With help from Martin Matishak
Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— At a time when so many election security issues are hotly debated, one aspect of it is so popular that both candidates in West Virginia’s secretary-of-state race want to take credit for it.
— Ransomware accounted for one quarter of the incidents that a leading cybersecurity firm has remediated this year, testifying to the increasing potency of these extortion schemes.
— Meet the first-term Illinois congresswoman who now chairs the House Homeland Security Committee’s cybersecurity subcommittee.
HAPPY MONDAY and welcome to Morning Cybersecurity! Just when your temporary MC host had started to settle into a routine of contemplative nature walks, the weather began turning against him. Is this already the last week with temperatures over 70 in D.C.? Sigh. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
A PARTNERSHIP EVERYONE IS PROUD OF — Mac Warner, West Virginia’s Republican secretary of state, and Natalie Tennant, the Democrat running to unseat him this year, both agree that the Mountain State’s partnership with its National Guard has been crucial to defending its elections from cyber threats. What they don’t agree on is who deserves the credit for that success. Their dispute reflects a bipartisan embrace of the National Guard in state election offices across the country, as officials look for all the help they can get to fend off increasingly aggressive hackers.
Warner said he first asked a National Guard officer to begin briefing him about election security threats shortly after he took office in early 2017, after learning about a suspected Russian breach of an election vendor that served his state. “Even though I didn’t have [a security] clearance, I had somebody … who could get to that classified information,” Warner told POLITICO. “And in fact, he [briefed] me a number of times when we had these attempted penetrations.”
But Warner didn’t launch that partnership. It began in 2016 under Tennant, who was finishing up her second term as secretary and preparing to face Warner in November. Tennant invited the Guard in to conduct a vulnerability assessment of her systems, which produced a series of recommendations. Warner, Tennant said, “has this desire to always say he’s first to do this or first to do that. And it’s like, ‘Wait a minute. I had National Guard members in helping to secure our elections in 2016.’”
The partnership certainly expanded under Warner’s leadership, and in 2018, West Virginia became the first state to appoint a National Guard member as its chief technology officer. Other state election officials have since recruited the help of their Guard units, and the Guard now plays a key role in defending U.S. elections. Warner described this as “another area where West Virginia’s leading the nation.”
As the Guard debate in West Virginia shows, secretaries and their challengers are eager for any opportunity to convince voters that they’re prepared to handle election security challenges. Warner tied his success with the Guard to one of his main résumé items: his 23 years of service in the Army Judge Advocate General’s Corps. “This military training that I’ve had in the past,” he said, “has enabled me to apply that now in the elections arena.” West Virginians will soon decide whether to keep entrusting election security and a myriad of other responsibilities to Warner or bring back his predecessor — and similar debates will shape the outcome of secretary-of-state races all over the country in the years to come.
LEGISLATION, GET YOUR LEGISLATION HERE — A slew of low-profile cyber-related bills are on the House’s calendar this week, with subjects ranging from technology modernization to artificial intelligence. On Tuesday, the House will hold suspension votes on H.R. 360, which would direct the Energy Department to create a cybersecurity testing program for bulk-power equipment; H.R. 359, which would require DOE to pursue a bevy of grid security partnerships; H.R. 8128, which would create a Consumer Product Safety Commission pilot project around artificial intelligence; and H.R. 5760, which would create a cybersecurity R&D program for the energy sector.
The fun doesn’t stop there. On Wednesday, the House will vote on H.R. 5901 (116), which would create “information technology modernization centers of excellence” to speed up federal agencies’ use of cutting-edge solutions such as cloud computing; and H.R. 5823, which would create a state and local cybersecurity grant program.
RANSOM WHERE? EVERYWHERE — Ransomware attacks account for a quarter of all cyber incidents that IBM’s X-Force incident response team has handled this year, the team said in a report published today. And as the technique becomes more popular, hackers are starting to get greedier: the average ransom demand right now is more than $40 million, IBM said, compared to $1,200 a few years ago. The most targeted sectors so far this year have been manufacturing, professional services and government organizations — unsurprising, IBM said, given that they share “a low tolerance for downtime.”
The most common ransomware family in the wild today is Sodinokibi, aka REvil, IBM said. It often factors into breaches that lead to both extortion and stolen data auctions. The Maze ransomware remains popular, too. And in 2020, 6 percent of all ransomware attacks that IBM saw used the EKANS malware, which contains code aimed at industrial control system equipment.
MOVING UP IN THE WORLD — Rep. Lauren Underwood (D-Ill.) on Friday was appointed to lead the House Homeland Security Committee’s cybersecurity subpanel. “From persistent attempts by foreign adversaries to influence our elections to growing cybersecurity threats amidst the ongoing Covid 19 pandemic, our country faces unprecedented threats and it is critical we have the leadership in place to tackle these growing challenges,” House Homeland Chair Bennie Thompson (D-Miss.) said in a statement. He said Underwood, who previously served as the full committee’s vice chair, “is ready to confront the multifaceted issues facing our nation.”
Last year, the freshman lawmaker hosted the panel in Illinois for a field hearing on election security to examine the steps the state took after Russian hackers infiltrated its voter registration database during the 2016 election. In a statement, Underwood said she looks forward to “advancing legislation that makes us safer,” including bills aimed at “securing our elections against foreign interference and cyberattacks.” “With the 2020 election currently underway across Illinois and the country,” she said, “this committee’s work is more critical than ever before.”
YOU’RE OUR ONLY HOPE — A bipartisan, bicameral foursome introduced legislation on Friday to deliver badly needed cybersecurity assistance to local governments, nonprofit groups and small businesses, some of the entities hardest-hit by ransomware and other digital attacks. The Improving Cybersecurity of Small Organizations Act would task CISA with issuing best-practices guidance to these organizations and the Commerce Department with advising Congress on how to incentivize better cyber protections. The SBA would have to both promote CISA’s guidance and produce biennial reports on the small business cybersecurity landscape. The House sponsors are Reps. Anna Eshoo (D-Calif.) and John Katko (R-N.Y.) and the Senate sponsors are Sens. Jacky Rosen (D-Nev.) and John Cornyn (R-Texas).
WITH GREAT POWER… — October, the month famous for seismic news that alters the course of presidential elections, is three days away. From an election security perspective, it’s probably the best time for a foreign power to release damaging information stolen during a cyberattack. As such, journalists everywhere are steeling themselves for this possibility and debating how best to cover it if it happens. On Friday, Washington Post executive editor Marty Baron sent his reporters a list of principles for reporting on hack-and-leak operations, and other newsrooms are likely to embrace similar guidelines.
Baron’s rules include emphasizing deliberation over speed in conversations about whether the material is worth covering; resisting the urge to write about something just because politicians are talking about it; providing context, including about the origins of the material and the motivations of its publishers; and limiting direct links to the material so as not to appear to validate potential misinformation.
As Ellen Nakashima, the Post reporter who broke news of the Democratic National Convention hack in 2016, pointed out, the leaked material is rarely as newsworthy as the fact that a foreign government stole and leaked it.
TWEET OF THE WEEKEND — Amen!
PEOPLE ON THE MOVE:
— The Office of the Director of National Intelligence named Lora Shiao as its new chief operating officer.
— TechNet has named DoorDash CEO Tony Xu to its executive council and added Duolingo and Getaround to its membership. The trade group also reappointed Mike Gregoire, Terry Howerton and Ed Knight to its executive council.
— The New York Times: With the election approaching, ransomware looms as a threat.
— Time explores how Signal became the default secure messenger for everyone from protesters to Trump administration officials.
— CyberScoop looks at the tech talent available to Israel and the United Arab Emirates, which are partnering to combat cyberattacks.
— Inside Cybersecurity: The Pentagon will require contractors to self-assess their compliance with a new cybersecurity certification program.
— Bleeping Computer: Twitter has told developers that a data leak may have exposed their app keys and other sensitive information.
— The Energy Department awarded a $6 million cybersecurity grant to the National Rural Electric Cooperative Association.
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Heidi Vogt ([email protected], @heidivogt).
