By: Amy Larsen*
April 28, 2020
During this period when the nation’s attention is fixed on countering COVID-19’s spread, it is useful to recall a major national security threat revealed by the last election cycle emanating from foreign hacking of domestic political campaigns. Crises like the current pandemic have a long legacy of coinciding with disinformation tactics, akin to those leveled against the Democratic National Committee (DNC) in 2016. In the 1980s, the KGB’s infamous Operation Infektion undermined America’s image abroad, while sowing distrust of the country’s public health institutions at home. Through magazines, wire services, newspapers, television, and radio broadcasts, Soviet conspiracies positing U.S. origins of HIV/AIDS swept the globe. The disease’s characterization as an offensive weapon developed by a power-hungry North American hegemon appeared in over 80 countries and more than 30 languages. Amid the rise of cyberwarfare, the federal government should heed this historical episode’s lesson. The atmosphere of anxiety prompted by current circumstances is fertile ground for hackers to seize data and disperse divisive disinformation, as occurred within the first few weeks of the COVID-19 pandemic.1“Foreign hackers have tried to breach US Health and Human Services networks, and use fears about the virus to infiltrate computers for financial gain. The cybersecurity firm FireEye reported on March 25 that Chinese hacker group APT41, a group affiliated with the Chinese government that also seems to work for its own members financial gain, began waging a cyber intrusion campaign across multiple countries and multiple economic and government sectors in January as the Wuhan outbreak emerged. FireEye called it ‘one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.’” Our current election cycle may present both similar and particular vulnerabilities in the cyber domain.
During an era in which individuals, companies, and government agencies around the world are being forced to adapt to an increasingly digitized reality where information is transferred in the blink of an eye, the U.S. Federal Election Commission (FEC) is no exception. This means confronting the threats that challenge the core functions of such an agency, and in so doing, venturing tentatively into previously unfamiliar domains such as cyberspace. Meanwhile, nonprofit organizations and efforts like Foresight2020 are also responding to new opportunities and unfulfilled needs to secure the digital infrastructure that undergirds America’s democracy.
Reevaluating Campaign Contributions that Enhance Cybersecurity
The fourth word of the FEC’s mission, “to protect the integrity of the federal campaign finance process,” is often obscured amid contentious debates about who can contribute money to which kinds of organizations involved in politics. Before 2016, few could have imagined that this agency, so often focused on the minutiae of arcane domestic regulations, would make a foray into national security. Yet evidence continues to surface demonstrating that cybersecurity breaches have deeply impacted American elections. These risks grow as speedily as the internet itself expands. Individual and organized crime, terrorists, and nation states aim to steal, manipulate, destroy, or deny access to sensitive data, thereby distorting political processes. Long before the well-known hack of the DNC in 2016, similar thefts of information succeeded against the campaigns of then-Senators Barack Obama and John McCain in 2008. They recurred with less notoriety in 2012.
Furthermore, intelligence assessments conducted by the federal government have consistently and uniformly suggested these interruptions will continue. For instance, the 2019 Worldwide Threat Assessment published by the Director of National Intelligence lists “Cyber” and “Online Influence Operations and Election Interference” as two of the top global threats faced by the United States, noting that “[o]ur adversaries and strategic competitors probably already are looking to the 2020 US elections as an opportunity to advance their interests. More broadly, US adversaries and strategic competitors almost certainly will use online influence operations to try to weaken democratic institutions, undermine US alliances and partnerships, and shape policy outcomes in the United States and elsewhere.”
These trends have led the FEC to relax its previous holdings in a crucial area of election law. The Federal Election Campaign Act prohibits corporations from making contributions to federal candidates as well as political committees that contribute to federal candidates. These legal strictures are rigorously enforced, with “contribution” being construed as any “direct or indirect payment, distribution, loan, advance, deposit, or gift of money, or any services, or anything of value…in connection with any [federal] election.”252 U.S.C. § 30118(b)(2); see 11 C.F.R. § 114.2(b). However, following an outcry after the 2016 national elections, the FEC has engaged with arguments from the private sector and civil society regarding whether political campaigns may accept low-cost or free cybersecurity services or trainings from companies with sophisticated products.
After petitioning the FEC for clarification on this issue last year, Area 1 Security, a cybersecurity company that helps clients detect and block phishing attacks, received a green light. In a hearing and accompanying advisory opinion in July 2019, the FEC concluded that “because Area 1 is proposing to charge qualified federal candidates and political committees the same as it charges its qualified non-political clients, the Commission concludes that its proposal is consistent with Area 1’s ordinary business practices and therefore would not result in Area 1 making prohibited in-kind contributions to such federal candidates and political committees.” The FEC’s Advisory Opinion also resolved a larger question, holding that such assistance would therefore “not constitute an in-kind contribution, as long as the cybersecurity firm already offers discounted solutions to similarly situated non-political organizations, such as small nonprofits.”
This finding was the most recent link in a somewhat disjointed chain of advisory opinions issued by the FEC pertaining to cybersecurity offerings marketed to political candidates and committees. In May 2019, the FEC ruled that a nonprofit, Defending Digital Campaigns (DDC), was allowed to provide free cybersecurity services to political candidates, while limiting the scope of which organizations could provide such services to similarly situated nonpartisan, nonprofit groups that offered these services to all campaigns. In 2018, the FEC had similarly permitted Microsoft Corp. to provide “a package of enhanced online account security services at no additional charge on a nonpartisan basis to its election-sensitive customers, including federal candidates and national party committees.” It reasoned this would not create conflicts of interest because Microsoft was assisting current customers rather than attempting to curry favor among political candidates who were not yet clients.
Cumulatively, the FEC’s 2019 advisory opinions now authorize two important means of addressing cybersecurity threats: For-profit companies focused on cybersecurity may offer discounted services to campaigns if they also offer similar discounts to non-campaign entities. In addition, nonprofit organizations whose sole purpose is to dispense cybersecurity services at little to no cost to political campaigns may do so without sanction. The FEC’s justification for these changes was explicit: “the Commission concludes that the current threat of foreign cyberattacks presents unique challenges… and that this highly unusual and serious threat militates in favor of granting DDC’s request.”
These broader reforms have been paired with proposals for smaller, more immediate, technical measures. In her February 6, 2020 testimony before the U.S. House Committee on the Judiciary’s Subcommittee on the Constitution, Civil Rights and Civil Liberties, FEC Commissioner Ellen L. Weintraub put forward a practical step. “If Congress decides to keep [“Cromnibus accounts,” which “allow contributors to give hundreds of thousands of dollars to the national party committees”], one improvement would be to allow the party headquarter building funds to be used to pay for cybersecurity defenses for parties and candidates.” Nine months earlier, the Association of State Democratic Committees had unanimously passed its “Resolution on Protecting Our Elections from Foreign Manipulation,” backing this proposal.
Foresight2020 Addresses A Crucial Need
Part of the reason the FEC has ventured into cybersecurity relates to campaigns’ unique vulnerabilities. Campaigns’ priorities are often far removed from securing their digital infrastructure. Rather, they are typically focused on introducing candidates to the public and spreading their message. Last April, Matt Rhoades, who managed Mitt Romney’s 2012 presidential campaign, explained to the FEC, “when you’re first setting up and… raising those precious hard dollars, the last thing you want to do is to spend them on something to secure your networks.” Cash-strapped dark horses and front-runners alike face enormous constraints on their resources as they attempt to break through to the top tier of candidates and maintain a lead. Ensuring the security of internal campaign networks and data often takes a back seat, as the pressure to conserve a war chest inevitably results in risk-taking and difficult trade-offs.
In addition, skilled cybersecurity workers have not previously enlisted in campaigns in significant numbers. Traditionally, the work of professional campaign staff and volunteers has not required establishing and maintaining significant digital protections. Yet today, understanding and defending against campaigns’ particular vulnerabilities is crucial to their success. According to the website of Foresight2020 (foresightpartners.us), a nonpartisan cyber defense and preparedness training that the author, Amy Larsen, co-founded last year, “Security is not a one-size-fits-all endeavor. Organizations have different security needs, depending on their respective industries and what’s at stake… Defensive and preparatory actions need to be tailored to specific contexts, requiring candidates and advisors to have knowledge of cyber threats and the unique environment in which campaigns operate.”
To date, Foresight2020 has delivered in-person and virtual trainings to over 50 candidates running for federal office, their staff, and current office holders around the country, with additional virtual training sessions for 200 more scheduled in the month ahead. While the FEC’s rulings have endorsed the provision of such crucial cybersecurity trainings to vulnerable candidates by nonprofits free of cost, nonprofits should not be expected to carry the full weight of attempting to protect political campaigns from cyber intrusions.
Capacity May Be Limited in the Private Sector
Neither should the private sector be expected to take on the monumental task of securing political campaigns on top of core business activities as a pro bono or corporate social responsibility effort, though the FEC has partially permitted it to lend a hand. In its statement regarding phishing services, the FEC noted, “Most relevant to the present circumstances… the Commission concluded that a corporation may provide cybersecurity services to federal candidates and national party committees that were existing customers of the corporation at no additional cost.” In reaching this judgment, the Commission found that the corporation offered its cybersecurity services “in the ordinary course of business” and made the same offer available to its similarly situated non-political customers, including public-sector entities, educational institutions, teachers and students, small and large businesses, start-up companies, and 501(c)(3) nonprofit organizations. These steps, which typically extend or top off existing systems, provide needed support. But this approach will not fix fundamental gaps in campaign cybersecurity.
“[T]he ordinary course of business” is also a key phrase, given that elections of all varieties are held across the United States every year. State and local elections across the country often occur in off-year cycles and frequently rely on nonstandard primary procedures. In its “State and Local Election Cybersecurity Playbook,” the Defending Digital Democracy Project noted “how difficult it is to defend the multifaceted nature of the elections process. In the United States, elections are among the most complex and decentralized operations in either the public or private sectors.” The federal election cycle is just the most visible layer of complex, interlinking systems. Given that every two years, the entirety of the House of Representatives competes for re-election, along with one-third of the Senate, thousands of campaign organizations will need cybersecurity services this year and in the future. If private corporations become overextended or decide not to provide comparable services “available to its similarly situated non-political customers” beyond their existing customer base, the reach of the FEC’s exemption may be blunted. Since startups must be prudent in providing discounts if they lack a large customer base, and because larger corporations may primarily count better-endowed campaigns among their existing client base, the FEC’s ruling could, standing on its own, exacerbate unequal access to cybersecurity resources.
The debacle at this year’s Iowa democratic caucus demonstrates another important, if rarely acknowledged, reality about for-profit solutions offered at low cost. They are often riddled with bugs. The app that caused the difficulty was created by a company, Shadow Inc., which describes its central goal as “build[ing] political power for the progressive movement by developing affordable and easy-to-use tools for teams and budgets of any size.” To meet expectations about cost while attempting to serve this purpose, the makers sidestepped routine tests that ordinarily ensure digital infrastructure works properly.3“Officials at the Democratic National Committee, who were alarmed that the rushed app might not be ready for rollout, pressed Iowa to pay for an independent security review of the Shadow app, which found very basic bugs, a person familiar with the matter said.” By avoiding app store review processes, a vulnerability of software unvetted by market forces could lead to ill-timed failures in the future as well, as occurred across Iowa’s caucus sites. This bypass could also lead to severe breaches of cybersecurity, for instance, if software harbors malware or pathways to illicit data transfer. Cutting costs to deploy remedies at scale will remain a risk for campaigns and political parties that select cheaper options to address their needs.
Institutional Changes Should Overtake Foresight2020
It is a rare organization that roots for its own obsolescence, but that is Foresight2020’s idealized vision of its future. Ultimately, policymakers must recognize the best path forward is to institutionalize and professionalize the organization’s work. Providing at least a basic level of cyber defense preparedness training to first-time Congressional and Senate candidates should become a precept of election regulations at all levels of government. In the early 1990s, few could have imagined that elected office-holders in municipal and federal government would be trained, as a matter of course, in cybersecurity recognition and defense after being sworn into their new roles.4“Similarly, the National Conference of State Legislatures has a task force on cybersecurity ready to educate incoming elected officials. Many state and local governments have made progress, hiring chief information security officers (CISOs), enacting risk-based, data-driven cybersecurity practices, and investing in best-of-breed technology.”
But such cyber trainings are needed well before would-be officeholders get elected. Rather than relying on nonprofits and a limited number of private companies to provide cyber trainings and materials to political campaigns, more sustainable solutions should follow from institutional changes to the political party system. On the one hand, the nonpartisan nature of the relevant cyber defense and preparedness training materials makes providing equal resources at least theoretically feasible. In addition, all parties have an interest in protecting themselves and their candidates, and would likely adopt trainings and workshops if they were easily accessible. One downside of locating cybersecurity tools within party entities like the DCCC, however, might be that the party organization could be tempted, or awkwardly forced, to choose which primary candidates receive these resources. This could lead to internal party rancor, frustration, jockeying, or charges of picking winners and losers. But these dynamics have always been baked into running national parties, which must dispense resources according to their shifting priorities. In addition to training videos and materials being made available to candidates universally, political parties could employ a team of candidate-agnostic or nonpartisan cyber experts to field technical and other digital security questions as they arise on the front lines.
At the same time, the centralization of threat reduction, incident response, and coordination of public-private information sharing should continue to be a core undertaking of the federal government. The FBI, for instance, uses the ic3.gov portal to collect reports of potential phishing attempts and distribute announcements of patterns of attempted hacks.5For instance, the most recent report was entitled“Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments.” However, there is evidence the COVID-19 crisis may be hampering the expansion of these efforts. InfraGard, the FBI’s public private partnership with the tech sector, has recently suspended new applications to extend its network.6As of April 16, 2020, the InfraGard webpage features this notice: “Due to extenuating circumstances, the processing of InfraGard applications will temporarily be suspended. We apologize for any inconvenience this may cause.” During such crises, of course the opposite response is needed. These services must be expanded and bolstered, since threat detection efforts and their corollary alerts are only effective if participation is high on the front end. Campaign-specific training for those on the receiving end of such a collection portal is also necessary, and plans to surge these programs during election years would allow the FBI to more efficiently recognize attack patterns during critical seasons of democracy.
Doing Our Part in 2020
Shoring up campaign cybersecurity in 2020 will likely confirm the essential need for these services in future elections as well. The unprecedented circumstances of this year, which combine the aftermath of COVID-19’s initial spread with economic, financial, and public health shocks, along with an increasingly remote workforce, will highlight the need for campaigns and others to maintain seamless, yet secure, communications within and among networks. At least in the short run, the provision of cyber defense trainings and materials to vulnerable campaigns by organizations like Foresight2020 and DDC will be shaped by the availability of grant funding to support in-person and on-demand trainings. In addition, the lack of regulation or guidance to suggest which candidates and staff should be trained, and at what stage of their campaigns, may result in the uneven delivery of resources. Favored candidates may be unintentionally prioritized by nonpartisan organizations, for instance, simply because their campaigns receive more media attention and are better-known.
Recent proposed legislation offers hope of wider, systemic reform. In May 2019, Senator Ron Wyden (D-OR.) introduced the Federal Campaign Cybersecurity Assistance Act, which was referred to the Senate Committee on Rules and Administration, where it has unfortunately remained since the month it was introduced. This bill would allow national party committees to offer cybersecurity assistance to candidates running for office, as well as to state parties. Senator Wyden also introduced the Protecting American Votes and Elections (PAVE) Act in May 2019, which would mandate the use of paper ballots in U.S. elections and prohibit all internet, Wi-Fi, and mobile connections to voting machines in order to minimize the potential for cybersecurity intrusions. This bill would also grant the Department of Homeland Security the authority to set minimum cybersecurity standards for voting machines across the country, while authorizing a one-time $500 million grant program for states to purchase ballot-scanning machines to count paper ballots. Finally, the bill would compel states to perform risk-limiting audits of all U.S. federal elections to detect cyberattacks. At the moment, this bill also remains with the Senate Committee on Rules and Administration. These initiatives represent steps that are necessary to secure elections in the future, and should be taken up immediately.
In the meantime, Foresight2020 and others make open-source trainings and materials available to all levels of candidates at any stage of their races. Ensuring the integrity of political campaigns requires at least this, along with assistance from for-profit companies, as a temporary stop-gap measure until the federal government considers a more holistic and sustainable approach to securing campaigns and elections in cyberspace. At present, the United States occupies a unique strategic moment in which it can harness its powers of hindsight – by applying the lessons of recent electoral cycles – and foresight – by identifying both the threats and opportunities that lie around the next electoral corner – in order to update safeguards to the democratic process in the era of cyber threats. As the saying goes, it would be a shame to let this crisis go to waste.
Interested campaigns can learn more about Foresight2020 at foresightpartners.us.
Amy Larsen works on national security and cybersecurity as an attorney within the Global Risk + Crisis Management practice at Morrison & Foerster LLP. Amy previously served in the last White House under Vice President Biden, worked as a Lantos Fellow in Rep. Nita Lowey’s office on the U.S. foreign affairs budget, was hired as an Obama campaign field organizer in Colorado, and served as a Harvard Juster Fellow at the State Department’s U.S. Mission to the EU in Brussels where she focused on international trade, sanctions, and speechwriting. Amy co-founded Foresight2020, a cyber defense and preparedness training for politicians, and Congressional and Senate campaigns. She is Partner within the Truman National Security Project, an Aspen Security Scholar, and a Fulbright Scholar (South Korea). Amy currently serves on the Board of the New York Lawyer Chapter of the American Constitution Society, as well as on the Advisory Board of Govern for America. Amy holds a B.A. from Yale, an M.P.A. from the Harvard Kennedy School of Government, and a J.D. from NYU Law, where she served on the Moot Court Board. All views expressed in this article are her own.
*The author gratefully acknowledges the research assistance and editing provided by Dr. George Bogden. George is a JD candidate and Dean’s Award Scholar at New York University’s School of Law. Previously, he served as the first Associate Director of the Center for the Future of Liberal Society at the Hudson Institute. He received M.Phil. and D.Phil. degrees in international relations from the University of Oxford, where he was awarded a Clarendon Scholarship. During the last year of his doctoral studies, he served as a Fulbright Public Policy Fellow in Kosovo. Before beginning his graduate studies, he received his B.A. in political science from Yale, serving as the university’s Fox International Fellow in Istanbul the following year.
Suggested Citation: Amy Larsen, Foresight, Hindsight, and the Merits of a Comprehensive Approach to Protecting Political Campaigns from Cyberattacks, N.Y.U. J. Legis. & Pub. Pol’y Quorum (2020).
- 1“Foreign hackers have tried to breach US Health and Human Services networks, and use fears about the virus to infiltrate computers for financial gain. The cybersecurity firm FireEye reported on March 25 that Chinese hacker group APT41, a group affiliated with the Chinese government that also seems to work for its own members financial gain, began waging a cyber intrusion campaign across multiple countries and multiple economic and government sectors in January as the Wuhan outbreak emerged. FireEye called it ‘one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.’”
- 252 U.S.C. § 30118(b)(2); see 11 C.F.R. § 114.2(b).
- 3“Officials at the Democratic National Committee, who were alarmed that the rushed app might not be ready for rollout, pressed Iowa to pay for an independent security review of the Shadow app, which found very basic bugs, a person familiar with the matter said.”
- 4“Similarly, the National Conference of State Legislatures has a task force on cybersecurity ready to educate incoming elected officials. Many state and local governments have made progress, hiring chief information security officers (CISOs), enacting risk-based, data-driven cybersecurity practices, and investing in best-of-breed technology.”
- 5For instance, the most recent report was entitled“Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments.”
- 6As of April 16, 2020, the InfraGard webpage features this notice: “Due to extenuating circumstances, the processing of InfraGard applications will temporarily be suspended. We apologize for any inconvenience this may cause.”