The FEC made its advisory opinion one month after lawyers for the commission advised it to block a request by the company, Area 1 Security, which had sought to provide services to 2020 presidential candidates at a discount. The FEC lawyers said that Area 1 would be violating campaign finance laws that prohibit corporations from offering free or discounted services to federal candidates. The same law also prevents political parties from offering candidates cybersecurity assistance because it is considered an “in-kind donation.”
The FEC’s green light clears one major administrative roadblock that 2020 candidates faced as they sought assistance from Area 1 in defending against the attacks and disinformation campaigns that plagued 2016. The decision is limited to Area 1 because it already offered similar services to other organizations at the same cost.
Cybersecurity and election specialists say time is running out for campaigns to develop the defenses capable of warding off attacks from sophisticated nation-state actors like Russia and others. In April, Christopher A. Wray, the FBI director, warned that Russian election interference continued to pose a “significant counterintelligence threat” and that Russian efforts in the 2016 and 2018 elections were just “a dress rehearsal for the big show in 2020.”
The 2020 campaigns themselves are unlikely to have the expertise to track disinformation campaigns or to build sophisticated defenses needed to ward off hackers. In most cases, they cannot afford to pay outside experts market rates for such services, as required by federal election laws.
The FEC opinion issued Thursday said Area 1 could provide anti-phishing services to candidates because the company was not offering the campaigns special, discounted pricing, but simply offering the same lower-tier cost that was offered to other organizations of similar size and financial resources. Lawyers for the FEC initially worried that a ruling in favor of Area 1 would create loopholes for other companies looking to offer discounted services to candidates.
Cybersecurity experts say that before the 2020 voting, awareness of hacking threats and disinformation campaigns has increased, but so too has the sophistication of attacks and influence networks online over the past three years.
Ed Felten, an election security expert and computer science professor at Princeton University, said this week that campaigns and voting equipment were unlikely to be prepared to deflect another nation-state cyberattack in the 2020 cycle.
“The bad guys have had more time to spend on this, and more time to develop new tricks,” he said.
At the same time, Felten and others say, the security of election systems is no better off than four years ago.
Sen. Mitch McConnell, the Senate majority leader, has declined to bring election security bills to the Senate floor. That includes a bill introduced last May by Sen. Kamala Harris, D-Calif., a 2020 presidential hopeful, that aimed to mandate new cybersecurity standards, including hand-marked paper ballots, for all federal elections.
This week, a Texas county said it would use paperless voting systems for 2020, a move that some experts have criticized as insecure. Officials in Taylor County defended the move on Monday, saying there were no state or federal mandates that counties use paper backups. They added that the new machines were “highly secure” and had “no remote access.”
Felten and other security experts said weak points in those systems could easily be exploited. Many companies that maintain such machines, and manage software upgrades to them, are mom-and-pop shops that lack the sophistication to monitor or deflect serious threats.
Such attacks are not just hypothetical. Americans still lack a clear understanding of the impact successful Russian attacks had on the 2016 election. Both the special counsel report and leaked National Security Agency documents show that Russian hackers infiltrated the United States’ vast back-end election apparatus, including voter registration databases and electronic pollbook vendors, in 2016.
Among the vendors hacked, NSA documents revealed, was VR Systems, a Florida company that sells electronic check-in systems to states like North Carolina, which experienced significant pollbook failures in Democratic-leaning counties on Election Day.
Now, 16 months from the 2020 election, it is still unclear what, if anything, Russian hackers did with that access in 2016. VR Systems consistently denies its systems were sabotaged. Last April, after the special counsel’s report on election interference, North Carolina state officials acknowledged that they lacked “the necessary technical expertise to forensically analyze the computers.” The Department of Homeland Security started an examination of North Carolina’s 2016 election equipment last month.
This article originally appeared in The New York Times.