| Welcome to The Cybersecurity 202! My sincerest sympathies to Sen. Tim Kaine (D-Va.) and everyone else stuck for a day or longer on I-95. Below: The Federal Trade Commission is threatening penalties if companies don't protect themselves against the log4j bug, and a phony encrypted messaging app the FBI used to lure criminals was collecting location information, too. | Texas can't find election fraud either |  Harris County, Tex., election workers prepare mail ballots for the 2020 election. (David J. Phillip/AP) | | | Another partisan-led audit of the 2020 election is underway. And, once again, it's failing to turn up anything nefarious. On New Year's Eve – when lackluster results were unlikely to get much attention – Texas officials released the first round of results from the state's $4 million, Trump-urged audit. The review showed only minor and easily explained discrepancies — nothing that could remotely have changed the election outcome in the state. Texas is traditionally a Republican stronghold, but former president Donald Trump won it by only about 5 percentage points, the smallest recent margin for a Republican presidential candidate. The audit focused on four counties including highly-Democratic urban centers such as Houston and Dallas, where Biden performed better. Texas officials announced the audit in September just hours after Trump released a letter urging Gov. Greg Abbott (R) to do so. | | While Texas's audit process followed a more conventional process than Arizona's, the results are reminiscent of the results of the roughly $6 million audit in Maricopa County, which dragged on for months amid baseless claims of election fraud by Trump and his allies and ended up reaffirming Biden's victory in the state. The key takeaway from both efforts: Claims that the 2020 election was undermined by substantial fraud or hacking have no basis in evidence, but Trump and his allies will keep making those claims no matter what happens. | | "This is just the latest instance that shows Americans can either be loyal to Donald Trump or to American democracy, but it can't be both," David Levine, an election integrity fellow at the German Marshall Fund's Alliance for Securing Democracy, told me. | | @davidalanlevine | "This is just the latest instance that shows Americans can either be loyal to Donald Trump or to American democracy, but it can't be both." | | | | | | | | Still, look closer and there's a big difference between the Texas and Arizona audits. Unlike in Arizona, Texas officials followed a conventional process in auditing the county election results (although Democrats in the state still opposed the review, calling it partisan-motivated). | - The Arizona audit was a fundamentally ham-handed affair — conducted by inexperienced and highly partisan contractors who ran roughshod over auditing and security protocols to the point Maricopa County had to replace its entire stock of election machines over security concerns.
- Texas, by comparison, was highly professional. The audit was led by Republican Secretary of State John B. Scott's office and focused mainly on traditional auditing procedures that are typically uncontroversial.
- In fact, the first phase essentially involved re-performing checks that counties are already required to do under state law and performed within days of the election — including comparing electronic counts of a sample of ballots to hand counts of the same ballots. The second phase will involve examining election records to ensure procedures were properly followed. Here are more details from the Texas Tribune.
| | Texas officials nevertheless described their review as a "full forensic audit," a phrase popularized by the Maricopa audit and often touted by Trump allies, but which has no agreed-upon meaning among election officials. "This isn't a forensic audit. … I'm reluctant to even call it an audit," Liz Howard, senior counsel for the Democracy Program at New York University's Brennan Center for Justice, told me. "It's political theater." | | @lizhoward | "This isn't a forensic audit. … I'm reluctant to even call it an audit. It's political theater." | | | | | | The Texas audit has resulted in less costly damage than the Arizona one, but it's far from harmless. | | First off, it undermines a primary tenet of election administration that audits should be conducted based on strict rules set out before an election rather than based on political considerations after an election, which might degrade public faith in the electoral process. The National Association of Secretaries of State voted nearly unanimously in August to endorse a set of principles for post-election audit procedures, including that they should be laid out in state statutes before elections. The association also urged that audits be conducted as soon as possible after elections — ideally before the election is certified so someone who was erroneously declared the winner won't take office. "In an ideal world these kinds of things would be set down in legislation and budgeted for properly, not weaponized in response to someone's political sour grapes," Levine said. The audit also diverted time and resources from election officials' other priorities, including dealing with security issues. Those issues are particularly prominent in Texas, which is one of only six states in which some voters still cast ballots without paper records — a method experts say is too vulnerable to hacking. A recently passed state law requires counties to adopt paper-record machines but not until 2026. | | |  | The keys | | A federal regulator threatened fines if companies don't protect themselves against the log4j vulnerability |  The FTC warning came weeks after the vulnerability was made public. (Alex Brandon/AP) | | | Companies that don't quickly fix the bug could harm consumers and open themselves up to mammoth financial penalties, the Federal Trade Commission said. The call marks one of the most significant government efforts to date to force companies to protect themselves against the bug, which is embedded in common open-source software and has been described as among the most serious digital vulnerabilities in history. The FTC warned it "intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future." Potential consequences: The FTC raised the specter of the credit ratings agency Equifax, which paid $700 million to settle regulatory actions after it failed to fix a known bug in its computer systems and suffered a 2017 hack that exposed personal information of more than 100 million customers. The RAND Corporation's Sasha Romanosky: | | The regulator also plans to take a broader look at open-source software, which is prone to far-reaching bugs like log4j. Such projects "are often created and maintained by volunteers, who don't always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the Internet economy," the agency said. | The FBI collected location information from users of an encrypted messaging app that catered to criminals | | The FBI previously acknowledged that it had secretly controlled the Anom encrypted messaging service and was able to read messages from alleged weapons dealers, contract killers and other criminals — many of whom are now facing prosecution. But Anom also collected location data from phones even though the app's users were led to believe such location tracking wasn't possible, Motherboard's Joseph Cox reports. The location data shows how successfully the FBI and other law enforcement agencies duped alleged criminals. It comes as law enforcement agencies have struggled to deal with encrypted messaging systems, which they say allows criminals to hide their planning and operations. "The news provides more clarity on the scope and capabilities of the backdoor managed by the FBI," Cox writes. "So far the operation, known as Trojan Shield in the U.S. and Ironside in Australia, has led to hundreds of arrests worldwide and disrupted organized crime, with major drug traffickers now either arrested or on the run." | Three Washington state lawmakers attended Mike Lindell's "cyber symposium" — on taxpayers' dime |  Cybersecurity experts have disputed Mike Lindell's assertions. (Joshua Roberts/Bloomberg News) | | | The state legislature reimbursed three Republican lawmakers a total of $4,361 for their flights and hotels to attend the conference, the Seattle Times's Jim Brunner reports. The three-day event was filled with misleading information and conspiracy theories, cybersecurity experts said. "All three lawmakers have stoked doubts about the 2020 election, claiming widespread fraud and irregularities around the nation and in Washington — even as they touted their own reelection wins last fall," Brunner writes. Two of the lawmakers are running for Congress. All three signed on to a letter calling for "forensic audits" in all 50 states and potentially decertifying election results. | | |  | Securing the ballot | | More than a dozen Republicans who question the legitimacy of the 2020 election are trying to control voting in their states |  Jody Hice, a former congressman, was endorsed by former president Donald Trump to be Georgia's secretary of state. He objected to certifying 2020 election results. (Emil Lippe for The Washington Post) | | | The 15 Republicans are running to be their states' secretary of state, NPR's Miles Parks reports. They range from candidates who have cast doubt on 2020 election results to a candidate who said the election was stolen. Election experts and current officials worry that the candidates could hurt democratic systems if they win, Miles writes. "The reasons why Trump's attempt to overturn the 2020 election failed is because there were state officials who refused to substantiate his claims of fraud," Franita Tolson, an election law expert at the University of Southern California told Miles. "These folks really are gatekeepers." | | By Craig Silverman, Craig Timberg, Jeff Kao and Jeremy B. Merrill ● Read more » | | | | | |  | Chat room | | | Columbia University's Hacked Film Festival is running a poll on the best hacker movie ever. Get your vote in before it closes. | | StateScoop's Benjamin Freed: | | RTFM Please's Sharone Zitzman: | | |  | Global cyberspace | | | |  | Cyber insecurity | | | |  | Government scan | | | |  | Industry report | | | |  | Daybook | | - The Atlantic Council hosts an event on the next National Defense Strategy today at 2 p.m.
| | |  | Secure log off | | | Thanks for reading. See you tomorrow. | | |
