The Federal Election Commission has decided that a nonprofit spinoff of Harvard’s Defending Digital Democracy Project may provide free and low-cost cybersecurity services to political campaigns without violating campaign finance laws, given the “highly unusual and serious threat” posed to U.S. elections by foreign adversaries.
The driving force behind the FEC’s advisory opinion, which FEC Chair Ellen Weintraub issued Tuesday, is the fact that there is a “demonstrated, currently enhanced threat of foreign cyberattacks against party and candidate committees,” she writes in the advisory.
The nonprofit, Defending Digital Campaigns, has political campaign veterans Matt Rhoades and Robby Mook among its board members, as well as former National Security Agency executive Debora Plunkett.
In the ruling, Weintraub notes that the FEC’s decision is partly due to other government efforts, primarily to expose and prosecute foreign adversaries, which she indicates have not done enough to protect campaigns and political parties.
“[F]oreign cyberattacks, in which the attackers may not have any spending or physical presence in the United States, may present unique challenges to both criminal prosecution and civil enforcement,” she writes.
Rhoades, senior fellow with the Defending Digital Democracy Project, has said the goal is to help political campaigns, which are often unable to afford cybersecurity advisors or expertise.
“When you’re first setting up and you’re first raising those precious hard dollars, the last thing you want to do is to spend them on something to secure your networks,” Rhoades, who served as Mitt Romney’s campaign manager in 2012, said in April at an FEC meeting. Mook was Hillary Clinton’s 2016 campaign manager.
Eligible groups for DDC services include House candidates that have at least $50,000 in receipts and Senate candidates that have at least $100,000 in receipts for the current election cycle, candidates who will appear on the general election ballot, or presidential candidates who are polling above five percent in national polls.
Although Weintraub’s opinion addresses just DDC’s request, a whole host of cybersecurity companies have been providing election security services and products for free or at a low cost. That includes companies such as Cloudflare, which has been providing protection against distributed denial of service attacks for free, and Synack, which has been offering free crowdsourced penetration testing to states. Others have made discount offerings to the election community, such as Centrify, which has offered identity management services at a discount.
It is not clear that the FEC opinion issued this week applies to any and every group interested in offering cybersecurity services — the advisory opinion only directly addresses DDC’s request to do so.
“This opinion is limited to the circumstances presented in the request, including the eligibility criteria … and extends solely to the described cybersecurity activities …” Weintraub writes.
When asked if other groups can use the opinion to offer cybersecurity services to campaigns and political parties for free or at low cost, FEC spokesperson Myles Martin told CyberScoop they could likely do so given that FEC advisory opinions provide “certain legal protection,” so long as all the conditions and circumstances are the same.
Weintraub says she wants every campaign to take advantage of the decision.
“We [approved the measure] because of the grave dangers facing campaigns from hackers, and I hope every campaign will take advantage of it,” Weintraub told a House Oversight and Reform subcommittee hearing on Wednesday.
The opinion, which the FEC has been debating for months, comes days before an open FEC meeting during which the commission will be discussing how national party committees pay for cybersecurity expenses.
Weintraub told lawmakers Wednesday she will be proposing a rule to free up party committees’ building funds to cover cybersecurity expenses for them and their candidates.