The U.S. government says it’s on high alert for cyberattacks from foreign countries in this election year. Yet private cybersecurity firms have often been the ones sounding the alarm, and in some cases, they are selling their services to the U.S. intelligence community.
“We’ve seen Iran impersonating political candidates,” said Sandra Joyce, the head of global intelligence at FireEye, a leading cybersecurity company.
“They’ve even fabricated letters that look like they’re coming from concerned citizens. They get themselves published in newspapers. Well-known newspapers. But they’re influence operators from Iran. They’re not concerned citizens from Texas,” she added.
Whether it’s Iran, Russia or other foreign actors, cybersecurity companies and research groups have been often been more public than the government in identifying potential foreign threats.
“The government doesn’t have a monopoly on tracking, identifying or exposing some of these vulnerabilities,” said Graham Brookie, who runs the Digital Forensic Research Lab at the Atlantic Council in Washington. “The threat is evolving and threats are becoming more diffuse, more complex and in some ways more open.”
The U.S. government says it welcomes help from tech companies, according to Shelby Pierson, who works for the acting director of national intelligence, Joseph Maguire. She was appointed last year to a newly created position that puts her in charge of coordinating election security across the intelligence community.
“There is a whole consortium of players in this landscape which include private security firms,” Pierson told NPR in an interview. “Those organizations will actually have deeper and technical insight into those networks before the intelligence community will.
“Pierson said the government sometimes buys services from cybersecurity companies, and she cited a couple of the biggest players in the industry.
“FireEye and CrowdStrike, for example, have done really good work, where based on the analysis, expertise and information analysis that they do, those are products and services that they can sell to the U.S. government.”
The cyber firm Area 1 Security said it recently detected Russian military intelligence breaking into the computer systems of Burisa. That’s the Ukranian gas company where Hunter Biden, the son of Democratic presidential candidate Joe Biden, used to be on the board.
This raised suspicions that the Russians are looking for dirt on the Bidens.
Area 1 has received a lot of media attention for this report — which is good for a private company. However, the tight-lipped U.S. intelligence community hasn’t offered its own assessment.
So what’s the government’s position on the report — does it agree, disagree, or just prefer to remain silent?
“Of course, these topics are news and newsworthy,” said Brookie, of the Atlantic Council. But he warned that we’re going to see a wide range of opinions on how much public attention a potential threat should receive.
Tech companies have incentives to publicize threats they’ve uncovered. The media is looking for scoops. Yet the government might be inclined to say little or nothing.
“And we, collectively between government and media and tech have not shown that we know what to do with that,” Brookie said.
The government is wrestling with the issue, said Pierson.
“Some of my [government] colleagues have said, ‘Maybe we shouldn’t necessarily spook the herd and share all this information,'” she said. “Maybe people go, ‘You know what, this is all rigged. That’s so much disinformation. I’m not going to vote.’ That would be worst case scenario. And frankly, doing the work of our adversaries for them.”
However, a number of government agencies have pledged to be more open than in the past. The FBI, for example, recently expanded its policy for issuing notifications when it detects a cyberattack.
Private cybersecurity firms say they often hire people who have worked in the intelligence community. And the companies stress that they cultivate close relationships with the government.
“We definitely work in lockstep with law enforcement and the intelligence community,” said Karim Hijazi, the head of Prevailion, a cybersecurity company in Houston. “We want to make sure that we’re not misstepping.”
His firm put out a report earlier this month saying Iran is probing the computer systems at oil and gas companies.
As all this plays out, many Americans say they’re concerned about election security. A poll by NPR, the PBS NewsHour and Marist found 41 percent of those surveyed believe the U.S. is not well prepared, or not prepared at all, to protect the November ballot from interference.
Greg Myre is an NPR national security correspondent. Follow him @gregmyre1.