The Cybersecurity 202: Pressure still on McConnell after $425 million election security deal

Senate Majority Leader Mitch McConnell. (Photo by Melina Mara/The Washington Post)

THE KEY

Democrats and activists plan to keep pressing Senate Majority Leader Mitch McConnell (R-Ky.) for major election security reforms — even after he endorsed delivering an additional $425 million to state and local election officials.

That money, which was part of a last-minute government funding deal, marks a major turnaround for McConnell, who for months refused to consider any new election security spending and only recently endorsed a far smaller cash infusion of $250 million. 

But it doesn’t include any of the election security mandates that McConnell has long resisted and that cybersecurity experts say are vital, such as paper ballots and post-election audits.

Without those mandates, Democrats worry the Kremlin will still be able to upend the 2020 election by attacking the least-protected voting districts. Those concerns are also hyper-charged as intelligence and law enforcement agencies are already warning that not just Russia but also “China, Iran, and other foreign malicious actors” are all eager to compromise the election. 

“Mitch McConnell refused to agree to safeguards for how this funding is spent, which means state and local governments will continue buying machines with major security problems,” said Sen. Ron Wyden (D-Ore.), who has called for strict security mandates on states. “Until Congress takes steps to secure the entire election system, our democracy will continue to be vulnerable to foreign interference.”

Sen. Mark Warner (D-Va.) applauded the new funding on Twitter, but warned it is “*not* a substitute for passing election security reform legislation that Senate GOP leadership has been blocking all year.”

Some election security advocates, meanwhile, credited McConnell’s shift to a biting campaign that targeted the majority leader personally and during which activists and even House Speaker Nancy Pelosi (D-Calif.) branded him as “Moscow Mitch,” accusing him of being willing to accept Kremlin interference if he thought it would benefit Republicans.

“McConnell and other Republicans were under tremendous pressure to do something, and I don’t think the Moscow Mitch label hurt. I think the criticism clearly stung and was probably very helpful in getting their support for this,” Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, told me. 

“Moscow Mitch felt the pressure,” said Brett Edkins, political director for Stand Up America, which organized hundreds of calls to Senate Republican offices supporting election security funding and bought billboards mocking McConnell outside his Kentucky political offices.

McConnell deeply resented the smears and accused his critics of being part of an “outrage industrial complex” engaged in “modern-day McCarthyism.”

Republicans, meanwhile, were eager to present yesterday’s deal as a responsible compromise that allows states to decide how best to spend their money rather than the federal government. 

The deal also requires a 20-cents-on-the-dollar match by states that receive election security money, which was a key sticking point for Republicans who wanted to “make sure that states know that they need to invest in their own elections,” a person familiar with the negotiations told me.

McConnell hasn’t yet commented on the new funding. 

This is the second round of election security money from Congress, which delivered $380 million to states before the 2018 midterms, bringing the total value of state and federal money to about $900 million. That’s a hefty sum but amounts to less than half of the $2.2 billion needed to fully upgrade the nation’s aging and vulnerable election infrastructure, according to a Brennan Center estimate.

It also comes close enough to the 2020 election that it’s probably too late for many states and localities to use the money to buy new voting machines that will be ready for those elections. Instead, they’re likely to use the money for things that don’t require a complex certification process — such as conducting post-election audits, hiring cybersecurity experts to advise on Election Day and developing plans to respond to hacking if it occurs. 

“It’s fair to say there are probably many states who, if this money had come earlier, would have replaced voting machines and are now going to wait until after 2020,” Norden told me. “But there’s no question this is an important step.”

Some congressional Democrats and many state officials have urged Congress to provide a steady stream of election security funding so officials can keep machines consistently upgraded and respond to evolving threats. 

That said, states won’t look askance at the new money, Iowa Secretary of State Paul Pate (R), president of the National Association of Secretaries of State, told me. 

“A regular, steady stream is more useful to allow for better strategic planning, but I don’t think states are going to complain about receiving funds to help secure and improve elections,” he said. 

Pate also noted the funding is far from a cure-all.

“Election cybersecurity is a race without a finish line,” he said. “The threats are constantly evolving and we have to evolve with them.”

PINGED, PATCHED, PWNED

The Huawei logo. (Hannibal Hanschke/Reuters)

PINGED: A bill the House passed would devote $1 billion to small and rural phone and Internet providers to rip out and replace gear from the Chinese firm Huawei, which White House officials say could help spy for the Chinese government.  

The law would also prohibit telecommunication providers from using federal money to buy new equipment from Huawei and some other providers, mirroring a recent Federal Communications Commission push to ban those companies.

“Companies like Huawei and its affiliates pose a significant threat to America’s commercial and security interests because a lot of communications providers rely heavily on their equipment,” Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-N.J.) and ranking Republican Greg Walden (Ore) wrote in a statement.

The bill also requires communications providers to submit an annual report to the FCC informing the agency whether they purchased rented, leased or used national security-threatening equipment in the past year.

A similar Senate bill would provide just $700 million to replace Huawei gear and hasn’t yet reached a floor vote. 

New Orleans Mayor Latoya Cantrell and Louisiana Gov. John Bel Edwards. (Gerald Herbert/AP)

PATCHED: New Orleans municipal and traffic courts remained closed yesterday after a cyberattack caused the city to declare a state of emergency on Friday. The city detected both phishing attempts and ransomware, but has yet to receive a ransom demand from hackers, city Chief Information Officer Kim LaGrue told reporters.

The city is still working to fully recover a number of systems, but officials said they’d only lost a “minimal” amount of data.

The hack is just the latest in a string of ransomware attacks on American cities, including, recently, the Florida city of Pensacola. The governor of Louisiana, John Bel Edwards, declared a state of emergency in July and again in November after hackers targeted state computer systems.

 WhatsApp logo. (Dado Ruvic/Reuters)

PWNED: Researchers at the cybersecurity firm Check Point are sounding an alarm about a WhatsApp bug that allowed hackers to crash the apps of every member of a group chat by sending a message loaded with malicious computer code. WhatsApp fixed the issue after Check Point researchers notified the company in September, but users still need to update their apps to make sure they’re protected, Check Point said. 

To launch the attacks, hackers would need to surreptitiously join a group chat and then send a seemingly innocuous message that would crash the app. The attack is particularly dangerous because of the prevalence of group chats, which can grow to more than 250 members.  

WhatsApp also added new controls to prevent people from being added to groups without their knowledge, WhatsApp software engineer Ehren Kret said in a statement.

PUBLIC KEY

Swiss energy company BKW’s Muehleberg nuclear power plant. REUTERS/Arnd Wiegmann/File Photo

The Department of Homeland Security’s top cybersecurity leader defended a bill that would give the department increased legal powers to find out the identities of potential hacking victims that could put national security in danger if they were attacked — such as energy plants and telecommunications companies — in an op ed on the blog Lawfare.

Chris Krebs also pushed back against critics who have said it goes too far and could damage companies’ privacy. 

“All our cybersecurity programs and services are completely voluntary,” he wrote. “No one has to work with us, though many in the public and private sectors choose to because they find the information and services we provide beneficial to their organization’s security.”

— More cybersecurity news from the public sector:

PRIVATE KEY

— Cybersecurity news from the private sector:

THE NEW WILD WEST

— Cybersecurity news from abroad: