Published on November 7th, 2019 📆 | 3407 Views ⚑0
Former NSA hacker Oren Falkowitz protects presidential campaigns
As a hacker working for the National Security Agency, Oren Falkowitz learned how to use a seemingly innocuous email to trick a user into giving up control of their digital lives.
Now he’s responsible for protecting presidential campaigns from falling victim to the same kind of attacks.
Falkowitz is the CEO and co-founder of Area 1 Security, a cybersecurity firm that protects dozens of businesses, nonprofits and political campaigns from phishing attempts. Four years after Russian operatives hacked thousands of emails from Hillary Clinton’s campaign and the Democratic National Committee, cybersecurity is a bigger issue than ever for White House hopefuls — and Area 1’s headquarters, in an incongruously historic Queen Anne house in Redwood City, is on the front lines.
This summer, the company persuaded the Federal Election Commission to allow it to provide low-cost services to political campaigns, which would typically be a violation of rules designed to prevent businesses from currying political favor.
About half of the major 2020 presidential candidates are now using Area 1’s services, according to Falkowitz. He says the company has already blocked attempts by foreign governments to break into campaigns’ networks — although he won’t divulge many details.
In an interview last month in his office — which has a “Make the Internet Great Again” sticker on the door and several wooden eggs signed by presidential contenders on a shelf — Falkowitz talked about the types of threats the candidates are facing and how to protect against cyberattacks. This interview has been condensed and edited for clarity.
Q: What kind of attacks are you focused on?
A: Our business is to stop what are known as phishing attacks. It’s the same technique that we use at the NSA to break into computers — an attempt to get a human like you or me to take some sort of action unwittingly, like clicking a link, entering your username and password, or downloading a file. It seems sort of trivial and innocuous. But 95% of all the damages in the world that are computer-related start with phishing — from Hillary Clinton’s presidential campaign to all the major breaches that get reported.
Q: Why do these attacks work?
A: What makes phishing attacks work is not any technical sophistication, it’s authenticity. You need to be able to create an authentic lure that people trust or move quickly through without thinking about it. I saw a really cool phishing attack the other day — an email that says, “Dear Tom, your wife has just filed for divorce and I represent her. Click here for the documents.” I mean, everybody would click on that link.
Q: What kind of attacks have you seen against presidential campaigns you work for?
A: We’ve seen them all. It runs the gamut of “reset your password,” “here’s an invoice to pay,” “I’ve seen you watching pornography” — anything to get someone to click. And they’re intensifying as the candidates move down the election process. So if you announce that you’re running for president, you don’t start getting phished the next day. But when you announce like $30 million in fundraising and people say you’re a frontrunner, you start getting attacked a lot more. Each step down the path, the intensity grows.
Q: Where are the attacks coming from?
A: They come from everywhere — from governments, from criminal groups, from organizations that are attacking everyone else.
Q: Can you say which foreign governments?
Q: How did you start working for political candidates?
A: We have a tiered pricing system with a little-to-no-cost tier for nonprofits, schools, small businesses or political candidates. And a little more than a year ago, some candidates came to us and said, “We don’t want a repeat of 2016.” But we would hit the campaigns’ election lawyers, and they’d say “no way” — the Federal Election Commission doesn’t allow you to make a special, reduced-price offer to campaigns. So we went to the FEC and got an advisory opinion: the commissioners basically said it’s okay because you offer this to other people (for the same price). That’s important, because we don’t want our customers to worry that working with us would violate some sort of campaign finance law.
Q: How does your software work?
A: What we do is comprehensive: It’s about preventing malicious email from getting to the user, making sure that you can’t click on the links, making sure that malware can’t communicate back and forth. Had the Clinton campaign, theoretically, been using our software, (campaign chair) John Podesta wouldn’t have even gotten the phishing email that he clicked on.
Q: What makes Area 1 different from other cybersecurity companies?
A: It’s my view that the cybersecurity industry is mostly made up of dilettantes, and most of the people have never spent time behind the keyboard hacking anything. And so they create solutions from what they’re seeing, not from what’s really happening. It’s part of the reason why the results are so terrible. We have the expertise of having done the phishing, as well as the understanding of how to defeat it.
Q: Should people be trained to avoid phishing attacks?
A: There’s no reason to train people to know what phishing is. It’s like trying to teach people not to text and drive or to wash their hands during the flu season. That’s all very important, but at the end of the day, seatbelts and the flu vaccine are things that actually work and are saving lives. We stop the attacks from getting to their targets in the first place.
Q: Are political campaigns paying more attention to these threats than in the past?
A: Without a doubt. I’ve been encouraged in my conversations with candidates directly, and with their staffs, that they are talking about and thinking about the issue. That was definitely not the case in 2016. But there’s a lot more work to do.
Company: Area 1 Security
Headquarters: Redwood City
Title: CEO and co-founder
Previous jobs: Analyst at National Security Agency, co-founder of Sqrrl (another cybersecurity company that was acquired by Amazon)
Five fun facts
1. Born in Boca Raton, Florida, where IBM built the original personal computer
2. Served as the 105th employee at Cyber Command, the U.S. military’s cybersecurity branch
3. First assignment at the NSA was forecasting ballistic missile launches
4. Wrote a graphic novella about cybersecurity, “Pineapple Sparkle”
5. Started and enthusiastically follows Area 1’s tradition of “Bow-Tie Thursdays”