The Washington Post - Democracy Dies in Darkness

The Cybersecurity 202: Free cybersecurity help for campaigns is on its way


with Tonya Riley


Securing political campaigns against cyberattacks is about to get a lot cheaper.

A nonprofit group that won permission in May from the Federal Election Commission to provide campaigns with free and reduced-price cybersecurity help is announcing its first slate of services this morning, including email security, encrypted messaging and security training for staff.

Defending Digital Campaigns, which was co-founded by Hillary Clinton’s 2016 campaign manager Robby Mook and Mitt Romney’s 2012 campaign manager Matt Rhoades, is basically a middleman for the services provided by cybersecurity companies. They’ll be available to presidential and congressional campaigns that meet certain polling or fundraising thresholds and to political party committees.

The DDC announcement marks one of the biggest efforts yet to prevent a repeat of the 2016 election, when Kremlin-linked hackers stole and released embarrassing documents from the Democratic National Committee and the Clinton campaign in an effort to help the Trump campaign, according to U.S. intelligence officials.

The announcement also comes as officials are warning that Russia has upped its game since 2016 and that China, Iran and North Korea may also try to undermine the 2020 contest.

The FEC typically bars companies from giving campaigns free services of any kind out of concern they could try to cash in on those favors after a candidate is in office. The commission made an exception for DDC, though, basically reasoning that the danger of foreign hackers upending the 2020 election outweighed those concerns.

It’s not clear whether presidential candidates’ cybersecurity protections are adequate to meet the threat, and things will be even tougher for some congressional campaigns, which are just now ramping up.

“Protecting the campaign ecosystem is really essential to protecting our democracy,” DDC President and CEO Michael Kaiser told me. “The most essential part of our democratic process is the ability for people to go out and talk about their ideas and talk about their policies and talk about how they view America's future [and] cyber incidents really have a chance to degrade that whole process.”

Kaiser declined to say what campaigns had committed to using DDC’s services but told me there was broad interest among candidates and party committees.

“I hope...campaigns will sign on, and I expect that they will,” he told me. “There's no doubt that people are aware that the threat environment is very real and people can expect the threats to escalate as we move through the [election] cycle.”

Companies partnering with DDC include the anti-phishing Area 1 Security, the encrypted messaging platform Wickr, the email security firm Agari and the software and mobile security firm Lookout, among others. DDC declined to say which services will be offered free and which will be provided at a reduced price, but an official told me the organization will post online the total value of all services donated by the companies it works with.

DDC is asking additional cybersecurity companies to offer their services and plans to vet companies to make sure they don’t pose security risks of their own.

The organization also pledged to be fully nonpartisan and transparent about its funding. So far, the vast majority of that funding comes from two $250,000 donations from LinkedIn co-founder Allen Blue and cybersecurity venture capital investor Ron Gula, a former co-founder of Tenable Network Security — both of whom will also serve as board members, according to the company’s announcement this morning.

Gula told me the board position and donation weren’t contingent on each other. One big motivator for him making the donation, he said, was a chance to demonstrate the importance of cybersecurity to politicians making laws that affect it.

“I hope when a lot of these candidates get into office they’ll remember how important encryption is and what two-factor authentication is,” he said, referring to a common security procedure for accessing mobile devices and websites. “It’s good for the country to have politicians who are knowledgeable about cyber issues.”

The group’s other board members are Debora Plunkett, former director of the National Security Agency’s defensive arm, and Suzanne Spaulding, former chief of the Homeland Security Department’s cybersecurity division.


PINGED: The Interior Department is grounding its entire fleet of drones, all of which are made in China or have Chinese parts, until the department can review them for potential security risks, Timothy Puko and Katy Stech Ferek at the Wall Street Journal report. The decision marks one of the biggest responses by a federal agency to growing concerns that Chinese technology could be exposing the government to hacking and surveillance risks.

The Interior Department relies heavily on drones to fight forest fires, inspect dams and monitor federal lands among other tasks. The department will make an exception in emergency situations such as natural disasters, spokesman Nick Goodwin told the Journal.

Congress banned the Pentagon from buying Chinese-purchased drones earlier this year. Lawmakers introduced bipartisan legislation last month that would effectively extend that ban to civilian agencies.

PATCHED: Facebook yesterday took down three networks of Russia-backed accounts that were attempting to influence the politics of users in eight African countries, Davey Alba and Sheera Frenkel at the New York Times report. The accounts, some of which were run by locals, reached more than 1 million users collectively and posted nearly four times as much as Russia-backed pages ahead of the 2016 election.

Partnering with locals allows Russians to avoid making fake accounts and decreases their risk of getting caught, said Alex Stamos, Facebook’s former security chief and now head of the Stanford Internet Observatory. That's a model the Kremlin will likely employ in the United States before 2020, he suggested. 

“We will see a model where American groups are used as proxies, where all the content is published under their accounts and their pages,” he said.

Facebook has tied the accounts to Yevgeniy Prigozhin, a Russian businessman charged with funding the notorious Russian troll farm Internet Research Agency during its efforts to interfere with the 2016 U.S. elections. Facebook took down 50 IRA-backed Instagram accounts peddling political content to U.S. users last week.

PWNED: Two men pleaded guilty yesterday to computer hacking and extortion for a 2016 breach of Uber in federal court, Mike Isaac at the New York Times reports. The hack was a significant embarrassment to Uber, which originally offered to pay off the hackers through a bug bounty program in an effort to not disclose the breach to consumers.

Uber eventually revealed the breach in 2017 and later reached a $148 million settlement with state attorneys general.

The two hackers, Canadian citizen Vasile Mereacre and Florida resident Brandon Glover, also pleaded guilty to separate hacking and extortion charges for a nearly identical breach targeting the LinkedIn-owned video training site Lynda. LinkedIn refused to pay off the hackers and disclosed the breach to users in 2016.

Law enforcement used the guilty plea as an occasion to chastise Uber for valuing its reputation over consumer privacy.

“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” U.S. Attorney David L. Anderson said. “Don’t be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.”

The pair of hackers are facing a maximum of five years in federal prison and a fine of up to $250,000 upon sentencing next year.



Senate Intelligence Committee ranking Democrat Mark Warner (Va.) thinks the White House should consider DHS’s top cybersecurity official to take over the agency, Inside Cybersecurity’s Mariam Baksh reports. “I think Chris Krebs over at DHS is doing a good job. He should be considered for secretary,” Warner told Baksh.

Other top Senate leaders declined to specifically endorse the DHS cyber chief for the post. When I asked Krebs about the suggestion, he declined through a representative to comment.

Acting DHS Secretary Kevin McAleenan has agreed to stay at his post until the White House finds a replacement.

— More cybersecurity news from the public sector:

Showing that the U.S. won’t hold it back, China launches commercial 5G service (Anna Fifield and Wang Yuan)

Almost 100 former officials, members of Congress urge Senate action on election security (The Hill)

Rules to stop China buying sophisticated U.S. tech must move faster: lawmaker (Reuters)

Senators introduce bill to strengthen cybersecurity of local governments (The Hill)


News is continuing to break after Facebook sued the Israeli spyware company NSO Group Tuesday for allegedly hacking its WhatsApp messaging service to help government customers spy on journalists and activists. NSO claimed its contracts limit customers to using its tools for legitimate purposes such as tracking terrorists and conducting serious criminal investigations, but a contract with the Republic of Ghana, presented as an exhibit in the WhatsApp lawsuit, includes no such language, Joseph Cox at Motherboard reports.

NSO employees are also alleging that Facebook is wiping their personal Facebook, WhatsApp and Instagram profiles in light of the ongoing litigation, the Register reports.

— More cybersecurity news from the private sector:

A DNA Database Containing Data From 23andMe and Ancestry Is Vulnerable to Attacks (One Zero)

Imperva planned to keep its CEO through a merger. Two months after a breach, he’s out. (CyberScoop)

An Army “hacker con” goes big: The return of AvengerCon (Ars Technica)

Business Groups Push Back Against Proposed Facial-Recognition Bans (Wall Street Journal)


— Cybersecurity news from abroad:

Indian nuclear power plant’s network was hacked, officials confirm (Ars Technica)

With eye to China, Israel forms panel to vet foreign investments (Reuters)

Spain and GitHub Are Blocking an App That Helped Protesters Organize (Vice)


— Today:

  • The Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Supply Chain Security, Global Competitiveness, and 5G” today at 9:30 a.m.

— Coming up:

  • Point3 Security, WomenHackerz, Women in Security (WoSEC), Gatebreachers and Women's Society of Cyberjutsu will host a capture the flag competition online and in person in Baltimore on Saturday from 12 p.m.-4 p.m.
  • The Judiciary Committee’s subcommittee on crime and terrorism will host a hearing entitled “How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors” on Tuesday at 2:30 p.m. EST.
  • The Senate Judiciary Committee will host a hearing on Reauthorizing the USA FREEDOM Act of 2015 on Wednesday at 2:30 p.m. EST.