With help from Mary Lee and Martin Matishak
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m.
— A DHS official shed more light on the department’s communications with the Iowa Democratic Party over testing a vote-counting app that misfired in this week’s caucuses.
— A Senate panel report on the Obama administration’s handling of 2016 Russian election interference received, shall we say… differing reactions from Democrats and Republicans.
— The vice chairman of the House Science Committee proposed electricity grid security legislation this week that gives DOE a list of tasks.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Is it a chilling meow, or a cute one? Maybe both? Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
ABOUT THAT DHS SHADOW APP CONSULT — A DHS official spoke with MC on Thursday about what exactly the department offered to the Iowa Democratic Party regarding its caucus vote-tabulating app, an issue that has generated some back-and-forth after the messy result reporting this week. To recap: Acting Secretary Chad Wolf said DHS had offered to have CISA test the Shadow Inc. app “from a hacking perspective,” but the party “declined.” Iowa Democratic Party Chairman Troy Price said, “We have no knowledge of DHS making that offer to us.”
The DHS official told MC that CISA approached Iowa Democrats via the DNC sometime in the fall of 2019. The approach was typical of how CISA approaches other political entities and state and local officials; it informs them of the various resources it offers and lets them choose, the DHS official said. The Iowa Democratic Party told DHS it thought that CISA could be of the greatest assistance by supporting a tabletop exercise via the Harvard University Belfer Center, home of the Defending Digital Democracy initiative. The app figured into that exercise, including crisis communications planning should the app fail to work due to some malicious attack. (The official would not comment on whom, specifically, DHS spoke to at the Iowa Democratic Party.)
“It’s not like they flat out said, ‘We don’t want this,’” the DHS official said of the offer to vet the app. Rather, the Iowa Democratic Party answered that it thought “the tabletop exercise would help us the most.” It wouldn’t be fair to say DHS had any concerns about the app because they hadn’t seen it, the official said. And although the Iowa caucuses have been broadly panned as a debacle, the DHS official saw a silver lining. “In the end, of the many lessons we can take and apply, the fact that they had resilience and a transparent process with paper records, that was really critical,” the official said. Given the lack of evidence of any hack, the official said, “there doesn’t appear to be any reason or need” for further DHS investigation.
The DHS official spoke to MC the same day that top GOP House committee leaders criticized Shadow for “choosing not to test” the app pre-rollout. The Government Accountability Office also faulted CISA for “urgently needed” election security plans not yet in place for the 2020 elections.
EPISODE III: REVENGE OF THE HINDSIGHT — The Senate Intelligence Committee on Thursday issued chapter three of its five-part report on Russia’s interference in the 2016 election. The latest installment focused exclusively on the Obama administration’s response to the digital assault and found that in addition to being flat-footed, officials were paralyzed by interagency and partisan concerns. “Frozen by ‘paralysis of analysis,’ hamstrung by constraints both real and perceived, Obama officials debated courses of action without truly taking one,” Intelligence Chairman Richard Burr (R-N.C.) said in a statement.
Former White House cyber coordinator Michael Daniel, who’s mentioned in the examination, said the report “makes a valuable contribution to the public record of events” from 2016. “The work the federal government did with State and local officials, the resources we marshaled within the federal government, and the direct engagement we had with Russia expressing our concerns contributed to the election proceeding without widespread disruption,” Daniel, the president and CEO of the Cyber Threat Alliance, said in a statement.
The report also sparked partisan recriminations. The Obama administration’s “delayed and ineffective response — combined with other missed opportunities — enabled further Russian aggression. Our report highlights the risks not only of failing to heed intelligence warnings, but also of accommodating authoritarians like Vladimir Putin,” GOP Sens. Marco Rubio (Fla.), Tom Cotton (Ark.), John Cornyn (Texas), Ben Sasse (Neb.) and Jim Risch (Idaho), all Intelligence panel members, said in a statement. Meanwhile, House Homeland Security Democrats tweeted that Republicans “have viewed election security with a partisan lens since 2016.”
In addition to a policy autopsy, the report contained recommendations to protect U.S. elections in the future, including setting “cyber norms” — a suggestion seized on by Rep. Jim Himes (D-Conn.), who sent a letter to Secretary of State Mike Pompeo urging him to “promote U.S. leadership in establishing comprehensive international [principles] of conduct in cyberspace.” Daniel made additional election security recommendations, such as Congress establishing a “dedicated, sustained funding source that States can draw on to improve the cybersecurity of their electoral infrastructure.”
ROUNDS AND ROUNDS — Sen. Mike Rounds (R-S.D.), who serves as chairman of the Senate Armed Services Cybersecurity Subcommittee, announced on Thursday that he will seek reelection in 2020. Rounds isn’t expected to have much trouble winning, but he does face challengers from both the left and right. Cybersecurity doesn’t figure much into his pitch to voters, although it does get some emphasis on his official site.
LET’S NOT HACK THE GRID — Rep. Ami Bera (D-Calif.) introduced a measure (H.R. 5760) this week that would direct the Energy secretary to carry out a research, development and demonstration program to safeguard the energy grid from cyber and physical attacks. It would direct the secretary to award grants to identify cybersecurity risks to information systems affecting the energy sectors; create ways to quickly identify cyberattacks; assess emerging cybersecurity capabilities that could be applied to energy systems; develop technologies that integrate cybersecurity features into the design of grid technologies; and create technologies that slash the cost of implementing effective cybersecurity technologies.
“The cybersecurity landscape is constantly evolving, with attacks on the grid becoming more frequent and more severe,” Bera told POLITICO. “We need a sustained investment in research and technologies to keep pace with rapidly evolving shifts,” he said. The bill would also direct the secretary to collaborate with the NIST director and other relevant agencies to establish consensus-based best practices to improve cybersecurity for emerging energy technologies. It would authorize over $800 million throughout fiscal years 2021 and fiscal 2025 to carry out the provisions in the measure.
APP NAMES THESE DAYS — Sen. Ron Wyden (D-Ore.) cautioned his state against using mobile voting apps and other forms of internet voting on Thursday, three days after the Iowa debacle. Oregon is exploring use of the Voatz app — piloted in several states thus far — in 2020 elections for overseas and military voters. Election security experts have criticized the idea of mobile internet voting as a hacking risk. Additionally, Wyden observed, Oregon is one of 24 states that permit military and overseas voters to submit ballots via email. “Continuing to permit the use of internet voting — against the advice of cybersecurity experts — is simply asking for trouble,” Wyden wrote in a letter to Secretary of State Bev Clarno.
TWEET OF THE DAY — O, Canada. We see thee rising fair, dear land.
RECENTLY ON PRO CYBERSECURITY — The Treasury Department said money launderers and other criminals turning to cryptocurrency is a growing concern for law enforcement. … Florida state lawmakers are advancing legislation to offer election tech upgrades for recounts. … Canada’s privacy watchdog asked a Federal Court judge to rule that Facebook broke national privacy laws.
— Financial Times: President Donald Trump laced into Boris Johnson over the U.K. decision on 5G and China.
— The New York Times: Attorney General William Barr said China winning control of 5G poses an economic and national security threat.
— CyberScoop: Barr and a deputy predicted U.S. indictments over Chinese hacking in the near future.
— NBC News: 4chan trolls disrupted the Iowa caucuses results reporting hotline.
— The Washington Post went behind the scenes on the NSA’s disclosure of a major Windows bug.
— The Atlantic: “The billion-dollar disinformation campaign to reelect the president.”
— Bloomberg Law: A judge ordered the release of a man accused of child pornography crimes who’s been in jail in a dispute over disclosing his passwords.
— Google is taking steps to make sure that Chrome pages only download secure files.
— CyberScoop: “China-linked hackers have targeted Malaysian government, officials warn.”
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee); Martin Matishak (email@example.com, @martinmatishak); and Tim Starks (firstname.lastname@example.org, @timstarks).