Cybersecurity lobbying spending mounts as privacy, security laws take shape

The collective lobbying spending of 12 large publicly traded cybersecurity firms more than tripled to $3.94 million in 2019 from $1.21 million in 2015, according to an analysis by WSJ Pro Cybersecurity of federal disclosures collated by the nonprofit Center for Responsive Politics.

Efforts range from traditional advocacy related to specific bills to advising lawmakers on the security dimensions of current events, including the coronavirus pandemic.

The uptick in lobbying by the industry appears designed to capture commercial opportunities stemming from heightened awareness of cybersecurity threats, said John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity research and training organization.

One of the lobbyists’ main messages is “help make people spend more on security,” he said.

Cybersecurity companies’ spending figures cover more than just money paid to lobbyists for talking to lawmakers. Sums can include expenses such as travel, lodging and membership dues for trade associations that lobby on companies’ behalf. Still, cybersecurity companies’ lobbying bills are dwarfed by those of larger technology companies such as Facebook Inc. and Microsoft Corp., which spend millions of dollars every quarter on lobbying.

Cloud and security services company Akamai Technologies Inc. spent $160,000 in each of the past two years lobbying Congress and the Department of Homeland Security on topics related to telecommunications, cybersecurity and data privacy, disclosures show. A company spokesperson described the sum as a retainer for lobbying agencies and declined to comment further.

Forescout Technologies Inc. spent significantly more. The company, which has supplied its device-management software to local governments, bumped up its budget for lobbying on issues including Pentagon cyber capabilities to $680,000 in 2019 from $510,000 the previous year, according to the disclosures. A spokesperson declined to comment.

Cybersecurity and the Coronavirus

The scramble to adapt to the coronavirus pandemic also has changed what cybersecurity lobbyists are doing in Washington.

Stacy O’Mara, who lobbies U.S. lawmakers as director of government affairs at security and consulting company FireEye Inc., said she has changed the focus of her efforts in recent weeks toward coronavirus-related cybersecurity measures. That includes advising congressional aides on remote-voting tools for lawmakers as they consider additional funding for state and local governments. FireEye’s annual lobbying spend has held steady at $160,000 since 2016, according to federal disclosures.

Ms. O’Mara said she aims to highlight cybersecurity challenges faced by state and local governments as they navigate telework and remote schooling.

“We are talking with staff right now and providing threat briefings to help them understand what is actually going on with the states and what they need to build up their capabilities,” Ms. O’Mara said.

FireEye, which previously focused much of its lobbying on Pentagon spending, has begun holding biweekly briefings that encourage remote Hill staffers to keep cybersecurity threats top of mind during the public-health crisis, Ms. O’Mara said. FireEye spokeswoman Melanie Lombardi said Ms. O’Mara’s efforts to build relationships have directly or indirectly brought $10 million of revenue to the company since 2017.

Other security firms, such as the risk-management company Rapid7 Inc., have tilted at specific areas of larger bills. The company helped push for the Library of Congress to carve out an exemption for security researchers under the Digital Millennium Copyright Act, said Jen Ellis, the company’s head of public affairs. Rapid7, which has spent $180,000 annually on lobbying since 2016, according to filings, successfully argued along with other companies that the exemption would give researchers more freedom to study copyright material without express permission of its owner.

Rapid7 has lobbied—so far, unsuccessfully—for a similar tweak to the Computer Fraud and Abuse Act, an antihacking law, Ms. Ellis said. She expects much of her attention to return to privacy topics, including the possibility of a federal privacy law. Ms. Ellis said she plans to argue for bolstered security requirements in any such statute.

Amplified Voices

Some companies do their lobbying through trade groups, which can amplify the voices of companies that share the same views.

In a letter dated April 20, software trade association BSA and six other trade groups urged House Speaker Nancy Pelosi (D., Calif.) and Minority Leader Kevin McCarthy (R., Calif.) to include additional cybersecurity funding for state and local governments in future pandemic relief packages. The funding, proposed by senior Democrat lawmakers on the House Homeland Security Committee, would amount to $400 million.

In March, several technology trade groups weighed in on Defense Department cybersecurity standards that require certifications for contractors, saying they lacked clarity in certain sections. At the state level, trade associations also asked the California attorney general’s office to delay enforcement of the 2020 California Consumer Privacy Act, considered the strictest privacy rule in the U.S., due to confusion created by the pandemic. The attorney general’s office appeared to leave the door open to tweaking the implementation schedule given the health crisis.

“The software industry really needs to be at the table for those policy discussions,” said Craig Albright, vice president of legislative strategy at BSA. He says Congress members often miss the technical nuance that companies represented by trade groups can provide.

Privately held cybersecurity companies, such as industrial cybersecurity firm Dragos Inc. and training company KnowBe4 Inc., also have cracked open their checkbooks to exert influence on issues such as critical infrastructure cybersecurity and education efforts, according to lobbying disclosures.

Even if lobbying doesn’t result in policy changes or budgets that are directly beneficial to a company, it buys face time with policy makers and aides who may consider legislation in the future, said Robert Lee, founder of Dragos. Lobbying efforts by the company have run to at least $350,000 since 2017, according to disclosures.

Mr. Lee testified about threats to critical infrastructure from nation-state hackers before the Senate Energy Committee in 2018.

Lobbying can be beneficial in providing technical know-how to policy makers, he said, but can carry a certain stigma in the public eye. “I don’t think anybody says the word ‘lobbying’ and doesn’t hurt their soul a little bit,” he said.

―The Wall Street Journal