The U.S. Federal Election Commission (FEC) said today political campaigns can accept discounted cybersecurity services from companies without running afoul of existing campaign finance laws, provided those companies already do the same for other non-political entities. The decision comes amid much jostling on Capitol Hill over election security at the state level, and fresh warnings from U.S. intelligence agencies about impending cyber attacks targeting candidates in the lead up to the 2020 election.
Current campaign finance law prohibits corporate contributions to campaigns, and election experts have worried this could give some candidates pause about whether they can legally accept low- to no-cost services from cybersecurity companies.
But at an FEC meeting today, the commission issued an advisory opinion (PDF) that such assistance does not constitute an in-kind contribution, as long as the cybersecurity firm already offers discounted solutions to similarly situated non-political organizations, such as small nonprofits.
The FEC’s ruling comes in response to a petition by California-based Area 1 Security, whose core offering focuses on helping clients detect and block phishing attacks. The company said it asked the FEC’s opinion on the matter after several campaigns that had reached out about teaming up expressed hesitation given the commission’s existing rules.
In June, Area 1 petitioned the FEC for clarification on the matter, saying it currently offers free and low-cost services to certain clients which are capped at $1,337. The FEC responded with a draft opinion indicating such offering likely would amount to an in-kind contribution that might curry favor among politicians, and urged the company to resubmit its request focusing on the capped-price offering.
Area 1 did so, and at today’s hearing the FEC said “because Area 1 is proposing to charge qualified federal candidates and political committees the same as it charges its qualified non-political clients, the Commission concludes that its proposal is consistent with Area 1’s ordinary business practices and therefore would not result in Area 1 making prohibited in-kind contributions to such federal candidates and political committees.”
The decision is the latest in a string of somewhat narrowly tailored advisories from the FEC related to cybersecurity offerings aimed at federal candidates and political committees. Most recently, the commission ruled that the nonprofit organization Defending Digital Campaigns could provide free cybersecurity services to candidates, but according to The New York Times that decision only applied to nonpartisan, nonprofit groups that offer the same services to all campaigns.
Last year, the FEC granted a similar exemption to Microsoft Corp., ruling that the software giant could offer “enhanced online account security services to its election-sensitive customers at no additional cost” because Microsoft would be shoring up defenses for its existing customers and not seeking to win favor among political candidates.
Dan Petalas is a former general counsel at the FEC who represents Area 1 as an attorney at the law firm Garvey Schubert Barer. Petalas praised today’s ruling, but said action by Congress is probably necessary to clarify the matter once and for all.
“Congress could take the uncertainty away by amending the law to say security services provided to campaigns to do not constitute an in-kind contribution,” Petalas said. “These candidates are super vulnerable and not well prepared to address cybersecurity threats, and I think that would be a smart thing for Congress to do given the situation we’re in now.”
The FEC’s decision comes as federal authorities are issuing increasingly dire warnings that the Russian phishing attacks, voter database probing, and disinformation campaigns that marked the election cycles in 2016 and 2018 were merely a dry run for what campaigns could expect to face in 2020.
In April, FBI Director Christopher Wray warned that Russian election meddling posed an ongoing “significant counterintelligence threat,” and that the shenanigans from 2016 — including the hacking of the Democratic National Committee and the phishing of Hillary Clinton’s campaign chairman and the subsequent mass leak of internal emails — were just “a dress rehearsal for the big show in 2020.”
Adav Noti, a former FEC general counsel who is now senior director of the nonprofit, nonpartisan Campaign Legal Center, said the commission is “incredibly unsuited to the danger that the system is facing,” and that Congress should be taking a more active roll.
“The FEC is an agency that can’t even do the most basic things properly and timely, and to ask them to solve this problem quickly before the next election in an area where they don’t really have any expertise is a recipe for disaster,” Noti said. “Which is why we see these weird advisory opinions from them with no real legal basis or rationale. They’re sort of making it up as they go along.”
In May, Sen. Ron Wyden (D-Ore.) introduced the Federal Campaign Cybersecurity Assistance Act, which would allow national party committees to provide cybersecurity assistance to state parties, individuals running for office and their campaigns.
Sen. Wyden also has joined at least a dozen other senators — including many who are currently running as Democratic candidates in the 2020 presidential race — in introducing the “Protecting American Votes and Elections (PAVE) Act,” which would mandate the use of paper ballots in U.S. elections and ban all internet, Wi-Fi and mobile connections to voting machines in order to limit the potential for cyber interference.
As Politico reports, Wyden’s bill also would give the Department of Homeland Security the power to set minimum cybersecurity standards for U.S. voting machines, authorize a one-time $500 million grant program for states to buy ballot-scanning machines to count paper ballots, and require states to conduct risk-limiting audits of all federal elections in order to detect any cyber hacks.
Earlier this week, FBI Director Wray and Director of National Intelligence Dan Coats briefed lawmakers in the House and Senate on threats to the 2020 election in classified hearings. But so far, action on any legislative measures to change the status quo has been limited.
Democrats blame Senate Majority Leader Mitch McConnell for blocking any action on the bipartisan bills to address election security. Prior to meeting with intelligence officials, McConnell took to the Senate floor Wednesday to allege Democrats had “already made up their minds before we hear from the experts today that a brand-new, sweeping Washington, D.C. intervention is just what the doctor ordered.”
“Make no mistake,” McConnell said. “Many of the proposals labeled by Democrats to be ‘election security’ measures are indeed election reform measures that are part of the left’s wish list I’ve called the Democrat Politician Protection Act.”
But as Politico reporter Eric Geller tweeted yesterday, if lawmakers are opposed to requiring states to follow the almost universally agreed-upon best practices for election security, they should just say so.
“Experts have been urging Congress to adopt tougher standards for years,” Geller said. “Suggesting that the jury is still out on what those best practices are is factually inaccurate.”
Noti said he had hoped election security would emerge as a rare bipartisan issue in this Congress. After all, no candidate wants to have their campaign hacked or elections tampered with by foreign powers — which could well call into question the results of a race for both sides.
These days he’s not so sanguine.
“This is a matter of national security, which is one of the core functions of the federal government,” Noti said. “Members of Congress are aware of this issue and there is a desire to do something about it. But right now the prospect of Congress doing something — even if most lawmakers would agree with it — is small.”
This post was originally published on https://krebsonsecurity.com/feed/.