U.S. Political Campaign Cybersecurity: Service Provider Discounts Permitted
Cybersecurity consultants, such as managed security service providers (MSSPs), may offer services at discounted prices to help protect U.S. political campaigns from hackers, the Federal Elections Commission (FEC) has ruled.
For now, the FEC’s decision applies only to Area 1 Security, a Redwood City, California-based security specialist focused on blocking phishing campaigns. But for MSSPs the ruling potentially presents a significant opportunity in the government sector.
Area 1 maintains 11 channel partner relationships, including an arrangement with Optiv, a Top 100 MSSP, ACS, SADA Systems, Secure Smart Solutions and others. The FEC, which regulates political campaigns at the federal level, had previously barred cybersecurity consultants from offering discounted services to campaigns because it was considered an “in kind donation.”
The company had asked the FEC to allow it to provide its services to federal candidates and political committees under the same “low to no cost” pricing tier it offers to its qualified customers. The FEC decided that inasmuch as Area 1 also provides the same pricing structure to non-political clients, it was permissible under the commission’s rules.
In a published opinion, the FEC wrote: “Because Area 1 would offer these services in the ordinary course of business and on the same terms and conditions as offered to similarly situated non-political clients, the Commission concludes that the proposal would not result in prohibited in-kind contributions and thus is permissible.”
Area 1’s request may be a good place for the FEC to start. Political campaigns have shown themselves to be vulnerable to phishing activity. In the 2016 presidential race, hackers successfully infiltrated Hillary Clinton’s campaign chairman John Podesta’s server and pilfered thousands of emails in a spear-phishing attack. There have been numbers of other unsuccessful attacks.
Political operations and businesses still struggle to defend themselves against spearphishing attacks, said Jane Wasson, Area 1 product marketing director, in a blog post. “Despite significant investment in cybersecurity tools, most organizations still experience phishing emails that evade defenses and land in employee inboxes, causing data breach, financial loss and brand damage,” she said.
The FEC’s decision has some similarities with a law proposed by California legislators last March. The new bill would allow the campaign funds of political candidates in the state to be used to help secure their office computers and personal devices. Candidates could also allocate campaign funds to secure devices used by staffers, pay for security-related hardware and software purchases and hire consultants, such as managed security service providers, to bulk up security.