The Federal Election Commission gave the go-ahead this week to a nonprofit organization seeking to offer free cybersecurity services to political campaigns, upending rules that typically consider such free services illegal campaign contributions.

The commission’s reasoning, in a nutshell, was that it ordinarily bans such services due to the possibility people might try to cash in on political favors later. But in this case, the risk of Russian and Chinese hackers running roughshod over the 2020 elections is far worse.

The nonprofit Defending Digital Campaigns, which made the appeal, now plans to run cybersecurity boot camps for staffers on presidential and congressional campaigns. The FEC also gave it the green light to negotiate free and reduced prices for cybersecurity services from companies to provide to the campaigns. The organization will also help share information about cybersecurity threats between campaigns and the U.S. government.

And they'll make those services available to any campaign of any party -- provided presidential candidates are polling above 5 percent in national polls and House and Senate candidates have collected at least $50,000 and $100,000 in donations that cycle respectively. The services will also be available to think tanks and policy focused non-governmental organizations. 

“Elections should be about which candidate has the better vision and plan, not who has the most sophisticated cyber defenses, but today's campaigns in both parties are up against some of the world's most sophisticated cyber operatives,” Robby Mook, Hillary Clinton’s 2016 campaign manager and one of three Defending Digital Campaigns board members, told me via email.

The organization’s other two board members are Mitt Romney’s 2012 campaign manager, Matt Rhoades, and Debora Plunkett, former director of the National Security Agency’s defensive arm, the Information Assurance Directorate. The idea for the organization grew out of a broader election security effort sponsored by Harvard University’s Belfer Center called Defending Digital Democracy where Mook, Rhoades and Plunkett are senior fellows. 

The iniitative could go a long way in securing campaigns, which are often unwilling to invest in digital protections because they’re devoting every dollar to building up other campaign infrastructure and staying in the race. That's especially worrying to government officials fighting to avert devastating breaches during the 2020 campaign that could undermine the political process or even swing elections at the presidential or congressional level. Presidential party nominees in the past three election cycles were hacked — most devastatingly in 2016 when Russian hackers stole troves of information from the Clinton campaign and strategically released it via WikiLeaks and other sites.

But congressional candidates, who work with much smaller budgets, are often the least defended from hacking, Plunkett told me. And foreign hackers are likely to target those campaigns, she said — either to release their information and damage faith in the democratic system or just to gather up as much information about the electorate as possible.

“It would be foolish for any candidate for federal office to think they wouldn’t be a target,” she told me.

In such a crowded field this year, hackers could also target those campaigns looking to cut short the career of a promising upstart candidate, Rhoades warned during an FEC meeting last month. “You can see many of the rising stars coming well in advance—people like former President Barack Obama, former President George W. Bush—and they’re very vulnerable at that stage," he said.

Despite the grave threat of campaign hacking, the aproval didn't come easily.

The FEC was wary that free cybersecurity services could be used as a workaround to evade campaign finance laws meant to cut down on corruption and influence in politics and it took several months to approve its advisory opinion. The final opinion stresses that the permission applies only to nonpartisan, nonprofit groups that are offering the same services to campaigns of all parties.

It also notes that the opinion won’t apply anymore if the hacking threat becomes less dire for some reason or if the government figures out a way to provide the same services on its own.

Two of the four commissioners — Democratic Chairwoman Ellen L. Weintraub and independent Steven T. Walther — added additional requirements that DDC publish information about all of its donors each month and refuse any contributions from foreign citizens.

The Republican members didn't condition their approval of the opinion on those provisions, leaving open the possibility of less restrictive rules in the future. 

Because the FEC has only four members – the minimum allowed for it to make decisions — all of its opinions must be unanimous.

Correction: This article has been corrected to state that the advisory opinion requires DDC to disclose its donors. 


PINGED: The Justice Department on Thursday charged WikiLeaks founder Julian Assange for violating the Espionage Act, “an escalation of the Trump administration’s pursuit of leakers that could have major First Amendment repercussions for news organizations,” my colleagues Devlin Barrett, Rachel Weiner and Matt Zapotosky reported.

Prosecutors initially charged Assange with computer hacking, a far less serious charge that nevertheless irked cybersecurity experts.

The new indictment’s charges sound disconcertingly like the work of journalism, my colleagues write — such as a charge that Assange “obtained and disseminated secret documents.”

Bruce Brown, executive director of the Reporters Committee for Freedom of the Press, in a statement called the indictment “a dire threat to journalists.”

“The new indictment carries potential consequences not just for Assange but for others who publish classified information, and could change the delicate balance in U.S. law between press freedom and government secrecy,” my colleagues write. “It also raises fresh questions about whether the British courts [where Assange is currently held] will view the new charges as justified and worthy of extradition.”

PATCHED: The public shouldn’t fret about a letter circulated among staff at the Department of Homeland Security’s cybersecurity agency seeking volunteers to apply for temporary assignments on the U.S.-Mexico border, acting DHS secretary Kevin McAleenan told lawmakers Thursday.

“I would not expect nor want the [Cybersecurity and Infrastructure Security Agency] leadership to deploy critical cybersecurity professionals in this role,” McAleenan said during a House Homeland Security Committee hearing.

“If they have mission-support professionals – attorneys or others – who could be spared to support this effort, we would welcome that,” McAleenan added.

CISA Director Chris Krebs said yesterday that about 10 of his approximately 3,500 employees had deployed to the border and 10 more were on their way — only a couple of whom focus on cybersecurity, Cyberscoop’s Sean Lyngaas reported.

PWNED: A bipartisan group of five senators introduced a bill Thursday that would provide $700 million in grants for rural telecoms to shed the Chinese firm Huawei from their networks.

The bill comes after a Trump administration executive order that banned Huawei from the United States’ next-generation 5G wireless networks and a Commerce Department action that blacklisted the company among U.S. suppliers of software and components.

The bill would codify the 5G ban into law and surge U.S. efforts to influence global 5G standards.

U.S. officials argue Huawei could be a vehicle for Chinese government spying, while the company has firmly denied the charge.  

The United States 5G Leadership Act was sponsored by Sens. Roger Wicker (R-Miss.), Tom Cotton (R-Ark.), Mark Warner (D-Va.), Ed Markey (D-Mass.) and Dan Sullivan (R-Alaska).


Cybersecurity news from the public sector:

The US intelligence community has briefed presidential campaigns on potential cybersecurity and espionage issues they may face ahead of the 2020 election.
U.S. Reps. Stephanie Murphy and Michael Waltz will file bipartisan legislation to require deferral officials to alert Congress and state and local officials when election systems are hacked.
orlando sentinel
One EPA employee said their office was tracking vulnerabilities on their own to avoid oversight from other agency components.

Cybersecurity news from the private sector:


Cybersecurity news from abroad:

The United Kingdom is preparing to invest 22 million pounds, the equivalent of almost $28 million, to open new cyber operation centers.
The Hill