When Atlanta’s city government computers were infected by SamSam ransomware last year, the effects were wide-ranging. The city had to postpone its court proceedings. No one in Atlanta could apply for city jobs or pay parking tickets or water bills. In an effort to contain the damage, Atlanta shut down the wireless network at Hartsfield-Jackson Airport. In Baltimore, earlier this year, a similar ransomware attack prevented home buyers from completing real estate purchases, city employees from accessing their email accounts, and residents from paying property taxes, water bills, and parking tickets. Baltimore and Atlanta were only two of several U.S. city governments hit by crippling ransomware attacks in the past few years, along with Riviera Beach, Florida; Lake City, Florida; and LaPorte County, Indiana, to name just a few.
These attacks revealed the widespread vulnerabilities of public sector computer systems and cost millions of dollars to recover from, but their most profound effect may lie in just how deeply they inconvenienced hundreds of thousands of people. It’s a powerful reminder of the extent to which poor cybersecurity at all levels of government can affect everyone’s daily lives—and perhaps also a wake-up call to voters about how important these issues are.
In the upcoming election cycle, at least two candidates with experience in cybersecurity are running for state-level elected offices. They hope to capitalize on the newfound awareness of cybersecurity as not just a national security issue but also a critical component of helping a city—or a state—function on a day-to-day basis. Voters are genuinely interested in hearing about ideas to strengthen state and local cybersecurity right now, the candidates say, but it’s unclear whether that interest will last until Election Day. People tend to care about cybersecurity most at the moment when they’re unable to pay their utility bills or sell their house, not necessarily when everything seems to be running fine.
Sheri Donahue, the Democratic candidate in the upcoming Kentucky election for state auditor of public accounts, told me, “It’s amazing when we go out and speak and you see everyone’s heads start nodding for sure when we get to talking about cybersecurity.” Unlike most politicians (see, for instance, Donald Trump in 2016: “The security aspect of cyber is very, very tough. And maybe it’s hardly do-able. But I will say, we are not doing the job we should be doing”), Donahue knows of what she speaks—she’s a former Navy engineer who worked on auditing and securing military systems before moving on to do cybersecurity for the health insurance company Humana. She’s well versed in network segmentation—making sure that malware that infects one part of a network can’t easily spread to all the other parts of that network—and strategies for making digital backups. She’s spoken with two of the three vendors that sell voting machines to Kentucky and grilled them on their security practices and controls. She was livid to learn that one of the Kentucky counties kept its voting machines in a public storage unit in between a primary and general election. “I thought, oh my Lord, who knows who has had access to those machines?” If she’s elected Kentucky auditor, she plans to scrutinize every one of the servers that the state doesn’t have backups for, to push for exercises in business continuity and disaster recovery and cybersecurity training. The goal is to avoid repeats of an incident earlier this year in Scott County, Kentucky, when the school district almost lost $3.7 million in a phishing scam after someone posing as an outside vendor emailed a fraudulent invoice.
In Virginia, Democrat Laura Galante is running for a position in the state House of Delegates after a career conducting threat analysis at the Department of Defense, security firm Mandiant (now part of FireEye), and the Atlantic Council’s Cyber Statecraft Initiative.
If elected, she’s eager to push cybersecurity benchmarking initiatives for cities and towns in Virginia. She also wants to explore security and privacy protections for telehealth in the state. She thinks her cybersecurity background gives her an edge in appealing to voters in Virginia’s 18th District. “It’s allowed me to talk to the large veteran population and the defense contractors. That actually goes a long way,” she said.
How far that cybersecurity advantage actually goes will be put to the test in November, when both Donahue and Galante will face off against Republican incumbents. If there’s a reason to be optimistic about their chances, it’s Hala Ayala, who was elected to the Virginia Statehouse in 2017 after working as a cybersecurity specialist at the Department of Homeland Security. Ayala’s path to state government is a model for candidates like Donahue and Galante, but also a caution for how hard it can be to improve security in office.
Ayala has introduced legislation to strengthen “internet of things” device security, require businesses to dispose of consumer records, and implement reasonable security practices; legislation to create a cybersecurity task force for Virginia; legislation to require security training for state employees; and legislation to allow minors to remove content they’ve posted on online platforms.
But she’s struggled to garner support for these initiatives in the Virginia House. “I’m talking about national security threats in a state body that is only used to dealing with stuff like budget and transportation,” Ayala said. And Virginia, which is home to the Pentagon and many major defense contractors, arguably has more national security expertise and experience than most other states. Ayala thinks that part of the challenge is simply that she’s the first person in the Virginia House with deep cybersecurity experience. More colleagues with similar backgrounds might make it easier to actually change state policies.
That’s also the agenda of Shaughnessy Naughton, who runs the 314 Action Fund, a PAC that supports scientists and engineers running for public office and has endorsed Ayala, Donahue, and Galante, as well as 27 other candidates. Naughton, who trained as a chemist, ran for the U.S. House in Pennsylvania in 2014 and 2016 and lost both times in the Democratic primary. Now, she fundraises through 314 Action (314 as in 3.14 as in pi … get it?) for other scientists trying to break into the political arena. Naughton says that roughly 7,000 scientists have reached out to the group since its founding in summer 2016, many of them health care professionals but also a growing number of engineers and technologists. According to 314 Action Fund’s communications director, Ted Bordelon, the group is on track to raise $20 million during this election cycle, after raising $5 million in the last cycle.
Naughton’s clearly excited that there are candidates with technical experience running for state office. Is it possible voters in Kentucky and Virginia are excited about it as well? Reading the news, it does sometimes feel like a moment when voters could be focused on cybersecurity more than ever before. Between Russia’s online election meddling and the growing number of cities that have been brought to their knees by ransomware, perhaps people across the country are coming around to the idea that cybersecurity actually affects them, personally, just like health care and taxes and education. On the other hand, even as I write that sentence, it seems almost laughably absurd that anyone would decide their vote based on cybersecurity over those other issues. And one of the things people who work in cybersecurity are most prone to overestimating is the extent to which anyone else cares about cybersecurity, so I’m a little surprised when Donahue and Galante tell me what positive reactions they’ve gotten from discussing these topics on the campaign trail. If it’s a winning strategy, it doesn’t seem to be one that’s catching on, however.
“We have our statewide offices up for election this year,” Donahue said. “I am the only candidate this year in our state who has talked at all about cybersecurity.”