The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: FEC poised to limit who can give political campaigns free cybersecurity help

Placeholder while article actions load

with Tonya Riley


The Federal Election Commission appears poised to draw strict limits this week on which organizations can provide free cybersecurity help to political campaigns targeted by foreign hackers.

The FEC just recently gave the go-ahead to a nonprofit run by former campaign directors for Hillary Clinton and Mitt Romney, upending rules that typically consider such free services illegal campaign contributions. But commissioners appear ready to reject a similar request from a small for-profit company that protects against phishing attacks, according to two draft opinions commissioners will debate at a meeting Thursday. 

Cybersecurity pros argue that political campaigns need as much help as they can get if they want to avoid a replay of the Russian hacking operation that rocked the 2016 election. But campaign finance hawks are wary of opening the floodgates to all security organizations out of concern they’ll try to barter for political favors later.

“The concern is that a company provides free stuff to a candidate and the candidate gets into office and the company comes back and says, ‘Hey, you owe us,’ ” Adav Noti, chief of staff at the Campaign Legal Center told me.

Noti’s group wrote an early draft of the advisory opinion the FEC approved in late May allowing the nonprofit Defending Digital Campaigns to offer free cybersecurity services on a strictly nonpartisan basis. The reasoning, in a nutshell, was that the danger of Russian or Chinese hackers running roughshod over the 2020 campaign outweighed the danger of the nonprofit benefiting politically. 

But that reasoning shouldn’t extend to a private company, Noti told me, because a company’s main goal is making money and improving its standing – not improving democracy.

“Corporations just have no business giving money or free services to candidates under the law,” he said. “That’s exactly the sort of corruption of the democratic process these laws are here to correct.”

Yet security pros such as Oren Falkowitz -- CEO of Area 1 Security, the company seeking to provide the services -- say that limiting companies' contributions could leave presidential and congressional campaigns underprotected against an onslaught of attacks from Russian hackers looking to upend the 2020 contest or from other U.S. adversaries looking to follow the Russian playbook.

They argue campaigns won’t spend enough money on their own digital defenses — especially this early in the race — because all their money is going toward advertising and other campaign priorities that will keep them in the race.

“Candidates need to be able to protect themselves and to be able to pick the product they want," Falkowitz, a former NSA analyst, told me. "If they’re unable to get access to those products and if they don’t have the financial resources, we’re not going to like what happens.”

Falkowitz told me he hopes to change commissioners minds during the meeting. He insists his company isn't looking for political favors. Rather, Area 1 wants to boost its profile by demonstrating it can protect political campaigns.

"Our motivation for providing these services to candidates is not based on altruism or patriotism. We're a business…and the best customers to work with are the ones getting attacked the most.”

According to the report by former special counsel Robert S. Mueller III, Russian hackers sent about 90 sophisticated phishing emails to members of Hillary Clinton’s campaign team. “If you’ve proved that you can protect presidential candidates, those are the most attacked people. You’ve shown the value of your product,” Falkowitz said. Protecting campaigns will also confer a sense of pride on Area 1 employees, the company argued in its FEC request

And by tracking the phishing threats facing campaigns, Area 1 would also gather valuable data about sophisticated Russian and Chinese phishing efforts that it can use to better protect its other customers, Falkowitz said.

The company offers free and reduced-price services to some customers for the same reason, he said — including an aviation start-up that he said is frequently targeted by Chinese hackers.

Falkowitz compared his company’s request to a 2018 advisory opinion in which the FEC determined Microsoft could offer upgraded cybersecurity services to federal political campaigns and party committees — if they were already paying for the company’s software.

In that case, the FEC said Microsoft was offering the free services “based on commercial rather than political considerations” — partly because the company also offered free services to other categories of nonpolitical clients such as local governments, teachers and students.

The commissioners also recognized, however, that Microsoft had a business interest in avoiding bad headlines if high-profile users — who were already paying customers — were hacked.

That wouldn’t apply to Area 1 because the campaigns aren’t already using its products, commissioners noted in one of their draft opinions.

FEC advisory opinions are basically guiding principles for what’s legal under election law. So, the DDC opinion opens the door for more non-profits to offer free cybersecurity services -- as long as they’re doing it on a totally non-partisan basis. But a ruling against Area 1 would shut the door on those same services from private companies.

If campaigns can’t get enough free cybersecurity help from DDC and similar groups, Noti said, then Congress should either appropriate money so the government can pay for the cybersecurity services or change the law so companies can provide them legally.

“What’s not an option is for a government agency like the FEC to disregard the statute it’s charged with enforcing,” he said. 


PINGED: Federal authorities are investigating a Twitter handle that claimed to be run by hackers responsible for a ransomware attack that’s crippled the city of Baltimore for nearly a month, the Baltimore Sun’s Ian Duncan reported.

Before it was suspended Monday, the account was taunting Baltimore Mayor Bernard C. “Jack” Young by saying it had obtained personal data about Baltimore citizens, Duncan reported. The handle sent a similar threat via direct message to a Sun reporter, he wrote.

“‘That was not a simple ransom. It’s more,’ the account posted May 12, along with an image of what appear to be faxes sent to the city, along with technical data,” Duncan reported.

The account also sent a direct message to Ars Technica reporter Sean Gallagher saying it had not used a leaked NSA hacking tool in the Baltimore attack, Gallagher reported.

The New York Times reported the hackers used that tool to move through Baltimore’s networks, but the NSA disputed that claim in a briefing to an area congressman, Rep. Dutch Ruppersberger (D-Md.).  

Sen. Chris Van Hollen (D-Md.) also said the NSA malware was not used in the attack after a briefing with NSA officials Monday, Cyberscoop’s Shannon Vavra reported.  

PATCHED: After a two-year wait, the State Department has announced plans to create a new cybersecurity bureau. But Congress isn’t pleased so far.

Unlike an earlier cyber office, which then-Secretary of State Rex Tillerson shuttered in 2017, the new bureau would limit its mandate to a narrow definition of cybersecurity. According to a notice obtained by The Post, the new bureau will focus on “cyberspace security and the security-related aspects of emerging technologies” — not the way cybersecurity affects economic affairs, human rights and other key diplomatic issues.

That didn’t sit well with some lawmakers who’ve introduced legislation to broaden the department’s cyber work rather than narrow it. House Foreign Affairs Chairman Eliot Engel (D-N.Y.) told me he planned to put a hold on the effort. 

“This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber issues needs to elevate engagement on economic interests and Internet freedoms together with security,” Engel said.

Chris Painter, the first and only leader of State’s earlier cyber office, told me the proposed structure “misses a key opportunity to enhance coordination” and “reads like … the product of a bureaucratic internecine turf war rather than a reasoned strategic approach to these issues.”

Check out more from Politico’s Eric Geller, who broke the story:

PWNED: The medical testing company LabCorp acknowledged a data breach that affected 7.7 million patients Tuesday, cybersecurity blogger Brian Krebs reported.

The report came just days after Quest Diagnostics acknowledged a breach of nearly 12 million patients. Both breaches came via the third-party billing company American Medical Collection Agency, Krebs reported.

“The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies,” he reported.

The data in the LabCorp breach could include names, birth dates and addresses but does not include Social Security numbers or insurance information, Krebs reported.


Cybersecurity news from the public sector:

House judiciary's top Republican urges hearings into Russian... (Reuters)

House subcommittee approves funding bill with $600 million for election security (The Hill)

House bill would boost CISA funding by $335 million (CyberScoop)

New York's Privacy Bill Is Even Bolder Than California's (Wired)


Cybersecurity news from the private sector:

Jewish dating app JCrush exposed user data and private messages (Tech Crunch)

NSA warns Microsoft Windows users to update systems to protect against cyber vulnerability (The Hill)

Norsk Hydro core profit better than expected despite cyber attack (Reuters)

Bank heist with FIN7 traits went down while leaders were on the run, research suggests (CyberScoop)

'Sign In With Apple' Protects You in Ways Google and Facebook Don't (Wired)

Only 5.5% of all vulnerabilities are ever exploited in the wild | ZDNet (ZDNet)


Cybersecurity news from abroad:

Russia's Yandex resists pressure to share encryption keys with state (Reuters)


Here are four big issues that computer crime expert and University of Southern California Law Professor Orin Kerr expects the Supreme Court to resolve in the next five years: