After Russian agents stole emails from Hillary Clinton’s campaign chairman in 2016 and targeted other candidates with hacks in 2018, political campaigns know they face serious cybersecurity threats. Democratic presidential contenders are already investing in stronger infrastructure. For example, in its first quarter Federal Election Commission filings, Kamala Harris’ campaign reported that it had paid $7,249 to consultants like LinkedIn co-founder Allen Blue for unspecified “cyber security services” and $197 to Wickr, an encrypted messaging platform that allows users to auto-delete texts. Elizabeth Warren’s campaign spent $1,077 on secure cloud storage services from Dropbox and Box.com, $455 on the password manager LastPass, and $1,340 on equipment from Yubico, which manufactures hardware for two-factor authentication. Other campaigns have similarly spent thousands of dollars on consultants to help build out their systems.
Campaigns have been largely responsible for funding their own cybersecurity, even as the risk has grown and the potential harm from election interference has become clearer. Though these costs are just pocket change for presidential candidates who have already raised millions of dollars, campaigns in state and local races might not have the funds to take such precautions. And those campaigns are under attack too: In 2018, Russian hackers targeted at least three members of Congress, including former Missouri Sen. Claire McCaskill, who was running for reelection.
The FEC is now considering a proposal that might help fix the issue. It would allow campaigns to access free IT services to secure their operations and strengthen the integrity of the country’s election system. The only catch is that a decision in favor of the proposal risks leaving a gaping loophole in campaign finance laws that could provide corporations with yet another way to unduly influence elected officials.
On Thursday, the FEC will again consider a request to allow a nonprofit to offer free and low-cost cybersecurity support to campaigns in the form of software, hardware, tech boot camps, and information-sharing systems. Defending Digital Campaigns, the nonprofit spinoff of a Harvard cybersecurity project founded by Hillary Clinton’s 2016 campaign manager, Robby Mook, and Mitt Romney’s 2012 campaign manager, Matt Rhoades, submitted the proposal in September. The FEC last discussed the proposal during an open meeting on April 11, and a ruling is likely coming soon. (Defending Digital Campaigns did not respond to Slate’s interview requests.)
“What we’re trying to do isn’t really to benefit presidential campaigns,” Rhoades said during the meeting, emphasizing instead that the aim is to help the down-ballot “little guy” campaigns. “When you’re first setting up and you’re first raising those precious hard dollars, the last thing you want to do is to spend them on something to secure your networks.” Based on a cursory examination of first quarter filings, there has been little to no investment in cybersecurity among congressional campaigns.
Campaign finance laws typically do not allow corporations to intervene in elections to support or oppose a candidate. Under these rules, Defending Digital Campaigns can’t legally donate products and services. The organization argued in documents submitted to the FEC that it is not seeking to influence the outcomes of elections in a partisan manner and therefore should get an exemption for its activities. It proposes making its cybersecurity support available to “any presidential candidate polling above 5 percent nationally” or any congressional candidates who have raised a certain amount of money or “qualified for the general election ballot.” Defending Digital Campaigns says this supports its claims to be nonpartisan in mission. It also cites voter registration initiatives and candidate debate hosting, which are also exempt from the corporate contribution ban, as precedents.
There is bipartisan support for offering campaigns free cybersecurity services. Yet, legal experts worry that allowing for too broad an exemption in this case would unintentionally create a loophole. A month after Defending Digital Campaigns submitted its proposal, the money-in-politics watchdog Campaign Legal Center submitted a comment warning that the draft would “reach a desirable policy outcome by improperly and dangerously bending the law.” The center noted that it was especially concerned with the suggestion to allow Defending Digital Campaigns to provide travel and lodging for on-site boot camps.
Campaign Legal Center agrees that there is an urgent need to improve cybersecurity preparedness across the board. However, as its director of federal reform, Brendan Fischer, told Slate, “It’s probably not hard to imagine that corporations would like to provide valuable services to candidates in order to build relationships and then get a call back when a lobbyist calls and requests a meeting.”
Campaign Legal Center had similar misgivings about a separate FEC exemption granted to Microsoft in September to provide free packages of enhanced security protections to its election-related customers. Microsoft argued that a breach would tarnish the company’s brand and that gathering data on cyberattacks would be invaluable; thus, the provision of free services was advancing business, rather than partisan, interests. “If that is the standard, then pretty much any corporation could give anything to a candidate, because they always do it for business reasons,” an attorney for the center told Roll Call at the time. Microsoft’s victory prompted another firm, Area 1 Security, to also request an exemption to provide free anti-phishing services to campaigns. If the FEC isn’t careful with its rulings, there is a risk that efforts to provide free cybersecurity could attenuate campaign finance laws.
Fischer sees the original justification for the proposed exemption currently before the FEC—that Defending Digital Campaigns is a nonprofit advancing a nonpartisan mission not intended to influence an election—as too broad. Using that logic, the Chamber of Commerce, for example, might be able to justify subsidizing travel and lodging for Democratic and Republican candidates who attend a seminar on free market principles. Fischer hopes the FEC will ultimately grant Defending Digital Campaigns an exemption but more narrowly tailor the legal reasoning for doing so. He co-wrote and submitted a comment to the commission earlier this month suggesting that the exemption would be sound if it applies exclusively to services that will uphold the Federal Election Campaign Act’s ban on foreign participation in elections. Defending Digital Campaigns has indicated that it supports this alternate proposal.
Even with this narrower exemption, though, Democratic FEC Chair Ellen Weintraub still seems to have concerns. During the April 11 hearing, Weintraub said, “I would like to support this endeavor. I also have an obligation to protect the law.” When asked if there was a particular abuse of the exemption she was worried about, she replied, “Just a long history of things that seem reasonable at the time, and then somebody else comes along and says, ‘Aha! Now they’ve said that, I can do this.’ ”
Weintraub’s colleagues appear to be less apprehensive about granting the exemption, but all four of the commissioners currently heading the FEC would need to vote in favor of the proposal for it to pass. As the political trade publication Campaigns & Elections notes, the FEC has already held meetings on this matter four times, so the commission is likely nearing a ruling.