Election Rules Are an Obstacle to Cybersecurity of Presidential Campaigns

One year out from the 2020 elections, presidential candidates face legal roadblocks to acquiring the tools and assistance necessary to defend against the cyberattacks and disinformation campaigns that plagued the 2016 presidential campaign.

Federal laws prohibit corporations from offering free or discounted cybersecurity services to federal candidates. The same law also blocks political parties from offering candidates cybersecurity assistance because it is considered an “in-kind donation.”

The issue took on added urgency this week after lawyers for the Federal Election Commission advised the commission to block a request by a Silicon Valley company, Area 1 Security, which sought to provide services to 2020 presidential candidates at a discount. The commission questioned Area 1 about its request at a public meeting on Thursday, and asked the company to refile the request with a simpler explanation of how it would determine what campaigns qualified for discounted services.

Cybersecurity and election experts say time is running out for campaigns to develop tough protections.

Christopher Wray, the F.B.I. director, warned in April that Russian election interference continued to pose a “significant counterintelligence threat” and that Russian efforts in the 2016 and 2018 elections were “a dress rehearsal for the big show in 2020.”

A bill introduced last month by Senator Ron Wyden, a Democrat from Oregon, would have allowed political parties to provide greater cybersecurity assistance to candidates. But it stalled in the Senate after the majority leader, Mitch McConnell, said he would not bring any election security bills to the floor for a vote.

The 2020 campaigns themselves are unlikely to have the expertise to track disinformation campaigns or to build sophisticated defenses needed to ward off hackers. In most cases, they cannot afford to pay outside experts market rates for such services, as required by federal election laws.

To thwart digital threats and phishing attacks, multinational corporations spend hundreds of thousands of dollars, at minimum, on security. Jamie Dimon, the chief executive of JPMorgan Chase, has said the bank spends nearly $600 million a year on security. Bank of America’s chief executive has said the bank has a “blank check” when it comes to cybersecurity. Security experts note that — despite significantly smaller head counts — presidential candidates and their campaigns are among the most targeted organizations in the world.

“Expecting campaigns to do this on their own is asking for failure,” said Laura Rosenberger, the director of the Alliance for Securing Democracy, a group that seeks to track and expose efforts by authoritarian regimes to undermine democratic elections.

Ms. Rosenberger knows the risks faced by campaigns. As a foreign policy adviser to Hillary Clinton in 2016, she saw firsthand the real-world effects of these attacks. In what’s called a spearphishing attack, Russian hackers compromised emails belonging to John Podesta, then Mrs. Clinton’s campaign chairman, and employees at the Democratic Congressional Campaign Committee.

“If we’re putting campaigns on the front lines alone, and they’re having to defend themselves alone, then we’ve lost,” she said.

But guarding against Russia is just one of the challenges, officials and experts said.

“Russia drafted a playbook that other international actors can use,” said Nathaniel Persily, co-director of the Stanford Cyber Policy Center and a law professor at Stanford Law School. “We should not be surprised if other nation-states and stateless entities try to take a page from the Russian playbook in the next election.”

There are also concerns that domestic players could do the same thing.

Last month, the F.E.C. ruled that a nonprofit organization, Defending Digital Campaigns, could provide free cybersecurity services to political campaigns. But the ruling was narrow, and applied only to nonpartisan, nonprofit groups that offer the same services to all campaigns. Defending Digital Campaigns was founded by Robbie Mook, who ran Mrs. Clinton’s 2016 campaign, and Matt Rhoades, who managed Mitt Romney’s campaign in 2012.

But nonprofits can only do so much, experts said, and in many cases there are private companies with better technology for fending off hackers.

The case heard this week by the F.E.C. involves Area 1, which says it has developed tools to block spearphishing attacks.

In anticipation of future attacks, a number of candidates running for office in 2020 contacted Area 1 to ask for its anti-phishing services, said Oren Falkowitz, a former analyst at the National Security Agency who helped found the company.

Area 1 works with a number of large corporations and assists smaller firms and nonprofits, charging a rate lower than what it charges big clients, Mr. Falkowitz said. He noted that the pricing model was fairly standard. Other tech companies like Dropbox and Slack give away many of their services to individuals and smaller organizations, but charge larger businesses to use their products.

Lawyers for three of the 2020 candidates that contacted Area 1, who could not be named because of confidentiality agreements, told the company that they worried that by using Area 1’s services, the campaigns might run afoul of campaign finance laws.

Area 1 made a formal request to the F.E.C. to ask for an advisory opinion in April. As part of its request, Area 1 asked the commission to grant the company the same exemption the F.E.C. granted to Microsoft last year.

The F.E.C. ruled that Microsoft could offer “enhanced online account security services to its election-sensitive customers at no additional cost” because Microsoft would be shoring up defenses for its existing customers, not seeking to curry favor with political candidates, and would be acting on a nonpartisan basis out of business interests.

But on Monday, lawyers for the F.E.C. said Area 1’s request did not meet the same bar as Microsoft and the company’s services looked too much like a political contribution.

The commission has been sensitive to the influx of so-called dark money into campaigns and maintains a high bar for granting exemptions because of concerns that an exemption could create a loophole for corporations looking to influence an election.

Daniel A. Petalas, outside counsel for Area 1 and a lawyer at the firm Garvey Schubert Barer, said the draft opinion was based on a misunderstanding. In return for helping the candidates, Area 1 could gain valuable research, he said.

“Area 1’s whole purpose, their whole basis for being, is attacking the phishing issue,” Mr. Petalas said. “There’s really nowhere it’s more dramatically presented than in the election context, given what happened in 2016.”

Election security experts said lawmakers must address rules that prohibit cybersecurity firms from providing assistance to campaigns.

“The idea that this is even an issue is just insane,” Mr. Persily said in an interview Tuesday.

For now, campaigns must fend for themselves, and most are vulnerable to more phishing attacks.

“On the cyber side, campaigns obviously have to do a lot to have much, much tougher defenses than they had in ’16, and I see very little of that so far,” said Ms. Rosenberger, the former Clinton worker.