By Joseph Marks
Democratic presidential candidate Hillary Clinton, center, accompanied by campaign manager Robby Mook. (Andrew Harnik/AP)
The proposal’s authors, Hillary Clinton’s 2016 campaign manager Robby Mook and Mitt Romney’s 2012 campaign manager Matt Rhoades, come to the issue from bitter experience. The Romney campaign was targeted by Chinese hackers, and Clinton’s campaign was upended by a Russian hacking and disinformation operation aimed at helping Donald Trump.
The bipartisan duo want to help presidential and congressional campaigns steer clear of similar hacking operations by allowing nonprofits to provide cybersecurity free of charge. But first they need the FEC to say those services don’t amount to an illegal campaign contribution.
“This is warfare,” Mook told FEC commissioners during a review of the proposal April 11. “People are trying to disrupt our democracy.”
The plan is a hit with many cybersecurity pros who say campaigns aren’t equipped to defend themselves against sophisticated, government-backed hacking operations from Russia and China, and think this might level the playing field.
Good-government advocates, however, say the proposal creates a loophole for cybersecurity and tech companies -- or other nonprofit groups -- to secretly curry favor with politicians. It's not just the bipartisan group that could offer protections for free, but any nonprofit that wants to.
“You can go to a lawmaker and say, ‘Hey, remember the time that the Russians tried to hack your campaign and we caught them and didn’t even charge you for it? You owe us,’ ” Adav Noti, chief of staff at the Campaign Legal Center, told me.
Mook and Rhoades plan to offer the services through a nonprofit corporation called Defending Digital Campaigns and would rely partly on volunteer services from cybersecurity professionals. The project grew out of a separate initiative they helped launch at Harvard University’s Belfer Center about eight months after the Clinton defeat called Defending Digital Democracy.
Cybersecurity assistance would be particularly helpful for first-time congressional candidates and non-incumbents who don’t have large war chests to hire private sector cybersecurity companies, they told FEC commissioners this month.
That’s especially important because foreign hackers could target those campaigns, looking to cut short the careers of rising stars or to stow away compromising information to be deployed later in their careers, they said.
Mook and Rhoades declined through a Belfer Center spokeswoman to comment in advance of today’s hearing.
Their FEC proposal is narrowly tailored to avoid sparking many ethics concerns.
Mook and Rhoades's organization is officially nonpartisan and would provide services to any campaign that meets minimum criteria – including third-party candidates.
For presidential races, campaigns would have to register 5 percent of support in polling from likely voters. House candidates would be eligible once they’d raised at least $50,000 in donations and Senate candidates would have to raise at least $100,000.
That still sparks concern among campaign finance advocates, however, who note that plenty of organizations might be nonpartisan but still seek special treatment from politicians.
“Influence buying is not lessened by the fact a company does it on both sides of the aisle,” Noti said.
Noti’s organization wrote one of at least three advisory opinions the FEC will be mulling today.
Its proposed opinion says it’s legal for the group to provide campaigns free cybersecurity services – but only because the prospect of those campaigns being hacked by foreign governments is far worse than the prospect of cyber pros gaining undue influence. If the threat of election hacking diminishes or the government comes up with a better way to defend campaigns, then the opinion would be invalidated.
Two other proposed opinions – both drafted by the commission itself -- focus more narrowly on whether the cybersecurity assistance is a campaign contribution. One says it’s a contribution (and thus illegal) and the other says it isn’t a contribution (and thus is legal). Other proposed opinions might be submitted in advance of the meeting.
FEC advisory opinions represent the commission’s best judgment about whether something is legal or isn’t -- but they don’t carry the weight of, say, a judge’s ruling.
Other organizations could use the advisory opinion as legal cover if they wanted to offer campaigns free cybersecurity help -- but they’d have less cover the more dissimilar they are from Defending Digital Campaigns. Groups that only wanted to offer assistance to Republicans or Democrats, for example, would not have a good case.
The FEC first received the Rhoades and Mook proposal in October but has deferred ruling on it several times to future meetings. During the April 11 meeting several commissioners praised the proposal’s goals but also fretted about the precedent for campaign contribution rules.
Chairwoman Ellen Weintraub, for example, said she worried the request would “blow a hole through” the ban on corporate contributions.
“I would like to support this endeavor,” she said. “I also have an obligation to protect the law.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
Rep. Cheri Bustos (D-Ill.) speaks to her constituents from Illinois' 17th District. (Melina Mara/The Washington Post)
Rep. Cheri Bustos (D-Ill.), chairwoman of House Democrats’ national campaign committee, asked her Republican counterpart to steer clear of hacked material Wednesday, renewing a claim Democrats have made since 2016, my colleague Mike DeBonis reports.
“There is no question that agents of the Russian government and other bad actors will attempt to infiltrate both the [Democratic Congressional Campaign Committee] and [National Republican Congressional Committee] to steal information for malicious use again in this upcoming election,” Bustos wrote in a letter to Rep. Tom Emmer (R-Minn.).
The request comes after Democratic National Committee Chairman Tom Perez made a similar pledge Monday and called on his Republican counterpart Ronna McDaniel to do the same.
“The pledge that Bustos describes in her letter to Emmer covers several points, including a promise not to ‘participate, aid or encourage hackers or foreign actors,’ not to seek out hacked or stolen materials, not to use or covertly circulate known hacked or stolen materials, not to support any campaign or outside group that uses those kinds of materials, and to contact law enforcement if any related illicit activity is suspected,” Mike reported.
Newsrooms, meanwhile, haven’t created hard-and-fast rules about how to treat information leaked by foreign hackers – but they’re thinking far more seriously about the question than in 2016, CNN Business’s Oliver Darcy and Donnie O’Sullivan report.
As the 2020 campaign kicks off, “most of the news organizations that CNN Business contacted … did not reveal any sweeping changes to [their] rules about publishing hacked materials,” Darcy and O’Sullivan reported. “But they did make a case for publishing with care and context that is valuable to voters who read their stories.”
A sign above the headquarters of Kaspersky Lab in Moscow. (AP Photo/Pavel Golovkin, File)
The plan is a shift for DHS, which has typically focused on securing computer networks by finding and rooting out attackers rather than by excluding components that are especially vulnerable to hacking or are manufactured by suspect companies.
The effort was partly sparked by DHS’s 2017 decision to ban federal agencies from using the Russian anti-virus company Kaspersky, which officials feared could be a conduit for Kremlin hacking.
The supply chain plans will include early drafts of a proposal for how and when government and industry can work together to create lists of qualified manufacturers for certain highly sensitive technology systems, Bob Kolasky, who leads DHS’s National Risk Management Center, told reporters in a conference call.
Those plans will likely focus on instances where the component is vital to U.S. cybersecurity but the number of suppliers is large enough that creating qualified manufacturer lists won’t unfairly damage competition, Kolasky told me after the call. Officials haven’t worked out who will write the lists or ensure companies abide by them, he said.
Another work stream is looking at how to retrofit government and industry groups that currently share information about imminent hacking threats to also share information about supply chain threats, Kolasky said.
PWNED: The National Security Agency is recommending that the Trump administration abandon a controversial surveillance program revealed by leaker Edward Snowden that collects information about U.S. phone calls and text messages, the Wall Street Journal’s Dustin Volz and Warren P. Strobel report.
After years arguing the program was vital to national security, officials now say “the logistical and legal burdens of keeping it outweigh its intelligence benefits,” Volz and Strobel report.
“The latest view is rooted in a growing belief among senior intelligence officials that the spying program provides limited value to national security and has become a logistical headache,” the Journal reports, also citing “frustrations about legal-compliance issues [that] forced the NSA to halt use of the program earlier this year.”
NSA’s legal authority to run the program will expire in December unless Congress reauthorizes it.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: