a public report on foreign counterintelligence and cybersecurity threats to election campaigns for federal offices. The provision would require the report to include a list of foreign state or nonstate actors involved in such activities.
The White House issued a statement of policy during the hearing that objected to several parts of the bipartisan measure, though the administration admitted it had not seen the classified portion of the legislation. The administration has “significant concerns” with a provision that would establish a new infrastructure security center for threats to the energy sector, saying it would “create a vast infrastructure not needed to evaluate or mitigate cyber threats to critical energy infrastructure. The administration would instead continue to pursue activities to study, understand, and develop mitigations that address the cybersecurity threat to critical infrastructure.” The executive branch also took issue with the bill calling for an enterprise-wide secure voice cellular solution based on commercially available technology. “The IC requires the flexibility to develop secure communications infrastructure that can adapt to evolving technology to ensure the protection of intelligence sources and methods against the increasing challenges presented by foreign adversaries,” according to the statement. The House is scheduled to take up the bill today.
SENATE APPROVES DOJ NOMINEE — The Senate filled one of the Trump administration’s last major cyber-related vacancies on Wednesday, narrowly confirming Brian Benczkowski to be assistant attorney general for the Criminal Division. In his new role, Benczkowski will oversee the Computer Crime and Intellectual Property Section, composed of Justice Department prosecutors who investigate cyber and IP-related crime. The Criminal Division prosecutes all hackers who are not linked to foreign governments. (State-backed hackers are the purview of the National Security Division.) The Senate vote was 51-48, reflecting the sharp partisan divide over Benczkowski’s qualification to be one of the Justice Department’s top officials. Democrats pointed out that Benczkowski had never served as a prosecutor and never tried a case. They also noted that, as a partner at Kirkland & Ellis, Benczkowski represented the Russian financial giant Alfa Bank in legal matters related to Special Counsel Robert Mueller’s Russia probe. The Justice Department refused to tell Democratic senators whether Benczkowski would participate in the Russia investigation.
RECENTLY ON PRO CYBERSECURITY — President Donald Trump nominated Donald Palmer to serve on the Election Assistance Commission. … Federal government agencies are at the leading edge of creating bug bounty programs, according to a report by HackerOne. … The last impediments toward lifting the ban on Chinese telecommunications company ZTE are clearing away.
TWEET OF THE DAY — You heard the man!
PEOPLE ON THE MOVE
— Steve Grewal, the former deputy chief information officer at the General Services Administration, has joined the cybersecurity-focused advisory board for Exabeam.
— Senate Commerce Chairman John Thune invited Intel to appear at his hearing on the Spectre and Meltdown flaws, but the company declined, and he doesn’t think they should have. CyberScoop
— Google Chrome has a new feature meant to thwart Spectre attacks. CNET
— Prosecutors say former Trump campaign manager Paul Manafort has skirted an email ban while in prison. The Washington Post
— A full governmentwide Kaspersky Lab ban is due to go into effect next week, and the company is making one last stand. Nextgov
— Facebook is giving academics “full access” to study the effects of social media on democracy. The Wall Street Journal
— Spyware is becoming a key part of cartel kingpin Joaquin “El Chapo” Guzmán’s case. Vice
— The story of how a programmer hacked his own software to save the Apollo 14 mission. IEEE Spectrum
— The Congressional Budget Office sized up the cost of H.R. 3776, Cyber Diplomacy Act of 2018.
— A look at gifted USB devices. Hackaday
— “Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis.” Microsoft Secure
— The Center for a New American Security examines some applications for artificial intelligence in cybersecurity.
— Cybersecurity stocks are doing well. Quartz
— L3 bought two information security companies.
— Broadcom is near a deal to buy CA Technologies, which owns Veracode. The Wall Street Journal
That’s all for today. Like, I don’t care about szechuan sauce.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Martin Matishak (firstname.lastname@example.org, @martinmatishak) and Tim Starks (email@example.com, @timstarks).