Campaign finance laws prohibit businesses and even many nonprofits from directly contributing to political campaigns. They can’t even send pizza. Now, the United States Federal Election Commission may apply the same laws to block a cybersecurity firm from offering free or low-cost defense services to campaigns, at a time when those protections are badly needed.
During the 2016 US presidential election, Russian hackers not only threatened election networks and voting systems, but wreaked havoc by targeting campaigns and political parties, particularly the Democratic National Committee, and leaking troves of sensitive data. The events showed the importance of implementing defenses against hacks like phishing, network intrusions, and denial-of-service attacks for even the most transient campaign efforts. But even long-running campaigns are by definition temporary. They want to spend their money on promotion, not IT. So more and more companies have offered free services to campaigns as a way to make stronger cybersecurity a no-brainer.
The FEC has allowed some of those to go through. Microsoft can offer free services to campaigns that already use the company's software and services, since it already offers some amount of free support, software patches, and feature updates to all of its customers. The commission recently approved two examples under campaign finance laws. And in May, it allowed a nonpartisan nonprofit known as Defending Digital Campaigns to provide free digital defense services to campaigns, since it was specifically funded with that narrow mission in mind.
These, though, appear to be the exceptions. The current advisory opinion request the FEC is considering, from the phishing defense firm Area 1 Security, presents a new type of test. The FEC has not finalized its opinion about whether Area 1 can legally offer free or low-cost services to campaigns, but the commission’s draft opinion so far indicates that it may not allow the arrangement.
The FEC argues that Area 1 hasn’t demonstrated enough of a tangible, quantifiable business reason to offer the low-cost services, and that therefore the firm could make that offer to curry political favor. The FEC's decision about Area 1 could have implications for the broader industry's ability to work with campaigns gratis.
Area 1 says the FEC's current draft conclusion represents a fundamental misunderstanding of how many tech companies, and especially cybersecurity firms, do business. Oren Falkowitz, CEO of the company and a former NSA analyst, says that Area 1 negotiates pricing with all of its customers on a sliding scale depending on their size, needs, and circumstances. He also notes that in some cases, the firm already provides free services to individual proprietors and consultants. Falkowitz says there are many reasons these arrangements are advantageous to his company. They allow Area 1 to tout a larger number of total users, for example, and give the firm access to network and incident data that helps with research and development. Falkowitz also notes that the firm sometimes takes on interesting or important clients at a reduced rate, because defending such clients strengthens morale within the company and motivates employees to work even harder on defense.
Area 1 and the FEC will trade comments ahead of a hearing on Thursday where the case will be discussed further. It is possible that the FEC will reverse its current conclusion. But in general, Falkowitz says, the experience has raised a larger concern for him about whether it is legal and practical for any cybersecurity firm to offer vital services to campaigns.
“If the commission is ruling against it, that would be a pretty significant blow to the candidates themselves and their desire to be protected,” he says. “This is something that has already hurt people. Campaigns got phishing emails, they clicked on those emails, and the rest is history. It makes me think the commission is out of step with the threat.”
Phishing in particular has plagued political campaigns—providing Russian hackers with an open window into the Democratic National Committee's network, Hillary Clinton's campaign emails, and her campaign chair John Podesta's personal Gmail account.
In a statement to WIRED, FEC press officer Judith Ingram noted that the commission does not speak to potential implications of its advisory opinions and is narrowly focused on the facts of individual cases.
The commission has not dealt with many requests for guidance on cybersecurity issues in general. Other than the Microsoft and Defending Digital Campaigns examples, it has only considered one other related matter—about the legality of candidates using excess campaign funds to pay for enhanced digital security defenses for their own personal devices and home network.
Daniel Weiner, senior counsel at the Brennan Center's Democracy Program at New York University School of Law and a former senior counsel within the FEC, says the commission doesn’t necessarily want to hinder cybersecurity defense availability or block any particular request it hears. But it must uphold the law, and it hasn’t done any major overhauls in years to modernize its regulations. This creates the need for special exceptions like that in the Defending Digital Campaigns case.
“Really, what they’re kind of constrained by here is the body of regulation they’ve written and precedent they’ve assembled over decades,” Weiner says. “Arguably the Area 1 case is a great example that the commission is overdue to do new rule-making, and actually think about how the law applies to this situation and what’s in the public interest. Without that you’re left with these one-off requests.”
As a result, regardless of how Area 1’s case is decided, the commission’s initial hesitance serves as a warning to other cybersecurity firms about the potential illegality of providing campaigns with reduced-cost defenses—right in the moment when campaigns need these options the most.