With help from Eric Geller, Mary Lee and Martin Matishak
Editor's Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro's comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.
— Election Assistance Commission Republicans gave their perspective on a vote on retaining the panel’s controversial executive director, and he offered his own, too.
— The House Homeland Security Committee today marks up a bill that might lend muscle to state and local governments under a ransomware siege.
— The House Judiciary Committee had a wild election security hearing but it may have offered insights into key agency budgets and breach notification.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! NBA season starts, World Series starts. Nothing else matters. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
WHAT MORE COULD YOU ASK FOR? — Republican EAC members issued detailed defenses of their embattled executive director after the four commissioners failed to reappoint him last month, according to a recently published record of the vote. Brian Newby “turned this agency around from near death and has led the staff to produce excellent work,” Chairwoman Christy McCormick wrote as she cast her vote to give Newby a second term. McCormick attached a lengthy bulleted list of Newby’s accomplishments and said that the controversy surrounding him was “baseless” and “purely political.” The Sunflower State Journal, a news organization in Newby’s home state of Kansas, published the vote documents on Saturday.
Commissioner Donald Palmer, the other Republican, attached nearly the same list in support of Newby. But because the two Democratic commissioners voted against reappointing Newby, his term ended on Tuesday. The records of the vote also show McCormick harshly criticizing general counsel Cliff Tatum, a Democrat whose reappointment was packaged with Newby’s and thus also failed. Tatum “provided incorrect advice during Congressional hearings,” she wrote, “leading to media criticism” — an apparent reference to McCormick’s false testimony to lawmakers that EAC guidelines banned internet connectivity in voting machines.
Newby, like McCormick, dismissed criticism of his tenure as politically motivated, telling the Sunflower State Journal that congressional Democrats developed “a clear plan” to oust him. “I underestimated how political D.C. is,” he said. “I thought if I was successful in not having the agency shut down, then I would have demonstrated my value and I would be renewed.”
CONTINUOUSLY DIAGNOSE AND MITIGATE THIS — One of the handful of federal government ideas out there to help state and local governments defend themselves against ransomware attacks gets House Homeland Security Committee consideration today. The legislation (H.R. 4237) would make tools used in the DHS Continuous Diagnostics and Mitigation program available to state and local governments. The CDM program is one of the signature DHS cyber initiatives for protecting other federal agencies.
Other provisions of the bill, sponsored by Rep. John Ratcliffe (R-Texas), would codify existing elements of CDM and order a strategy for the program to counter evolving cyber threats. Also today, the Homeland Security panel marks up a draft online extremism bill.
WHAT DID WE LEARN? — While a House Judiciary Committee election security hearing on Tuesday took a partisan turn for the GOP, Democrats pressed agency officials to say whether they had enough money to protect elections. EAC Commissioner Ben Hovland readily answered that EAC “absolutely does not,” saying his agency’s nearly $8 million budget is less than Kansas City spends to repair potholes annually. “I would note that if we were a Major League Baseball player, we would be the 173rd highest paid player,” Hovland said. “We would be a middle reliever.”
Matt Masterson, senior cybersecurity adviser at DHS, said the proposed Trump administration fiscal 2020 budget cuts for the Cybersecurity and Infrastructure Security Agency would still leave the agency with enough money to maintain the support for state and local election officials that it has built over the past couple years. However, Masterson and Nikki Floris, deputy assistant director for counterterrorism at the FBI, said more resources would equal more capabilities.
On another topic, Adam Hickey, deputy assistant attorney general for the DOJ National Security Division, told the panel it was up to state officials to decide when to publicly disclose threats to their election infrastructure. But, Hickey said, “the FBI is currently reviewing guidance on how to handle victim notification in the context of elections.”
LET’S GIVE IT ANOTHER GO — Republican senators objected to dual attempts by Democratic Sens. Amy Klobuchar and Dick Durbin to bring up election security legislation — S.1356 and S.1540, respectively — on the Senate floor on Tuesday. Republican Sen. John Kennedy, who blocked Durbin’s motion, contended the bill has “more red flags than the Chinese embassy,” and expounded on his grievances against the measure, including its $1 billion price tag.
“To say we can't afford to protect the integrity of our vote, then what is a democracy worth?” asked Durbin, the Senate Minority Whip. “I happen to think a billion dollars is more realistic in terms of helping our voting system across this country,” he said. “Shame on us if the result of a presidential election is later found to have been tampered with by our enemies overseas.” Democrats are expected to continue bringing up election security measures this week on the Senate floor. But those efforts are not expected to advance as Senate leadership has questioned whether additional legislation is needed.
IF AT FIRST YOU DON’T IoT — Sen. Ed Markey (D-Mass.) and Rep. Ted Lieu (D-Calif.) on Tuesday re-introduced legislation that would create a voluntary cybersecurity certification program for IoT devices. The Cyber Shield Act would establish a panel of digital security experts from industry, academia and consumer groups that would set cybersecurity benchmarks for smart devices, including cell phones and laptops. Manufacturers could then voluntarily certify if the product meets those security goals and tout that achievement to the public with a “Cyber Shield” label. Markey and Lieu originally proposed the bill in 2017 but it never received a vote in either chamber.
TWEET OF THE DAY — Marvel: “‘Infinity War’ is the most ambitious crossover event in history.” Us: [shares this link]
RECENTLY ON PRO CYBERSECURITY — Members of the Senate Banking Committee raised concerns about security safeguards in an SEC market surveillance tool. … “President Donald Trump’s obsession with former CIA Director John Brennan could be on a collision course with an ongoing Justice Department probe as Attorney General William Barr takes a more hands-on approach to examining the intelligence community’s actions in 2016.” … Facebook CEO Mark Zuckerberg will tell lawmakers today he’s willing to delay his digital currency. … German Chancellor Angela Merkel is facing pressure to ban Huawei from the country’s 5G network.
— Former Virginia Gov. Terry McAuliffe, who emphasized cybersecurity as chairman of the National Governors Association, is joining Hunton Andrews Kurth as global strategy adviser at the law firm's privacy and cybersecurity think tank, the Centre for Information Policy Leadership.
— BlackBerry Cylance Vice President John McClurg will be promoted next week to chief information security officer, and Christopher Hummel, BlackBerry vice president of IT and business application solutions, to chief information officer.
— Runa Sandvik said Tuesday her position of senior director for information security at The New York Times had been eliminated, drawing jeers on Twitter.
— “China’s state-sponsored hackers have drastically changed how they operate over the last three years, substituting selectivity for what had been a scattershot approach to their targets and showing a new determination by Beijing to push its surveillance state beyond its borders.” The New York Times
— Cyber Command mysteriously backed away from its latest plan to call out North Korean hackers. CyberScoop
— StateScoop has a ransomware map.
— Czech officials said they took down a Russian cyber espionage network. ZDNet
— Yikes on this encrypted drug trafficker phone company. Motherboard
That’s all for today.
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Mary Lee (firstname.lastname@example.org, @maryjylee); Martin Matishak (email@example.com, @martinmatishak); and Tim Starks (firstname.lastname@example.org, @timstarks).