Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.
The election just ended, but Democrats are already promising that their control of the House of Representatives will bring some serious changes to cybersecurity policy.
Democrats have been critical of the Trump administration’s approach to cybersecurity over the past two years, from the president’s decision to eliminate the job of national cybersecurity coordinator to his inconsistent position on Russian interference in the 2016 elections. They’ve pressed Republicans to make serious improvements in election security, develop a solid deterrence strategy for cyberspace, and more.
When Democrats take control of the House in January, they’ll have more power to shape the agenda in Washington. While cybersecurity is not always the flashiest talking point during an election, lawmakers positioning themselves for potential committee chairmanships in the next Congress are planning to dig deep on cybersecurity issues in the new year.
A spokesman for Rep. Bennie Thompson (Miss.), the top Democrat on the House Homeland Security Committee, said in an email that election security, the lack of cybersecurity leadership from the White House and supply chain security are top-of-mind.
Democrats plan to focus on these issues as part of a larger strategy of “rigorous oversight” of the Trump administration in the next Congress, the spokesman said. As my colleagues Karoun Demirjian, Tom Hamburger and Gabriel Pogrund reported, Democrats are prepared to open multiple investigations against Trump next year — including an examination of the president’s ties to Russia. (President Trump promised “a warlike posture” if that happens and said any efforts to investigate him would jeopardize bipartisan deals.)
Thompson’s spokesman accused Republican lawmakers of doing the bare minimum of oversight to “give cover to the Administration.”
“Congress cannot be a rubberstamp for the Administration,” the spokesman said. “We will focus on our diverse homeland security issues but also on defending and protecting our democracy, the rule of law and also on issues affecting people’s lives.”
We can expect that strategy will play out on the following cybersecurity issues that are sure to emerge in the next Congress:
Democrats have been calling for upgrades to outdated election infrastructure and pushing for a bill that would give states more money to improve aging and insecure systems. We can expect these efforts to continue in the next Congress. In the House, here’s one key player to watch: Rep. Adam B. Schiff (D-Calif.), who is expected to become chairman of the House Intelligence Committee.
As the 2020 election approaches, Schiff will likely intensify previous efforts to improve election security and disinformation.
He’s also been one of the most constant critics of the Republican-led committee’s probe to investigate Russian interference in the 2016 election — and told the Atlantic in an interview published Wednesday that he plans to probe several uncomfortable topics for the Trump administration, including Russia. “The congressman declined to detail the next steps of a possible investigation into Russia’s interference in the 2016 election, but indicated that he sees the work as correcting the failures of the House Intelligence Committee’s earlier Republican-led probe. That inquiry existed alongside investigations by [Robert] Mueller and the Senate Intelligence Committee, and petered out last spring amid partisan acrimony.” The comments in an interview before the election were published the same day that Attorney General Jeff Sessions was fired.
Increased scrutiny of Russia– and the Trump administration’s response — could have broader implications for how the U.S. handles election security moving forward. Schiff has previously been critical of the lack of coordination in the federal government on cybersecurity issues. He’s also called for a real-time communication channel between the Department of Homeland Security and technology companies to identify campaigns on social media tied to Russia, according to a Reuters report.
Democrats and Republicans broadly agree that consumers need a federal privacy law. But the devil may be in the details, and we could see partisan lines emerge on what such a privacy framework should include.
Lawmakers are under the gun to pass a federal privacy law before 2020, when a sweeping California privacy law is set to go into effect. Republicans and technology companies want to preempt that law, which technology companies say was passed too quickly and will be challenging to enforce. Many Democrats also don’t want to see Americans have different privacy rights based on what state they live in, but they have said they will not support a watered-down national privacy bill.
“Democrats have said the bar is high,” said Craig Albright, vice president of legislative strategy for The Software Alliance, a trade group representing technology companies. “We think a federal law doesn’t mean a weak law.”
We can also expect Democrats to leverage hearings to provide more oversight of the tech companies’ privacy practices.
China and other foreign adversaries
Intellectual property theft and securing the supply chain are likely to be important issues for the next Congress. Lawmakers have long cited the risks of doing business with foreign IT companies like ZTE and Huawei, which are tied to the Chinese government.
In recent weeks, the Trump administration has stepped up its efforts to curb Chinese espionage. As we reported last week, the administration introduced a broad new program focused on deterring espionage — in addition to a flurry of sanctions on people and companies the U.S. alleges stole trade secrets from an American company. As Axios has reported, the Trump administration is expected to continue to elevate cybersecurity issues with China to underscore that Russia isn’t the only “bogeyman.”
This could put more pressure on Democrats in the house to address supply chain security. Thompson was among the members of the Homeland Security Committee who sponsored a bill that would give DHS authority to ban contractors that pose cybersecurity risks. That bill passed the House this fall and went to the Senate. But the committee could seek to take broader action on the issue.
It remains to be seen who will lead the Democrats’ supply chain security efforts on the Senate side. Senator Claire McCaskill (D-Mo.) had introduced a bill addressing supply chain security threats with James Lankford (R-Okla). But McCaskill lost her Senate seat on Tuesday to Republican Josh Hawley. McCaskill’s bill would have established a council responsible for evaluating supply chain risks, according to The Hill.
Tune in: The first in a series of Technology 202 live events is today at 9 a.m. Eastern. My colleagues and I will be interviewing top tech executives, White House officials and Rep. Ro Khanna. Sign up to get the livestream.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED, PATCHED, PWNED
PINGED: “The future of the special counsel investigation into Russian interference in the 2016 campaign was thrown into uncertainty Wednesday after President Trump ousted [Sessions], giving a political loyalist oversight of the probe,” The Washington Post’s Rosalind S. Helderman, Matt Zapotosky and Carol D. Leonnig reported. “Trump named as acting attorney general Matthew F. Whitaker, Sessions’s chief of staff, who as a legal commentator last year wrote that special counsel Robert S. Mueller III appeared to be taking his investigation too far. A Justice Department official said Wednesday that Whitaker would assume final decision-making authority over the special counsel probe instead of Deputy Attorney General Rod J. Rosenstein.”
It appears that Mueller has focused his attention on Roger Stone lately, my colleagues reported. “The longtime Trump friend and former adviser is under scrutiny for claims he made in the 2016 campaign that suggested he was in contact with WikiLeaks,” Rosalind, Matt and Carol wrote. “In the final months of the White House race, the group published Democratic emails that prosecutors allege were hacked by Russian military operatives.” Moreover, the special counsel’s team is also awaiting answers from Trump. “By mid-November, the president’s attorneys plan to turn over Trump’s written answers to roughly a dozen questions the special counsel has posed — including the president’s knowledge of the hacked Democratic emails and his advisers’ contacts with Russians during the campaign and transition, according to two people familiar with the decision,” according to my colleagues.
PATCHED: Expect Trump’s claims about Chinese interference in American politics to resurface now that Democrats have claimed the House, Yahoo News reported. “There are clearly potential political benefits for the Trump administration in raising the specter of Chinese meddling, particularly after an election that didn’t go the White House’s way,” wrote Yahoo News’s Bethany Allen-Ebrahimian, Hunter Walker and Jenna McLaughlin. “But there are also legitimate concerns about Beijing’s activities even if most analysts and experts don’t believe China’s actions rise to the level of an election interference campaign.”
Before Tuesday’s election, Trump and Vice President Pence had both claimed that China sought to influence the 2018 midterms but did not provide much evidence to back up such allegations. “Still, there is no question the Chinese government has engaged in a sweeping, long-term strategy to influence the leaders and politics of Western democracies, including the United States,” according to Allen-Ebrahimian, Walker and McLaughlin. “Researchers have uncovered efforts to cultivate relationships with campaign donors, business leaders with political sway, academics and community leaders in order to shape public opinion in Beijing’s favor and to shut out dissidents and other critical voices. There is little public evidence, however, of a broad campaign to interfere in the midterms.”
PWNED: As countless cybersecurity jobs go unfilled, employers seek new ways to attract or train talent to protect their systems, for instance by valuing hands-on experience more or hiring hackers, Paulette Perhach reported in the New York Times. “According to the chief economist for LinkedIn, Guy Berger, there was a shortage as of September of 11,000 people with cybersecurity skills in the San Francisco Bay Area, 5,000 in New York and almost 4,000 in Seattle, the areas with the largest concentration of need,” Perhach wrote. “LinkedIn regularly issues work-force reports based on its analysis of jobs data in the United States. Some major corporations have openly taken to hiring hackers to help protect them.”
Universities and colleges are also altering the way they teach cybersecurity skills to expand the reach of their programs, according to the Times. For example, Perhach wrote that Georgia Weidman, who founded the cybersecurity companies Bulb Security and Shevirah, “is working with the Tulane School of Professional Advancement in New Orleans to build an online class for its Applied Computing Systems & Technology degree program. At New York University, the Center for Cybersecurity has been operating for 20 years and graduates about 50 students annually. But this year, it created an online master’s program to help make the training more affordable in hopes of attracting more people to the field.”
— Trump said his administration will “make a full report” on the integrity of the midterms and complained that federal agencies’ efforts to bolster election security have received little news coverage. “We have been working very hard on China and Russia and everybody else looking into our elections or meddling with our elections,” Trump said during a news conference. “But people tend not to write about it, but we have worked very hard, as you probably heard.”
From Voice of America’s Jeff Seldin:
— Some voting machines had a bad Election Day. “Across the country, reports poured in Tuesday amid heavy voter turnout of equipment failing or malfunctioning, triggering frustration among voters and long lines at polling places,” the Associated Press’s Christina A. Cassidy and Michael Liedtke reported. “Scanners used to record ballots broke down in New York City. Voting machines stalled or stopped working in Detroit. Electronic poll books used to check in voters failed in Georgia. Machines failed to read ballots in Wake County, North Carolina, as officials blamed humidity and lengthy ballots.” Moreover, as Cassidy and Liedtke noted, the “clock is ticking to make upgrades, with the presidential election just two years away. Selecting and buying new voting machines can easily take a year and a half or longer, and that’s assuming a state has money to spend.”
— Seeking to get Americans to pay attention to the threats to U.S. critical infrastructure, the president last week proclaimed that November 2018 is Critical Infrastructure Security and Resilience Month. “The threat to our critical systems is continuous and outpacing our defenses,” Homeland Security Secretary Kirstjen Nielsen said in a statement on Wednesday. “We have already seen attempts by countries such as China, Iran, North Korea, and Russia to use their power in cyberspace to compromise and disrupt our infrastructure, and advance their own interests.”
— More cybersecurity news from the public sector:
A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out.
— “Microsoft wants to work with Congress to establish cybersecurity measures for civilians, the company’s president told CNBC Wednesday,” Chloe Taylor of CNBC reported. “Speaking to CNBC at the 2018 Web Summit in Lisbon, Portugal, Brad Smith said Microsoft wanted to address the ‘fundamental question’ of safeguarding the population against cyber threats — but he said the outcome of the midterm election would not hinder that mission.”
— More cybersecurity news from the private sector:
THE NEW WILD WEST
— “The Mueller-indicted Russian troll farm known as the Internet Research Agency is apparently declaring victory in the U.S. election and warning the ‘citizens of the United States of America’ that ‘your intelligence agencies are powerless,’” the Daily Beast’s Kevin Poulsen reported. The website that featured the message “at first appeared to be a lampoon,” according to the Daily Beast. “But on Tuesday night it posted a previously unseen list of 100 IRA Instagram accounts that Facebook confirmed as authentic,” Poulsen wrote. “It’s still not entirely clear if the website is intended as self-parody, a parody of U.S. perceptions of Russian information operations, or an earnest effort to terrify the American citizenry and cast doubt on the midterm results.”
— More cybersecurity news from abroad:
Was there really a “blue wave” on Election Day?
Trump asks Pence to be his 2020 running mate:
How environmental ballot initiatives fell short in the midterms: