The growing number of cybersecurity vendors offering free or low-cost services to campaigns may discourage practitioners from allocating sufficient funding to pay for online protections.
That’s one concern being raised by a long-time digital security expert after the FEC lowered barriers recently for vendors to provide cybersecurity services at low-or-no cost. The Commission’s decision came as foreign hackers continue to probe 2020 targets.
Now, “firms may offer political campaigns the same discounts they offer other customers, but only non-profits can provide campaigns with free services or deals special to the campaigns,” according to Axios.
For instance, campaigns can now accept anti-phishing services from Area 1 at a discounted rate, but Defending Digital Campaigns, Inc., a 501(c)(4), which in May got the FEC’s approval to service federal campaigns and party committees, can offer services for free.
In addition, Microsoft recently made services like email, file sharing, collaboration on files and cloud storage available to all federal campaigns and party organizations at the same rate the company had been offering NGOs and non-profits.
“There have been a lot of vendors who have tried to lower the price point of their security software so that they could sell to advocacy groups [and campaigns],” said Wendy Nather, a former private and public sector chief information security officer (CISO) who now works at Cisco.
“But a lot more goes into using a security product,” explained Nather, who noted that campaigns and groups need staff with the right expertise in order to effectively use these products.
To wit, useful network defenses require “proactive monitoring,” she said.
“That’s usually just as expensive or more expensive than the product itself — having the people with the expertise to run it,” Nather told C&E. “The question is really where are those people going to come from and can non-profits really afford to provide those people?”
In other words, if DDC is the only FEC-approved non-profit in the space servicing campaigns below the so-called “security poverty line,” can it keep up with the staffing demand for those services?
Nather is skeptical, and advised campaigns instead to budget for security themselves “rather than expecting the free software will save them.”
“Where these rulings left off, they’re not going to be enough to help the campaigns,” she said.
In fact, the FEC may have unwittingly created a “slippery slope” where companies like Agari, an email security provider offering services through the DDC, will need to push campaign clients into higher cost services.
At last month’s CampaignExpo conference in DC, hosted by C&E, campaign finance professionals also warned campaigns to be cautious about discounted or free services that aren’t specifically addressed by an FEC advisory opinion.
The recent AO’s issued by the commission cover a very specific set of services from specific groups so accepting other discounted services in the cybersecurity realm could be seen as an in-kind contribution if the FEC hasn’t addressed it with specificity.
“Regardless of the good intentions they have, we may not have enough supply there for non-profits to give those security services,” said Nather. “The monitoring, the installation, the deployment, the support, all of those things have to be accounted for. If you’re only allowing non-profits to provide that, that’s a very expensive portion.”