The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: California wants to let political candidates use campaign cash to secure their devices

February 22, 2019 at 7:38 a.m. EST

with Bastien Inzaurralde

THE KEY

As hackers target California campaigns, the state wants to let political candidates use some of their campaign funds to secure personal phones and computers. 

A bill, which was introduced in the state legislature Thursday, could spark a trend among states that want to protect political races from being upended by the sort of hacking operation that targeted Hillary Clinton’s presidential campaign. 

“We saw what this cyberthreat looks like on a big public level in 2016,” California Secretary of State Alex Padilla (D), who is officially supporting the legislation, told me. He plans to promote the bill to other states’ top election officials in coming months and says it's a “no-brainer” they should pursue similar ones.

"California loves being first," Padilla said. "As the bill goes through the process here I’ll be meeting with other secretaries of state…to talk about the California experience and urge them to consider the same.” And the bill’s author, Assembly member Jacqui Irwin (D-Thousand Oaks), co-chairs the National Conference of State Legislatures’ Task Force on Cybersecurity and told me she plans to tout the bill as a model for improving political cybersecurity at the next conference meeting in June. 

The move underscores the increasing realization that protecting elections from foreign influence can’t stop with election systems -- but must include campaigns. And candidates’ and staffers’ personal devices are often a vulnerable entry point for hackers who can then worm their way into campaign devices and data.

After all, there’s no evidence Russian hackers compromised state election systems in 2016, but they did breach the Democratic National Committee and the Clinton campaign — and that was enough to throw the election into chaos and to deeply damage many Americans’ faith in the electoral process, Irwin and Padilla told me.

“When voters hear stories like that, they don’t trust the outcome of the election,” Irwin said. “It undermines confidence for our electorate and it’s very difficult to have democracy if voters don’t think we have free and fair elections.”

Two of California's politicians were hacked during their primary campaigns before the 2018 midterm elections — one attack penetrated campaign computers and another compromised the candidate’s work computer. Neither of those attacks resulted in any information being publicly released and both became public after the candidates had lost their primaries, but it was enough to spark serious concern, Padilla said. A third California primary campaign was hit with a denial of service attack that shut down access to the candidate’s donations site.

The California bill would allow candidates to use campaign funds to protect their personal devices and their campaign staff’s devices, including by buying security hardware and software and hiring trainers or consultants.

California lawmakers would also be allowed to use leftover campaign funds to protect their personal devices once in office, but that privilege wouldn’t extend to office staff.

There is some recent precedent for using campaign funds for security -- but in a different context. A Federal Election Commission ruling approved in December allowed members of Congress to use excess campaign funds to protect their personal devices after they entered office.

Sen. Ron Wyden (D-Ore.), who requested the FEC ruling, praised California’s move in an email.

“We know hostile nations and hackers are targeting personal devices and accounts, so it’s encouraging that states are starting to take those threats seriously,” Wyden told me.  

PINGED, PATCHED, PWNED

PINGED: All the Democratic candidates running for president in 2020 committed not to knowingly use hacked material surfacing online that might have been obtained illegally, but President Trump’s campaign declined to make any pledge, the Daily Beast’s Sam Stein, Jackie Kucinich and Scott Bixby reported. An aide to Howard Schultz, the former Starbucks chief executive who has weighed running as an Independent, also said his campaign would make the same commitment if he were to run.

“Unlike Donald Trump who welcomed and encouraged election interference from a foreign adversary, our campaign condemns the use for political gain of information or material obtained by illegal means,” Jeff Giertz, a spokesman for the presidential campaign of Sen. Cory Booker (D-N.J.), told the Daily Beast.

PATCHED: A Georgia House of Representatives committee advanced legislation to adopt electronic ballot-marking voting machines in the state after almost seven hours of public testimony, the Associated Press's Ben Nadler reported. Republicans voted for the bill while Democrats opposed it. Election security experts and activists say using hand-marked paper ballots would be a more secure alternative to ballot-marking devices.

“What we’re concerned with is that some unobservable piece of technology will get between . . . an intention in the voter’s mind and the indelible transfer of that intention to a piece of paper. That is where the hack occurs,” Richard DeMillo, a computing professor at Georgia Tech, told lawmakers, according to the AP. “A hand marked paper ballot imposes no intermediate technology. What you see is literally the best evidence of voter intent.”

State Rep. Barry Fleming (R-Harlem), the author of the bill, said stray marks on a hand-marked paper ballot could make it hard to tabulate votes. Fleming also “said he believed electronic ballot markers better captured voter intent,” the AP reported. A hand-marked ballot system would cost about $30 million while an electronic ballot-marking system is estimated at about $150 million.

PWNED: The United States' campaign to persuade foreign allies to keep Chinese telecommunications company Huawei out of their 5G networks is being met with skepticism in India, the Wall Street Journal's Newley Purnell, Rajesh Roy and Dustin Volz reported. How India decides to roll out its nascent 5G could also affect U.S. efforts to convince other countries to shun Huawei. “India, Japan, these are all huge markets that if they were to go Huawei it would have significant impact on the global telecommunications infrastructure,” said Andy Keiser, a former staff member of the House Intelligence Committee, according to the Journal.

U.S. officials say the Chinese government could demand that Huawei abide by its requests and could therefore make the company a platform for Chinese spying. Huawei has denied those claims. But policymakers in India appear unconvinced by Washington's arguments and telecommunications companies in the country see U.S. warnings about the risks of using Huawei equipment as an exaggeration. “The perception here is that the U.S. action is more a matter of foreign policy,” Rajan Mathews, director of the Cellular Operators Association of India, told the Journal.

PUBLIC KEY

— Secretary of State Mike Pompeo told Fox Business Network that the United States may not share information with countries that use Huawei systems, Reuters reported. “If a country adopts this and puts it in some of their critical information systems, we won’t be able to share information with them; we won’t be able to work alongside them,” he said.

— Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee's vice chairman, sent several letters to health-care groups to seek information about steps they are taking to spot and reduce weaknesses in their computer systems. The senator said he wants to collaborate with the health-care sector to develop a strategy to mitigate cybersecurity vulnerabilities in this industry. “As we welcome the benefits of health-care technology we must also ensure we are effectively protecting patient information and the essential operations of our health-care entities,” Warner said. He sent the letters to the American Hospital Association, America's Health Insurance Plans and other groups.

— Cities across the United States should hold regular cyber exercises and plan responses to cyberattacks as many municipalities may not be sufficiently protected for such incidents, according to a report by the New America think tank. “No amount of repetition would be excessive to hammer home the point that exercises are key to maximizing efficiency and effectiveness of incident response capability and resources,” Natasha Cohen, a cybersecurity policy fellow at New America, wrote in the report. Cities should also establish partnerships with other governments in the same region to share resources, according to the report.

— More cybersecurity news from the public sector:

California to close data breach notification loopholes under new law (TechCrunch)

Lawmakers probe for Stingray info in funding bill (FCW)

PRIVATE KEY

Huawei plan to fix British security fears due in H1 this year: executive (Reuters)

A Decryption Key for Law Firm Emails in Hacked 9/11 Files Has Been Released (Motherboard)

SECURITY FAILS

— Some experts are expressing reservations about the design of Switzerland's online voting system as the country is set to hold a public penetration test on the system, Kim Zetter reported in Motherboard. The Swiss postal service and the company Scytl, based in Barcelona, developed the online voting system. Last week, technical documents as well as source code for the software were leaked online. “Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and [a] convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly,” Zetter wrote.

THE NEW WILD WEST

— China remains the main suspect in a cyberattack against Australia's Parliament and major political parties, the Sydney Morning Herald's Latika Bourke reported, citing Australian sources familiar with the matter. Australian Prime Minister Scott Morrison on Monday said “a sophisticated state actor” carried out the attack. “The hack on the Liberal, National and Labor parties was detected by the Australian Cyber Security Centre during the course of their investigation into a prior hack on the Australian parliamentary system,” Bourke wrote.

— More cybersecurity news from abroad:

Ukraine security service accuses Russia of meddling in election (Reuters)

Huawei Is Expanding in Canada, Despite U.S. Pressure (The New York Times)

The Russian Sleuth Who Outs Moscow's Elite Hackers and Assassins (Wired)

ZERO DAYBOOK

Coming soon:

EASTER EGGS

Record snowfall blankets Las Vegas:

Uncharacteristic winter weather left parts of Las Vegas under several inches of snow this February. (Video: Adriana Usero/The Washington Post)

Meet some of history's most prolific presidential losers:

What do Lyndon Larouche, Eugene V. Debs and Vermin Supreme have in common? They've all run for president and lost — often more than once. (Video: Allie Caren, Brian Monroe/The Washington Post)

The modern anti-vaxxer movement, explained:

Despite the evidence, the anti-vaccination movement is gaining strength. (Video: Luis Velarde/The Washington Post)