FEC approves anti-spearphishing service for campaigns at low cost
The Federal Election Commission approved a request Thursday from an anti-spearphishing company, deeming it permissible for the security vendor to provide its services to campaigns and political parties at a discount without violating campaign laws.
The FEC expressed trepidation last month over whether it could approve the request from a company, Area 1 Security, to provide low or no cost services to campaigns. A debate stemmed from FEC concerns that a security firm, by offering a markdown on normally expensive services to campaigns, could inappropriately curry favor with lawmakers. This decision is one in a series of approvals the FEC has issued in recent months as it recognizes the serious threat foreign adversaries pose to U.S. elections.
“Area 1 has cleared the way for candidates to arm themselves with the best technology available to protect against a repeat of the disastrous cyber-intrusions in prior election cycles,” Dan Petalas, outside counsel for Area 1, told CyberScoop.
Area 1 now has the green light from the FEC to offer its services to campaigns and political parties at a flat annual fee of $1,337, a rate it already uses with non-profits and startups. Area 1 typically offers different tiers of pricing for its services. One model charges on a pay-per-phish basis, wherein the company charges $10 for each spearphishing attempt caught, up to a certain maximum.
The commission previously cited the “demonstrated, currently enhanced threat of foreign cyberattacks” as a reason the FEC was consenting to free or low cost provision of cybersecurity services to campaigns.
Campaigns often fail to invest in cybersecurity because they dedicate limited funds elsewhere, Matt Rhoades, who previously served as Mitt Romney’s campaign manager in 2012, has said. A non-profit Rhoades is backing has also received approval from the FEC to run similar low cost or free cybersecurity services for political campaigns in recent months.
The path to ‘yes’
Since Area 1 already provides email security services for $1,337 per year to some customers, any service it provides to political parties or campaigns isn’t pushing the bounds of its normal business practices, the FEC noted Thursday. Area 1 CEO Oren Falkowitz has said the company receives business value from these deals because they gather intelligence from the attacks aimed at those organizations, allowing Area 1 to improve its overall product.
FEC Chair Ellen Weintraub wrote of Area 1’s request that the sale of goods or services does not result in a political contribution when the discount is “made available on the same terms and conditions” that the vendor is already offering to other non-campaign clients.
Area 1 initially failed to make it clear to the FEC that it already provides low cost services to other clients, which prompted the FEC a month ago to urge the company to revise an initial request from earlier this year. Meanwhile, Democratic presidential candidates for the 2020 elections have already wrapped up their first series of debates, but many are still lacking in cybersecurity practices, as a Wall Street Journal survey found. It wasn’t until a meeting in June, when the FEC was reviewing an initial request from Area 1 to offer its services to campaigns, that the two sides came to understand each other.
The FEC decision Thursday was approved unanimously. Area 1 may now start providing services to political campaigns and committees for a fixed cost of $1,337 per year, Petalas said.
FEC approvals grow
In recent months the FEC has authorized companies and non-profits seeking to provide cybersecurity services to political campaigns and parties at low or no cost.
Part of the FEC’s interest in green-lighting these entities, such as Rhoades’ non-profit spun out of Harvard’s Defending Digital Democracy Project, is the ongoing foreign threat against U.S. elections, as Weintraub noted in a May advisory opinion. Russian spearphishing previously resulted in breaches at both the Democratic National Committee and the Democratic Congressional Campaign Committee, upending the 2016 presidential race.
But in the process of reviewing Area 1’s request, Weintraub hinted that Congress should consider a blanket law that would clarify what cybersecurity services companies can and cannot offer to campaigns.
Although FEC advisory opinions, like the one approved Thursday, may be used by other companies seeking to do the same activities outlined in the opinions, they could still leave the legality of certain specific offers unresolved.
Petalas, who previously served as acting general counsel for the FEC, is also supportive of Congress clarifying the law.
“This advisory opinion is not carte blanche for federal candidates to receive free services from all cybersecurity service providers,” Petalas told CyberScoop.
Sen. Ron Wyden, D-Ore., has introduced a proposal that would have national party committees funneling funds for cybersecurity purposes to campaigns and state parties, though it is unclear if Congress has the political will to take on the issue more broadly.
The threat from foreign adversaries remains in the meantime, a senior intelligence official told reporters late last month in a background briefing.
“We do believe that the 2020 elections are a potential target for state and non-state cyber actors and we continue to observe unknown actors attempt suspicious and malicious activity against internet-connected infrastructure periodically,” the senior intelligence official said.