The Cybersecurity 202: A top official urged Congress to guarantee election security funding

“The nature of cybersecurity threats, the ongoing nature of those threats and the fact that it is a national security issue means there’s real value to having a piece of federal funding that is dependable that can be planned around,” EAC Chairman Benjamin Hovland told members of the House Appropriations Subcommittee on Financial Services and General Government.

The hearing comes as a Democrat-led Congress tees up a new round of efforts to improve election security in the aftermath of a fiercely disputed 2020 election. 

Democrats have made passing a sweeping elections package a priority now that they control the Senate. The package includes permanently authorizing the EAC’s budget as well as new requirements for states to update their voter registration systems and additional funding to make upgrades possible. 

“The fact these dedicated election officials were able to achieve this feat amid a global pandemic is even more remarkable. However, now is not the time to proclaim “mission accomplished,” said subcommittee Chair Mike Quigley (D-Ill.). “The threats to our democracy are constant and ever evolving. Our enemies will not be taking a break, so neither can we.”

That includes combating election fraud claims that overshadowed the “herculean” efforts of election officials during the coronavirus pandemic, Hovland says. With adequate resources, the commission could “establish a one-stop shop for voter information, for fact-checking,” he said.

Hovland told lawmakers consistent funding for the agency is essential to avoiding a repeat of the problems that plagued the commission between 2010 and 2019, when its funding was halved. During that time, essential projects including new voting machine security guidelines were delayed. The agency has slowly rebounded with significant increased in funding for fiscal years 2020 and 2021, doubling its staff and creating new programs including a new cybersecurity training program for election officials.

Lawmakers included $400 million in the March 2020 pandemic relief package after Republicans failed to sign on to a larger funding package or federal requirements for state election security. The EAC was able to allocate some of the money to help states upgrade their systems ahead of the election. But states will be looking to do a lot more before 2022.

Some states are in the process of modernizing infrastructure such as voting roll systems, which they deemed too risky to alter during an election year, Hovland noted. A consistent source of funding would allow states to prioritize such improvements before they become a serious source of concern.

Despite the last-minute infusion of funding into election security in 2020, historically sporadic investments by Congress into election security have left states wary of what kind of federal assistance they will get before the next election, Hovland said.

“I know a lot of states wonder is this the end of federal money? Do I need to hold on to this?” he said.

Some outside groups also want to see more funding for the EAC.

A new report from the nonpartisan nonprofit Center for Democracy and Technology also calls for increased funding for the commission as part of election cybersecurity improvements. The report comes a week after the EAC approved a new set of certification standards for voting machines. 

Consistently funding the EAC would allow the commission to expand its scope to certifying the security election infrastructure beyond voting machines to voter registration systems and e-poll books, the report suggests.

BSA, The Software Alliance, is urging the Biden administration and Congress to work together with the tech industry to create a way for information about supply-chain threats to be shared.

The group, whose members include Intel, Microsoft and Oracle, also wants the Biden administration not to strong-arm allies grappling with decisions about how to handle technology that could pose a national security risk. It criticized “overly blunt” Trump administration supply-chain policies, including a campaign to pressure allies to ban Huawei. The report said they were “challenging or impractical to implement, harmful and confusing to U.S. industry, and all without ultimately advancing any real supply chain security.”

Jones Day, which had extensive ties to Trump’s administration, said hackers accessed the files by exploiting a breach of file transfer company Accellion that the firm used, the Wall Street Journal’s Tawnell D. Hobbs and Sara Randazzo report. But the hacker claiming credit for the attack said they hacked the firm’s servers directly.

It’s unclear how many or which Jones Day clients were affected by the breach. The firm served as the Trump campaign’s outside counsel in 2016 and 2020. The firm also represents Google and Chinese tech giant Huawei. 

It comes just weeks after another major law firm, Goodwin Procter, said it was hacked as a result of the Accellion cyberattack.

Nitin Natarajan is joining the Cybersecurity and Infrastructure Security Agency, or CISA, as its No. 2 official, Politico’s Eric Geller reports. As deputy director, he’ll be responsible for CISA’s day-to-day operations. Natarajan worked in former president Barack Obama’s National Security Council as its critical infrastructure policy director.

Meanwhile, Tim Maurer, the director of the Carnegie Endowment for International Peace’s Cyber Policy Initiative, has been named Secretary of Homeland Security Alejandro Mayorkas’s senior cybersecurity counselor, CyberScoop’s Tim Starks reports. 

The moves come as CISA and the Department of Homeland Security work to staff up critical cyber positions in the wake of the attack on SolarWinds and other software. Rob Silvers, Biden’s reported pick to lead CISA, has not yet been formally nominated.

The chances that companies could get hit by “vendor email compromise attacks” like the one that Russian hackers conducted in the SolarWinds attack increased by more than 80 percent between the third quarter of 2020 and January, researchers from Abnormal Security found. 

Once hackers exploit a vendor, they can use its systems to send clients fraudulent messages that may phish for credentials.

The attacks have serious consequences, as the fallout on the attack against SolarWinds shows. The highest potential cost to an organization identified by Abnormal Security topped out at $1.6 million.

The United Kingdom’s law enforcement agency accused a member of the Chuckling Squad of hacking Sandler, the Metropolitan Police, DJ Chantel Jeffries and stealing $1 million in cryptocurrency, Motherboard’s Joseph Cox reports. The group affiliations of the hackers, who authorities last week said had been arrested after being suspected of deactivating cellphone SIM cards so phone numbers could be transferred to them, were not previously known. 

Congress got some new intelligence and cybersecurity leadership:

• Rep. Stephanie Murphy (D-Fla.), a former national security specialist at the Department of Defense, will be the vice chair of the House Armed Services Committee’s intelligence and special operations panel. Rep. Ruben Gallego (D-Ariz.), a Marine Corps veteran, will lead the panel.
• Sen. Joe Manchin III (D-W.Va.) will lead the Senate Armed Services Committee’s cybersecurity panel.

• The Cyber Threat Alliance hosts a virtual event featuring former National Security Council cybersecurity coordinator Michael Daniel, Fortinet CEO Ken Xie, Palo Alto Networks vice chairman Mark McLaughlin and Microsoft executive vice president Christopher Young today at noon.
• Former DARPA director Victoria Coleman, former acting deputy defense secretary Christine Fox and American Enterprise Institute resident fellow Klon Kitchen testify at a House Armed Services Committee cyber panel hearing on Feb. 23 at 11 a.m.