Campaign finance statutes prohibit businesses and even many nonprofits from directly contributing to political campaigns. They can’t even send pizza. Now, the US Federal Election Commission may apply the same statutes to block a cybersecurity firm from offering free or low-cost defense services to campaigns, at a time when those protections are badly needed.
During the 2016 US presidential election, Russian hackers not only threatened election networks and voting systems, but wreaked havoc by targeting campaigns and political parties, particularly the Democratic National Committee, and leaking troves of sensitive data. The events showed the importance of implementing defenses against attacks like phishing, network intrusions, and denial-of-service assaults for even the most transient campaign efforts. But even long-running campaigns are by definition temporary. They want to spend their money on promotion, not IT. So more and more companies have offered free services to campaigns as a way to make stronger cybersecurity a no-brainer.
The FEC has allowed some of those to go through. Microsoft can offer free services to campaigns that currently use the company's software and services, since it already offers some amount of free support, software patches, and feature updates to all of its clients. The commission recently approved two examples under campaign finance laws. And in May, it allowed a nonpartisan nonprofit known as Defending Digital Campaigns to provide free digital defense services to campaigns, since it was specifically funded with that narrow mission in mind.
These, though, appear to be the exceptions. The current advisory opinion request the FEC is considering, from the phishing defense firm Area 1 Security, presents a new type of test. The FEC has not finalized its opinion about whether Area 1 can legally offer free or low-cost services to campaigns, but the commission’s draft opinion so far indicates that it may not allow the arrangement.
The FEC argues that Area 1 hasn’t demonstrated enough of a tangible, quantifiable business reason to offer the low-cost services, and that therefore the firm could be making that offer to curry political favor. The FEC's decision about Area 1 could have implications for the broader industry's ability to work with campaigns gratis.
Area 1 says the FEC's current draft conclusion represents a fundamental misunderstanding of how many tech companies, and especially cybersecurity firms, do business. Oren Falkowitz, CEO of the company and a former NSA analyst, says that Area 1 negotiates pricing with all of its clients on a sliding scale depending on their size, needs, and circumstances. He also notes that in some cases, the firm already offers free services to individual proprietors and consultants. Falkowitz says there are many reasons these arrangements are advantageous to his company. They allow Area 1 to tout a larger number of total users, for example, and give the firm access to network and incident data that helps with research and development. Falkowitz also notes that the firm sometimes takes on interesting or important clients at a reduced rate, because defending such clients strengthens morale within the company and motivates employees to work even harder on defense.
Area 1 and the FEC will trade comments ahead of a hearing on Thursday where the case will be discussed further. It is possible that the FEC will reverse its current conclusion. But in general, Falkowitz says, the experience has raised a larger concern for him about whether it is legal and practical for any cybersecurity firm to offer vital services to campaigns.
“If the commission is ruling against it, that would be a pretty significant jolt to the candidates themselves and their desire to be protected,” he says. “This is something that has already hurt people. Campaigns got phishing emails, they clicked on those emails, and the rest is history. It makes me think the commission is out of step with the threat.”
Phishing in particular has plagued political campaigns, providing Russian hackers with an open window into the Democratic National Committee's network, Hillary Clinton's campaign emails, and her campaign chair John Podesta's personal Gmail account.
In a statement to WIRED, FEC press officer Judith Ingram noted that the commission does not speak to potential implications of its advisory opinions and is narrowly focused on the facts of individual cases.
The commission has not dealt with many requests for guidance on cybersecurity issues in general. Other than the Microsoft and Defending Digital Campaigns instances, it has only considered one other related matter, about the legality of candidates using excess campaign funds to pay for enhanced digital security defenses for their own personal devices and home network.
Daniel Weiner, senior attorney at the Brennan Center's Democracy Program at New York University School of Law and a former senior attorney at the FEC, says the commission doesn’t necessarily want to hinder cybersecurity defense availability or block any particular request it hears. But it must uphold the law, and it hasn’t done any major overhauls in years to modernize its regulations. This creates the need for special exceptions like that in the Defending Digital Campaigns case.
“Really, what they’re kind of constrained by here is the body of regulation they’ve written and precedent they’ve assembled over decades,” Weiner says. “Arguably the Area 1 lawsuit is a great example that the commission is overdue to do new rule-making, and actually think about how the law applies to this situation and what’s in the public interest. Without that you’re left with these one-off requests.”
As a result, regardless of how Area 1’s case is decided, the commission’s initial hesitance serves as a warning to other cybersecurity firms about the potential illegality of providing campaigns with reduced-cost defenses, right at the moment when campaigns need these options the most.