The bill also requires supply chain reviews for cyber risk at some agencies.
Election security got a $380 million infusion in the massive, governmentwide spending bill released late Wednesday and passed by the House Thursday afternoon, providing a long-awaited boost to state election officials’ coffers just eight months before the 2018 midterms.
The money, which includes at least $3 million per state for election security, comes just days after the Senate Intelligence Committee concluded its investigation into Russian efforts to penetrate state voting systems during the 2016 presidential contest.
Additional money will be released based on states’ needs, according to a rundown from Sens. James Lankford, R-Okla., and Amy Klobuchar, D-Minn., who sponsored an election security bill.
Priorities for the funding will include replacing outdated voting machines, ensuring that all votes include a paper trail and implementing post-election audits. Funding will also go to cyber training for state election officials.
Also included in the omnibus appropriations bill was legislation to clarify how and when law enforcement can get warrants for emails and other data stored by U.S. tech companies in foreign servers.
The legislation, called the Clarifying Lawful Overseas Use of Data, or CLOUD Act, would allow police to demand overseas data but it would also allow the company storing that data and the country where the data’s stored to object in a U.S. court. A judge would then decide if the warrant should be honored, limited or scrapped in favor of ensuring good relations with the other nation.
Major tech companies have endorsed the bill, but civil liberties and internet freedom groups have largely condemned it, partly because it would expand foreign governments’ access to data stored on U.S. soil.
The bill would effectively moot a long-running battle between Microsoft and the Justice Department, which was argued before the Supreme Court last month. The dispute centers on customer emails in a narcotics case that Microsoft is storing in a data center in Dublin.
Microsoft, which has previously voiced support for the CLOUD Act, applauded its inclusion in the omnibus spending bill Thursday. Microsoft President Brad Smith called the bill “a critical step forward in resolving [an] issue that has been the subject of litigation for over four years.”
Supply Chain Reviews
Another omnibus provision would require the Commerce and Justice departments as well as NASA and the National Science Foundation to launch comprehensive reviews for cyber risk in the supply chains of new technology systems they buy.
The provision is limited to systems that are at high or moderate risk for cyber intrusions based on their function or the data they process. The reviews must include risks caused by the systems or portions of the systems being produced in cyber adversary nations such as China, Russia and Iran.
The bill also:
- Prohibits the State Department from providing assistance to the central government of any nation that materially contributes to North Korea’s ability to launch cyberattacks.
- Requires a study on how the Commerce Department’s National Telecommunications and Information Administration “can best coordinate the interagency process following cybersecurity incidents.”
- Provides $1.9 billion to fund Homeland Security’s cyber operations division, including $1.1 billion to secure civilian computer networks against cyberattacks. That’s a slight boost over the roughly $1.8 billion during the previous fiscal year.
- Includes $1.2 billion for the Commerce Department’s cyber standards agency, National Institute of Standards and Technology. That's a $247 million boost from the previous fiscal year.
- Provides $9 billion for the FBI, a portion of which will be devoted to cyber crime investigations. That’s a $236 million boost over the prior fiscal year.
- Gives a $350 million boost to support IRS customer service, including cybersecurity improvements.
- Provides $100 million for technology and cybersecurity projects as part of the Modernizing Government Technology Act.
- Provides $18 million for the Energy Department to improve the physical security and cybersecurity of the electric grid.
- Includes $45 million for cybersecurity and information technology investments at the Securities and Exchange Commission.
- Gives a $24 million boost for cybersecurity enhancements at the Treasury Department.