Nicole Perlroth and Matthew Rosenberg
c.2019 New York Times News Service
One year from the 2020 elections, presidential candidates face legal roadblocks to acquiring the tools and assistance necessary to defend against the cyberattacks and disinformation campaigns that plagued the 2016 presidential campaign.
Federal law prohibits corporations from offering free or discounted cybersecurity services to federal candidates. The same law also blocks political parties from offering candidates cybersecurity assistance because it is considered an “in-kind donation.”
The issue took on added urgency this week after lawyers for the Federal Election Commission advised the commission to block a request by a Silicon Valley company, Area 1 Security, which sought to provide services to 2020 presidential candidates at a discount. The commission is expected to decide on Area 1’s request at a public meeting Thursday.
Cybersecurity and election experts say time is running out for campaigns to develop tough protections.
Christopher Wray, the FBI director, warned in April that Russian election interference continued to pose a “significant counterintelligence threat” and that Russian efforts in the 2016 and 2018 elections were “a dress rehearsal for the big show in 2020.”
A bill introduced last month by Sen. Ron Wyden, D-Ore., would have allowed political parties to provide greater cybersecurity assistance to candidates. But it stalled in the Senate after the majority leader, Mitch McConnell, R-Ky., said he would not bring any election security bills to the floor for a vote.
The 2020 campaigns themselves are unlikely to have the expertise to track disinformation campaigns or to build sophisticated defenses needed to ward off hackers. In most cases, they cannot afford to pay outside experts market rates for such services, as required by federal election laws.
To thwart digital threats and phishing attacks, multinational corporations spend hundreds of thousands of dollars, at minimum, on security. Jamie Dimon, chief executive of JPMorgan Chase, has said the bank spends nearly $600 million a year on security. Bank of America’s chief executive has said the bank has a “blank check” when it comes to cybersecurity. Security experts note that — despite significantly smaller head counts — presidential candidates and their campaigns are among the most targeted organizations in the world.
“Expecting campaigns to do this on their own is asking for failure,” said Laura Rosenberger, director of the Alliance for Securing Democracy, a group that seeks to track and expose efforts by authoritarian regimes to undermine democratic elections.
Rosenberger knows the risks faced by campaigns. As a foreign policy adviser to Hillary Clinton in 2016, she saw firsthand the real-world effects of these attacks. In what is called a spearphishing attack, Russian hackers compromised emails belonging to John Podesta, then Clinton’s campaign chairman, and employees at the Democratic Congressional Campaign Committee.
“If we’re putting campaigns on the front lines alone, and they’re having to defend themselves alone, then we’ve lost,” she said.
But guarding against Russia is just one of the challenges, officials and experts said.
“Russia drafted a playbook that other international actors can use,” said Nathaniel Persily, co-director of the Stanford Cyber Policy Center and a law professor at Stanford Law School. “We should not be surprised if other nation-states and stateless entities try to take a page from the Russian playbook in the next election.”
There are also concerns that domestic players could do the same thing.
Last month, the FEC ruled that a nonprofit organization, Defending Digital Campaigns, could provide free cybersecurity services to political campaigns. But the ruling was narrow, and applied only to nonpartisan, nonprofit groups that offer the same services to all campaigns. Defending Digital Campaigns was founded by Robbie Mook, who ran Clinton’s 2016 campaign, and Matt Rhoades, who managed Mitt Romney’s campaign in 2012.
But nonprofits can only do so much, experts said, and in many cases there are private companies with better technology for fending off hackers.
The case being heard this week by the FEC involves Area 1, which says it has developed tools to block spearphishing attacks.
In anticipation of future attacks, a number of candidates running for office in 2020 contacted Area 1 to ask for its anti-phishing services, said Oren Falkowitz, a former analyst at the National Security Agency who helped found the company.
Area 1 works with a number of large corporations and assists smaller firms and nonprofits, charging a rate lower than what it charges big clients, Falkowitz said. He noted that the pricing model was fairly standard. Other tech companies like Dropbox and Slack give away many of their services to individuals and smaller organizations, but charge larger businesses to use their products.
Lawyers for three of the 2020 candidates that contacted Area 1, who could not be named because of confidentiality agreements, told the company that they worried that by using Area 1’s services, the campaigns might run afoul of campaign finance laws.
Area 1 made a formal request to the FEC to ask for an advisory opinion in April. As part of its request, Area 1 asked the commission to grant the company the same exemption the FEC granted to Microsoft last year.
The FEC ruled that Microsoft could offer “enhanced online account security services to its election-sensitive customers at no additional cost” because Microsoft would be shoring up defenses for its existing customers, not seeking to curry favor with political candidates, and would be acting on a nonpartisan basis out of business interests.
But on Monday, lawyers for the FEC said Area 1’s request did not meet the same bar as Microsoft’s and that the company’s services looked too much like a political contribution.