New: A weekly newsletter about the trends shaping cities

Stories

Why campaigns turn down free cybersecurity

 Illustration of a campaign vote button with an opened padlock shackle on the top.
Illustration: Aïda Amer/Axios

Cybersecurity outfits are itching to offer political campaigns free or cut-rate products to protect them from being hacked. But the campaigns, spooked by legal and technical concerns, keep turning them down.

Why it matters: Here's an abridged list of campaign-related hacking targets during the last two presidencies: The Obama, McCain and Lindsey Graham campaigns; John Podesta's and Sara Palin's private emails; the Democratic and Republican National Committees; and the Democratic Congressional Campaign Committee. Cybersecurity for campaign operations might be a good idea.

The big picture: Security companies of all sizes have mulled offering free or discounted cybersecurity products to campaigns for a mix of altruistic and marketing reasons.

  • Google, Synack, Cloudflare, Microsoft and others already offer a variety of free protections to government officials. Several others, including Akamai, offer discounted services.

But offering the same services to campaigns gets complicated, because of campaign finance regulations and lack of expertise.

  • It's against campaign finance law for corporations to donate directly to campaigns, whether that's in the form of money or services.

Driving the news: The FEC is currently determining whether to offer an exemption to Defending Digital Campaigns, a nonprofit started by campaign advisers to Mitt Romney and Hillary Clinton that aims to offer a host of discounted or free cybersecurity services.

  • The decision has been in the works since last year and may be decided as soon as May 23.
  • "We don’t want campaigns to be NASCAR," said Patrick Peterson of Agari, an email security firm that wants to offer free services to campaigns. "We don't want Elizabeth Warren to wear a jacket with Dunkin’ Donuts and Agari logos. We just want campaigns to be able to handle risk management."

What happens next: If the FEC decides to grant the exemption for the nonprofit, that opens the doors for other firms to make similar offerings, said Daniel Weiner, senior counsel of the democracy program at NYU's Brennan Center for Justice.

  • But experts believe it's better for the FEC to make a formal rule than to settle the issue through ad hoc exemptions, which leaves murkier boundaries.
  • Good governance groups have argued the issue would ideally be solved by Congress.

The expertise shortage is as much an issue as the campaign finance rules. Microsoft obtained an exemption similar to the one Defending Digital Campaigns is seeking and offered discounted security tools to 2018 campaigns — but it still struggled to get campaigns to accept the tools.

  • Campaigns for local office, the Senate or Congress are not large operations, and often they lack full IT teams to configure enterprise-strength security controls. Many chose not to accept Microsoft's help.
  • Microsoft is addressing this issue for 2020 by offering setup wizards to streamline the process.

But expertise might affect adoption of other technologies differently. Even though there are already a ton of free and low-cost tools for government election officials, officials have complained they have no way to separate useful tools from snake oil. Political campaigns aren't likely to have any easier a time.