SOURCE: Dan Yorke State of Mind (10/17)
By Alex Kuffner
NARRAGANSETT, R.I. — The former head of oceanography and meteorology for the Navy argued for more funding for research to understand the impact of climate change while delivering the keynote speech at a science symposium at the University of Rhode Island on Tuesday.
“It’s not just science at stake. It’s our survival,” Rear Admiral (Ret.) Jonathan White said to hundreds of people at the event at the Graduate School of Oceanography campus in Narragansett.
White is president and CEO of the Consortium for Ocean Leadership, a Washington, D.C.-based group that advocates for ocean research, education and policy. His name was mentioned last year in connection with the top position at the National Oceanic and Atmospheric Administration, but President Donald Trump instead nominated AccuWeather CEO Barry Myers.
Standing in front of images of the destruction wrought last week by Hurricane Michael at Tyndall Air Force Base, in Florida, and flooding around Naval Station Norfolk, in Virginia, he said that climate change is a threat to coastal military installations and, in a larger sense, to national security overall.
“Our military, the more and more they have to deal with infrastructure and the effects of climate change, whether it’s helping others or trying to get in and out of our bases, the less ready they are going to be to go on missions … all over the world,” he said.
It was a point that was also raised by U.S. Rep. James R. Langevin, who has pushed for an assessment of the military’s vulnerabilities to climate change.
“The dangers to national security are real and we must support the researchers who improve our understanding of the threat and ways to mitigate it,” he said.
The symposium’s focus was not just on security issues but on the effects of sea-level rise, more powerful storms and increased rainfall on coastal communities in general.
By Derek Hawkins
A slight majority of digital security experts surveyed by The Cybersecurity 202 say the United States should follow in the European Union’s footsteps and pass a law that requires companies to disclose data breaches quickly.
Europe’s General Data Protection Regulation requires companies with customers in the E.U. to notify regulators of a breach within 72 hours or face a severe penalty. Fifty-four percent of experts we surveyed supported a similar law in the U.S. The Network is our panel of more than 100 cybersecurity leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (Some were granted anonymity in exchange for their participation.)
Some experts said they favored federal legislation because it would help replace the patchwork of state laws that govern data breach notification in the United States. “Today, companies in the United States are required to comply with 50 different state laws when they suffer a data breach affecting personally identifiable information they control,” said Rep. Jim Langevin (D-R.I.), who has introduced legislation to create a national breach notification standard. “This is bad for business and bad for consumers, who are treated differently depending on where they live.”
“Europe now plays by one set of rules, while the United States plays by over 40,” added Jeff Moss, who founded the Def Con and Black Hat hacking conferences. “This is a costly, confusing and at times contradictory mess that only a national breach notification law can resolve.”
The issue has been in the spotlight in recent weeks. In late September, Facebook reported that hackers stole information that could have allowed them to take over tens of millions of accounts. After learning of the breach, Facebook disclosed it within 72 hours even though the company did not have all the information about the breach. Google took a different approach. The search giant learned that a software bug exposed data on half a million accounts on its social media service Google+ in March but did not disclose it until this month — and was criticized for not being transparent.
Survey respondents disagreed on how much time companies should be given to disclose their breaches. Langevin’s bill, for instance, would offer companies more leeway than GDPR. Instead of three days, they’d have 10 days to notify regulators after discovering a breach, and 30 days to notify consumers. “These timelines allow flexibility for companies to determine the scope of a breach while ensuring prompt notification so people can protect themselves,” he said.
There are competing bills on Capitol Hill, though: Legislation introduced by Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) would mirror GDPR, requiring companies to disclose a breach within 72 hours of discovering it.
And other experts said 72 hours would be the right time frame. Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, said that window would help the victims of a data breach take quick action to protect themselves from attackers who seek to misuse their information. “Attackers want to monetize the private data the companies store,” he said. “People have a right to know and protect themselves from subsequent attacks using this data, whether it is phishing or fraud. Having a standard like 72 hours will help all companies being on a level playing field and build processes to respond in a timely way.”
Harley Geiger, director of public policy at the cybersecurity firm Rapid7, agreed — provided that the countdown begins “when the company concludes a breach has occurred, not on discovery that an incident or attack occurred.”
“The company will need time to identify and investigate the incident, determine whether data was accessed or exfiltrated, and conclude based on the evidence that a breach has actually occurred,” Geiger said. “Reporting ‘a breach’ to regulators or the public prior to that process can be counterproductive for all sides, including consumers.”
The hack disclosed by Facebook late last month illustrates the complications of reporting a breach early. While Facebook took just three days to notify privacy regulators and the public that hackers may have compromised up to 50 million user accounts, the social media giant had only just begun to investigate the incident at the time of the announcement, and Facebook officials weren’t able to offer users a clear picture of the risks. In an update Friday, Facebook revealed that the hack affected about 20 million fewer users than it previously estimated — but that hackers had stolen more sensitive information than the company initially indicated, including search histories and location data.
Mark Weatherford, a former cybersecurity official in the Department of Homeland Security, supports a breach notification law but cautioned that figuring out the scope of an incident is complex and time-consuming work. “While there needs to be a trigger that starts the process, reporting too soon leads to mistakes, revisions and recriminations that might be avoided by waiting until enough information is gathered,” he said.
Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative, said a U.S. breach notification law should be coupled with measures that provide recourse to breach victims and impose consequences on companies. “Timely notification is important. But without some guidance on what regulators — and victims — should do, it feels somewhat toothless,” she said. “They should specifically address the needs of breach victims and establish some sense of corporate responsibility.”
Yet 46 percent of respondents said the United States shouldn’t impose a breach notification standard similar to the one in Europe.
“Unfortunately, GDPR does not take into account the reality of incident response and will lead to multinational companies disclosing breaches before they can provide accurate information or even be sure their attacker has been flushed from their network,” said Alex Stamos, Facebook’s former chief security officer who is now an adjunct professor at Stanford University. “Any U.S. law should balance promoting speedy disclosure with accurate disclosure.”
Jessy Irwin, head of security at Tendermint, agreed. “Being required to report a breach so early in the investigative process, when new facts emerge and information changes rapidly, will cause much more harm than it prevents on all fronts, especially if reporting has the potential to compromise an organization’s ability to effectively coordinate with law enforcement,” she said. “This kind of instant-gratification breach reporting legislation sets up smaller teams with fewer resources for major, major failure.”
There isn’t a one-size-fits-all solution, some experts argued. “Timing isn’t always the most important part of transparency,” said Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “And — as most people in the business know — 72 hours isn’t enough time to unravel what has really happened in even a moderately complex breach. The intention behind the law may be good, but this provision is just not sensible.”
Giving companies flexibility is reasonable, as long as they’re acting in the interest of the breach victims, said Cindy Cohn, executive director of the Electronic Frontier Foundation. “While we have been concerned about companies sitting on this bad news, there are also legitimate reasons for delay, like when either the company or law enforcement is trying to identify and catch the perpetrators or when important facts about the situation (how many people are impacted) are still unclear,” she said. “Fiduciary responsibility framing can help give some clarity here; the company must act in the interest of those whose data is impacted, not its own here.”
There could be risks to consumers, too. Some experts worried that a 72-hour timeline could wind up overwhelming users with unnecessary notifications that their information was compromised just to meet the standard. “The deadline is going to produce a lot of half-baked breach reports and lead to ‘breach notice fatigue,’ ” said Stewart Baker, former general counsel of the National Security Agency.
SOURCE: Providence Journal Editorial
PROVIDENCE, R.I. — Rhode Island benefits from experienced, hardworking leadership in Washington. For that reason, we encourage our readers to vote to re-elect U.S. Representatives David Cicilline and James Langevin. As Democrats, they could become more powerful after January, if pollsters’ predictions hold true and control of the U.S. House flips to their party.
Representative Langevin, who serves Rhode Island’s Second District, sits on the House’s Homeland Security and Armed Services committees. Far from being content to serve as a partisan back-bencher, he has been a strong and assertive voice on defense and security matters. He supports internet privacy protections and wants to harden cyberprotections for the critical infrastructure of Rhode Island and the country.
He has correctly identified weaknesses in America’s cyberdefenses, even as cyberspace is increasingly a battlefield for nation-states, terrorists and criminals. He has demonstrated a grasp of the havoc that could follow a widespread, malicious attack, and consistently advocated for greater cooperation among the interdependent public and private sectors.
Mr. Langevin also has advocated for broader and deeper health care services for all, especially the disabled. As a paraplegic, he provides a unique and personal perspective on issues ranging from stem-cell research to study of the most effective ways for people to undergo rehabilitation after becoming paralyzed.
He is popular, too, with Rhode Islanders, enjoying sizable electoral majorities after successful stints as a state representative and Secretary of State.
Representative Langevin is opposed by military veteran and Republican Sal Caiozzo, who is an advocate for veterans harmed by toxins while serving. Mr. Langevin’s experience and willingness to reach across the aisle suggest he is the better choice.
In the First Congressional District, which includes Providence and Newport, former Providence Mayor Cicilline enjoys a huge party registration advantage over Republican challenger Patrick Donovan and should coast to victory.
Mr. Cicilline has been an advocate for trying to limit the spread of guns in America. He has aggressively pushed for expanded background checks for gun purchasers and a ban on assault weapons.
In Washington, Mr. Cicilline’s articulate tongue has served him well. He has been willing to appear on conservative TV programs, making the case for his party’s values and helping to bridge the yawning partisan chasm in the nation’s capital. He has also spoken out for manufacturing in America. And he has been a champion of newspapers and a free press.
Mr. Cicilline could well be leadership material. A respected member of the Congressional Progressive Caucus, he is competing for the new elected position of assistant majority leader. Little Rhode Island can use all the power it can get in Washington.
We believe Rhode Island voters would be well-served by returning its incumbent U.S. House members to office.
SOURCE: CyberScoop 2018 Leet List
As a co-founder of the Congressional Cybersecurity Caucus, Rep. Jim Langevin has helped shape the policy debate on Capitol Hill on issues ranging from federal bug bounty programs to information sharing. The Rhode Island Democrat talks about what galvanized his interest in cybersecurity and his hopes for bipartisanship on the issue, among other topics.
CyberScoop: What sparked your sustained focus on cybersecurity?
Rep. Jim Langevin: A lot changed for me the day a couple of scientists from Idaho National Lab came and gave me a briefing on the Aurora threat [in 2007].
In the SCIF, we saw the video of the generator blowing itself up. They described to me how it could be done. It’s, at first, hard to get your arms around, but then as they further explained, this could affect not only just one generator but several, and not only just one power generation facility, [but] potentially it could shut down a whole sector of the country’s electric grid as a result of a SCADA attack. And that was very alarming.
CS: That was 2007. More than 10 years later, we hear the word “cyber” more on Capitol Hill, for better or for worse. How have your fellow lawmakers improved in paying attention to and talking about cybersecurity, and how do they still need to get better?
JL: Members of Congress have become more aware of the problem in the same way that the American people have become more aware of the problem, in many cases because of the high-profile cyber-intrusions or events that have occurred.
We’ve been at this for a long time. I’d love to say that it is because of the work that I did, or that we did together, to raise awareness. That was a part of it, of course, but unfortunately, most of it is because of the large number of cyber-intrusions and threats that the country has faced, the personal and private information that’s been stolen and compromised, the theft of intellectual property, and the list goes on and on.
CS: Do you find yourself being an educator with fellow lawmakers on cybersecurity? Do other members heed the advice of colleagues who have been paying attention to the subject longer?
JL: There are different times that a bill that I have sponsored or co-sponsored, and it’s come up for a vote, that I have members say they voted for the measure because they have a lot of respect for me on this topic and they know that I spend a lot of time on this issue.
Each member of Congress specializes in a different topic. We’re not all experts on every topic. Certain people are go-to people on any range of issues, and cyber happens to be something that I spend a lot of time on.
CS: Have we had a galvanizing moment that generates widespread momentum to drive better cybersecurity policy — the proverbial “Cyber 9/11,” to use a tortured metaphor? Was the 2016 election that moment?
JL: It was a moment, and certainly one of those things that has gotten people’s attention. But it wasn’t a Cyber 9/11, per se. I am still worried about that type of event occurring. It’s still possible, even though it may be remote at this point. It’s still a possibility. … It’s one of those things that keeps me up late at night — you wonder when or if that date will ever come. It’s probably more of a “when” not “if.”
I’ve often said that you will never have modern warfare again without some type of a cyber component to it.
The United States continues to get better at being better organized and defended against a Cyber 9/11. But you can never say never, that it won’t happen. But between the work that the Department of Homeland Security is doing, the work that U.S. Cyber Command is doing, [and] NSA, we have nation-state capabilities to defend the country. But there’s still more work to do. Remember, most of critical infrastructure is still in private hands and we haven’t completely figured that piece out yet as to how we [might] adequately defend the country if there were a Cyber 9/11.
CS: Cybersecurity has often been described as a bipartisan issue. But with all of the politicization of the aftermath of Russian hacking and information operations during the 2016 election, is cybersecurity still a bipartisan issue in 2018?
JL: I believe it is. … Some make it a partisan issue, but I don’t see it that way. Case in point: I have a bipartisan election security bill, the Paper Act, with Congressman Mark Meadows [a Republican from North Carolina].
We both see this as an American issue — not a Democrat or Republican issue, it’s an American issue – that we need to do a better job with, securing our elections infrastructure.
CS: Congress has recently moved to set up bug bounty and vulnerability disclosure programs at multiple federal agencies. What have you learned from talking to experts on what works in setting up these types of programs at agencies?
JL: What I’ve learned over the years in working on the cybersecurity issue and [from] meeting with cybersecurity researchers is that they want to help … they want to help make the internet more secure and function the way it’s intended to.
Bug bounty programs are a great way to leverage that private sector talent, as we saw with the Pentagon’s bug bounty program. It was set up the right way. You get trusted researchers who want to do the right thing, provide them a vehicle where they can lend their talents, I think [it] is a good model. I’d like to see other government departments and agencies do a similar bug bounty program.
We also need to have a vulnerability disclosure program at each of the departments and agencies so that when cybersecurity researchers do find a vulnerability they’ve got somebody they can report it to – and they know that it’s going to be acted upon.
By Sean Lyngaas
In cybersecurity probes of Department of Defense weapon systems in recent years, penetration testers were able to gain control of systems with relative ease and generally operate undetected, according to a Government Accountability Office report.
“We found that from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report states.
In one test, a two-person team gained initial access to a system in an hour, then gained full control of the system in a day, the watchdog said. In another, the pen-testers seized control of the operators’ terminals, could see what the operators saw on their screens, and “could manipulate the system,” GAO found. Many of the testers said they could change or delete data. In one case they downloaded 100 gigabytes of it.
The scathing report chalks up the insecurities in the Pentagon’s weapon systems to defense officials’ “nascent understanding of how to develop more secure weapon systems” and the fact that those systems are more networked than ever. Until recently, according to GAO, the Pentagon did not prioritize weapon-system cybersecurity. Furthermore, DOD program officials the watchdog met with “believed their systems were secure and discounted some test results as unrealistic,” the report says.
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” GAO researchers added.
DOD’s evaluators did not pull out top-drawer tools to breach the weapon systems, but instead used simple techniques that were sufficient in the face of “poor password management and unencrypted communications,” according to GAO.
The report, which focuses mainly on under-development weapon systems, is the product of a 15-month audit that included interviews with officials from the National Security Agency, military testing organizations, and DOD acquisition offices, among other agencies. GAO said its researchers will give Congress a classified briefing on their findings.
Not all of GAO’s findings were negative. The Pentagon has recently moved to improve weapon-system cybersecurity through policy guidance and initiatives to better understand vulnerabilities, according to the watchdog. And one penetration test reviewed by GAO “found that the weapon system satisfactorily prevented unauthorized access by remote users,” albeit not from insiders.
But the report makes clear that DOD’s work to date is far from sufficient in tackling the problem.
“Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon-systems cybersecurity,” the report says.
Due to testing limitations, “the vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities” in systems, according to GAO.
Defense officials provided technical comments in response to a draft of the GAO report. CyberScoop has requested further comment from the Pentagon.
“The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” said Sen. Jim Inhofe, R-Okla., chairman of the Senate Armed Services Committee.
Rep. Jim Langevin, D-R.I., a member of the House Armed Services Committee, said he wasn’t surprised by GAO’s findings. “While DOD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” Langevin said. That is why, he added, Congress has mandated that the Pentagon carry out cyber vulnerability assessments.
By Daniel Ross
A rock seawall protecting the Air Force’s Cape Lisburne Long Range Radar Station on the North East Alaska coast is under increasing duress from extreme weather patterns affecting Arctic sea ice. Nearly $50 million has been spent replacing vulnerable parts of the wall already.
In 2013, a late summer monsoon rainstorm struck Fort Irwin, in California, flooding more than 160 buildings and causing extensive damage that took weeks to clean up. Some buildings were out of commission for months.
The 2012 Waldo Canyon Fire, one of the most destructive wildfires in Colorado’s history, only narrowly missed Peterson Air Force Base. The fire cost some $16 million to battle.
These are just some of the findings that make up a U.S. Department of Defense vulnerability report, published earlier this year, looking at the impact of climate change on more than 3,500 military installations. Its conclusion? That more than half of these installations are affected by flooding, drought, winds, wildfires, storm surges and extreme temperatures. Drought proved the single biggest challenge to the military, affecting nearly 800 bases. Next up was wind, which affected more than 750 bases, while non-storm surge-related flooding impacted a little more than 700 bases.
“As an institution, the military sees climate change as a threat to what they do on multiple levels,” said Michael Klare, professor emeritus of peace and world security studies at Hampshire College. “It’s a threat to their bases. It’s a threat to their operations. It creates insurgencies. It creates problems for them. They’re aware of that, and they want to minimize those impediments.”
Indeed, climate change has long been on the military’s radar. It was the George W. Bush administration, for example, that required the Defense Department to procure 25 percent of its energy for its buildings from renewables by 2025. Even President Ronald Reagan received military memos warning of global warming. While in 2014, the department published a roadmap establishing an outline to deal with the threats from climate change within the military, as ordered by then-President Barack Obama.
Although President Trump’s administration is known for its climate change denialism, major figures within the military are still noticeably vocal about the issue. In February, Director of National Intelligence Dan Coats warned in a Worldwide Threat Assessment that the impacts from global warming—more air pollution, biodiversity loss and water scarcity—are “likely to fuel economic and social discontent—and possibly upheaval—through 2018.” Defense Secretary Jim Mattis has been called the “lone green hope” for his long-established views on the threat of global warming.
Given the immediate threat of rising sea levels, the U.S. Navy is leading the charge to better understand these impacts at the ground level. Last year, a Navy handbook provided a planning framework for incorporating the threat of climate change into development projects at Navy installations. To put this into context, a 2016 Union of Concerned Scientists (UCS) analysis of 18 military installations along the U.S. East coast and the Gulf of Mexico found that by 2050, most of these bases will experience 10 times the number of floods than they do currently. In about 80 years, eight of the bases could lose as much as 50 percent of their land to rising seas. Naval Air Station Key West, in Florida, could be almost entirely underwater by the end of the century.
“We did use the high sea level rise scenario because generally, the military has a low tolerance for risk,” said Shana Udvardy, UCS climate preparedness specialist and a co-author on the study. “And we’re basically on track for the high scenario because of the rate of ice sheet melting. It’s very likely to happen, and it’s after mid-century that we’ll really see the changes in the extent and frequency of tidal flooding.”
According to U.S. Geological Survey scientist Curt Storlazzi, who has studied the effects of global warming on military installations on the Marshall Islands for the Defense Department, the twin impacts of rising sea levels and storm waves will increase the magnitude of flooding there by “double” in the next couple of decades. “That’s going to negatively impact both the military and civilian populations,” he said. “That’s the big takeaway—most civilian and defense infrastructure doesn’t do well with salt water.”
The Center for Climate and Security, a non-partisan group of defense and national security experts, continues to study the myriad threats of climate change on the military. In a recent report, the group outlined how extreme weather patterns will expand the department’s role in tackling national and global security threats, highlighting how humanitarian assistance and disaster relief missions are “increasingly important responsibilities for military commanders around the world.”
But former Rear Admiral David Titley, professor of meteorology at Penn State University and an expert in climate change, the Arctic and national security, argues that the military as a whole has yet to really grapple with the problem of climate change in any long-term strategic way, nor has it looked at how to cost-effectively prioritize resources—views mirrored in a recent Government Accountability Office report.
Change could be on its way in this regard. Rep. Jim Langevin, the ranking Democrat on the Emerging Threats and Capabilities Subcommittee, pushed through an amendment in the 2018 defense spending bill directing the Defense Department to identify the 10 military installations most vulnerable to climate change and to identify ways to mitigate the forecasted damage. “You would argue that that’s where you put your first dollar towards buying down the risk,” Titley said. “There may be bases that have higher climate vulnerability, but the impact may not be that big a deal relative to others.”
Langevin also included a provision in the 2019 defense spending bill requiring the department to factor energy and climate resiliency efforts into major military installation plans. But Titley is circumspect about the Defense Department’s overall ability and willingness to institutionally get to grips with the problems climate change poses. “We’ll see whether the department of defense actually does that or not,” said Titley. “There’s no real leadership on this issue.”
Miriam Pemberton, a research fellow at the Institute for Policy Studies, a progressive think tank, said that the military’s public overtures on climate change ring a little hollow when stacked up against the actual dollars directed toward green initiatives within the military—efforts like biofuel to power aircraft carriers and solar energy in combat zones.
According to an Institute report from last year, “Combat vs. Climate,” the ratio in military spending in 2017 to deal with regular security threats versus climate change was 28:1—a slight improvement on the 2015 ratio of 30:1. But as the report finds, “spending 28 times as much on traditional military security as on climate security is hardly commensurate with the magnitude of this ‘urgent and growing threat,’ as the military has defined it.”
Further, while the military’s budget grew by $61 billion in 2018, the amount of money the department continues to funnel toward green initiatives and renewable energies hasn’t grown proportionately, said Andrew Holland, the American Security Project’s director of studies. Nor does the military, he said, see its primary mission as tackling climate change. Indeed, the military is the world’s largest institutional consumer of fossil fuels. Last year, the department used more than 85 million barrels of fuel to power ships, aircraft, combat vehicles and contingency bases. The cost? Nearly $8.2 billion.
“We have a military whose job is to fight and win America’s wars,” Holland said. “But where you can take clean energy initiatives that fight climate change and also increase the military’s operational ability to fight and win those wars, that’s a double win.”
Another obstacle is that there’s no “line item for climate change” within the defense spending bill, said the UCS’s Shana Udvardy. “So, it’s really up to each installation to figure out where they’re going to get the resources, and which resources they’re going to allocate to these types of adaptation measures,” she said. What’s more, both Udvardy and Holland agree that the military has recently grown increasingly secretive about its green initiatives, for fear of retaliation by the White House.
Trump has already pulled out of the Paris Climate Accord, for example, and signed an executive order rolling back all Obama-era climate change related actions within federal agencies. There are notable signs that this has trickled down to the Defense Department—the latest National Defense Strategy had been scrubbed clean of any reference to climate change, for example.
“None of us have any clue as to how bad it’s going to be,” said Michael Klare, about the impacts from global warming. “But this is something that the military does understand better than most people—it’s not the polar bears we should be worried about, it’s about whole societies that are going to collapse and send out waves of migration, which we’re seeing already.”
By Jacqueline Thomsen
Congress has failed to pass any legislation to secure U.S. voting systems in the two years since Russia interfered in the 2016 election, a troubling setback with the midterms less than six weeks away.
Lawmakers have repeatedly demanded agencies step up their efforts to prevent election meddling but in the end struggled to act themselves, raising questions about whether the U.S. has done enough to protect future elections.
A key GOP senator predicted to The Hill last week that a bipartisan election security bill, seen as Congress’s best chance of passing legislation on the issue, wouldn’t pass before the midterms. And on Friday, House lawmakers left town for the campaign trail, ending any chance of clearing the legislation ahead of November.
Lawmakers have openly expressed frustration they were not able to act before the 2018 elections.
Rep. Tom Rooney (R-Fla.), who introduced the House version of the election security bill, said it was “disappointing.”
“If you want to call it a message that we’re sending to the American people, that we’re doing everything that we can to ensure that the integrity of the vote is sacred,” he said, “If we have these opportunities to do something and we don’t, then that definitely sends the wrong message. That maybe we just don’t care or whatever.”
Rep. James Langevin (D-R.I.), the co-founder of the Congressional Cybersecurity Caucus, said not passing the legislation was “a missed opportunity” to better protect U.S. elections.
“Every community needs to be on guard, alert and realize that the Russians are a very well-resourced and capable bad actor that are again trying to interfere with our elections,” he said.
Sen. James Lankford (R-Okla.), one of the bill’s cosponsors, told The Hill that the text of the bill is still being worked out after recent changes prompted concerns from state election officials and the White House.
It had appeared the bill would make it across the finish line but last month Reuters reported that the White House had stepped in to hold up the bill. A GOP Senate aide told The Hill at the time that it was paused over a lack of Republican support and over concerns raised by outside groups.
The White House did not return multiple requests for comment, and a spokesperson for Senate Rules and Administration Committee Chairman Roy Blunt (R-Mo.), who delayed the bill’s markup, declined to comment further.
Lankford said the White House told him it had not held up the bill. But he added that “they didn’t talk to me about it in advance.”
Like other lawmakers and experts, Lankford pointed out that even if the bill had passed ahead of the midterms, it would still be too late to implement any of the measures ahead of November’s elections.
“The bigger issue is not the legislation,” Lankford said. “The bigger issue is what the administration has done in the meantime to try to actually get all this done.”
The Department of Homeland Security has offered some cybersecurity support to state election officials, and President Trump signed an executive order earlier this month authorizing sanctions against those found interfering in U.S. elections.
Lawmakers also included $380 million for states to update and secure their election systems in an appropriations bill passed in March. That funding was initially authorized under the Help America Vote Act of 2002, passed in response to the 2000 presidential election, but this year’s grants were the first authorized under the law since fiscal 2010.
However, when Democrats tried to pass more election security funding earlier this year, Republicans knocked down the measure, arguing that substantial funds had already been allocated.
Other security bills have also been introduced after the 2016 elections, but the bipartisan bill spearheaded by Lankford and Sen. Amy Klobuchar (D-Minn.) was touted as the best shot at getting legislation on the books shielding U.S. election systems from cyber attacks.
Even so, it remained the subject of extensive debate: The original bill included a pilot program for states to conduct risk-limiting audits, which would examine a number of ballots to ensure that systems weren’t compromised.
But that program became mandatory in a later version of the bill, costing it support from state officials and advocacy groups who argued the measure would be too great of a burden.
Voting groups have also voiced disappointment at the lack of action, but were quick to praise Klobuchar and Lankford’s bipartisan push to pass legislation.
Vermont Secretary of State Jim Condos (D), the president of the National Association of Secretaries of State (NASS), told The Hill that while many states are already implementing the measures that would be included in the bill, it was disappointing to not have them on the books. NASS has not taken a public stance on the legislation.
He said that the bill would “send a strong message” to bad cyber actors like Russia, which interfered in the 2016 election, as well as to Americans that their election systems are secure.
“I think this would go a long way to helping us let the public know that our systems are strong and, on top of that, that everyone takes [the issue] seriously,” Condos said.
It is unclear if Congress will be any closer to overcoming the hurdles to legislation after the midterms.
But advocates insist they will keep pushing for a solution.
“This is a time for unity where the country has to unite to fight off foreign meddling in our election because that undermines our democracy,” said Marian Schneider, the president of Verified Voting.
But she also noted that the Lankford-Klobuchar bill was originally introduced in December 2017 and that lawmakers had months to finalize the text.
“I think there’s an unfortunate thing going on here that whenever elections is the topic or is the subject area that it becomes politicized,” she said.
By Maggie Miller
House Minority Leader Nancy Pelosi (D-CA) appointed Rep. James Langevin (D-RI) to the newly created Cyberspace Solarium Commission on Tuesday, while the House passed four cyber-related bills including one to create a vulnerability disclosure program at the Department of Homeland Security.
Pelosi named Langevin and former Rep. Patrick Murphy (D-PA) to the commission, created under the 2019 National Defense Authorization Act. The House minority leader is required to appoint two members of the Commission, one of whom must not be a current member of the House.
“Cyberspace is the future, and will grow even more important to driving American leadership and innovation in the years to come,” Pelosi said in a statement. “Guided by Rep. Langevin and former Rep. Murphy, this Commission will be a vital tool in keeping America safe, strong and free.”
Langevin, the co-founder and co-chair of the Congressional Cybersecurity Caucus, said in a statement he was “honored” to be appointed, and called for the commission to develop a “strategic framework” for international cyber “stability.”
“It is imperative that we use the opportunity afforded by the Solarium Commission to develop a strategic framework that encompasses these challenges and ensures the United States continues to benefit from global cyber stability,” Langevin said. “It is my expectation that such a strategy will encompass all elements of national power – economic, diplomatic and military – and help contextualize cyber in the broader national and economic security discussion.”
The Speaker of the House is designated to appoint three members, with the Senate majority leader to designate three, and the Senate minority leader to pick two members. Other members of the commission automatically include the FBI director, the deputy secretaries of the departments of Defense and Homeland Security, and the principal deputy director of National Intelligence.
The commission is charged with developing a “strategic approach” to defend the U.S. in cyberspace against “cyber attacks of significant consequences.”
Bills move in House
On Tuesday, the House approved four cybersecurity bills, including H.R. 6735, the Public-Private Cybersecurity Cooperation Act. The bill sponsored by House Majority Leader Kevin McCarthy (R-CA) directs the DHS secretary to establish a “vulnerability disclosure policy” for DHS internet sites within 90 days of the legislation being signed into law.
The House Homeland Security Committee approved the bill earlier this month, and Chairman Michael McCaul (R-TX) spoke on the floor in favor of passage, saying it would give a “legal avenue” to allow researchers from the private sector to identify cyber flaws in DHS’ systems.
“Between 2011 and 2013, Iranian hackers attacked dozens of American banks and even tried to shut down a dam in New York,” McCaul said. “In 2014, Chinese hackers stole over 22.5 million security clearances, including my own, from the Office of Personnel Management. In 2016, Russia meddled in our Presidential election, and because we use computer networks in our personal and professional lives, almost everyone is a target. With each passing day, cyber threats continue to grow. But the government cannot face these threats alone. We need help from the private sector.”
McCaul also spoke in favor of another bill passed Tuesday, H.R. 6620, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act, sponsored by Homeland Security cyber subcommittee ranking member Cedric Richmond (D-LA). This bill would require DHS to prepare a threat assessment related to unmanned aircraft systems, and was previously approved by the House Homeland Security Committee.
“The threats we face from drones are constantly evolving as the technology becomes more accessible across the globe,” McCaul said on H.R. 6620. “We need to do more to confront these dangers.”
The House passed two more bills: H.R. 5433, the Hack Your State Department Act, sponsored by Rep. Ted Lieu (D-CA), to establish a “bug bounty” program at the State Department; and H.R. 6229, the National Institute of Standards and Technology Reauthorization Act, sponsored by Rep. Barbara Comstock (R-VA), which supports cyber programs at NIST.
House Democratic Leader Nancy Pelosi, D-Calif., has appointed Rep. Jim Langevin, D-R.I., and former Rep. Patrick Murphy, D-Pa., to the recently created Cyberspace Solarium Commission, a 14-member public-private panel charged with developing consensus and actionable strategy to protect and defend the U.S. in cyberspace. Legislation creating the commission was approved as part of the FY 2019 National Defense Authorization Act (NDAA). Rep. Langevin is a co-chair of the Congressional Cybersecurity Caucus and ranking member of the House Armed Services Committee’s Emerging Threats and Capabilities Subcommittee. Murphy was a congressman from 2007 to 2011, and is a former Under Secretary of the Army.