Meet the Two Corporations Doing Their Part to Secure America’s Democracy

By: Heather McGuire

The many scandals surrounding the 2016 election cycle shed light on vulnerabilities within our electoral infrastructure. Several congressional committees, intelligence agencies, and the Department of Justice continue to drag out investigations;[1] meanwhile, two corporations have offered proactive solutions. To combat growing cybersecurity threats to the most visible actors in our political landscape, Microsoft Corporation (“Microsoft”) and Area 1 Security, Inc. (“Area 1”) now provide federal candidates and political committees (“PACs”) with specialized technology training, anti-phishing services, and breach support at minimal costs.[2]

Microsoft provides millions of users with cloud-based productivity software and email services, which puts it in a unique position to protect “election-sensitive” users against hacking.[3] In 2018, Microsoft introduced a package called “AccountGuard” to election-sensitive users on a nonpartisan basis for no additional cost.[4] To accept the package, eligible clients first need to opt in by providing Microsoft certain information about their online accounts.[5] Then, the users have access to three primary services: (1) documentation, webinars, and potentially in-person cybersecurity trainings; (2) Microsoft investigations of breaches by non-state actors; and (3) email and telephone technical support, to assist in securing online accounts and remediating any breaches.[6]

Similarly, Area 1 provides users with “the most imaginative, comprehensive, and effective solution for elimination phishing attacks.”[7] A phishing attack occurs when a phisher entices a user to unintentionally compromise the security of their network by opening an email, clicking a link, or completing a form.[8] Fortunately, Area 1 clients can rest easy knowing their phish threats are identified and stopped before damage occurs.[9] Area 1 offers contracts that charge an upfront, fixed fee described as “little to no cost” so long as the client employs fewer than 5,000 full-time employees and it can provide Area 1 with “a significant opportunity to improve its research and development initiatives.”[10] Area 1 correctly believed that many federal candidates and PACs could fit the bill.

But before Microsoft was able to launch AccountGuard, and before Area 1 could offer its “little to no cost” pricing tier to federal candidates and PACs, each corporation needed approval from the Federal Election Commission (“the Commission”) as their proposed services appeared to conflict with federal law. [11] which prohibits corporations from making contributions to the these election-sensitive clients without charge or at less than the “usual and normal charge.”[12] To square this conflict, the Commission reasoned that the two corporations could offer their services without making illegal in-kind contributions because each sought to deliver its service based on commercial and not political considerations, in the ordinary course of business.[13]

Microsoft demonstrated its business considerations by highlighting four points: (1) providing enhanced security services to election-sensitive entities would help Microsoft maintain and increase market share among these entities; (2) election-sensitive customers typically have fewer resources to spend on cybersecurity than Microsoft’s for-profit customers; (3) data received about online threats from election-sensitive customers – a type of threat intelligence that is of such value to Microsoft’s product development that it occasionally purchases this type of data from other companies – would be “highly valuable” to Microsoft’s cybersecurity development; and (4) AccountGuard would help Microsoft maintain its brand reputation given the public scrutiny regarding foreign attempts to influence elections.[14] The Commission was convinced.

Likewise, Area 1 demonstrated its business considerations by stating its expectation to gain valuable research and development benefits from servicing federal candidates and PACs because they are uniquely and specifically targeted by foreign cyber actors.[15] Further, the Commission acknowledged that Area 1 made the same pricing tier offer to similarly situated non-political clients including public-sector entities, educational institutions, start-ups, and section 501(c)(3) non-profit organizations, thus supporting its ordinary course of business argument.[16]

Cybersecurity concerns impact every American enterprise, but our political apparatus is of utmost concern. Not many corporations have embraced the challenge of protecting our election-sensitive individuals from cyberattacks, namely of foreign origination, because of daunting federal campaign finance laws. Though, in return for their efforts, Microsoft and Area 1 will reap the benefit of increasing market share and product development. Plus, an integral part of our democracy is secured.

Twitter/Instagram: @heather_mcg

Facebook: Heather McGuire

[1] See Marshall Cohen, et al., Tracking the Russia Investigations, CNN (May 31, 2019), https://www.cnn.com/interactive/2017/politics/russia-investigations/#/investigations/specialCounsel/all; Rowan Scarborough, Fusion GPS Allegations Spur Push for NRA-Russia Probe, The Wash. Times (Aug. 21, 2019), https://www.washingtontimes.com/news/2019/aug/21/fusion-gps-allegations-spur-fec-push-nra-russia-pr/.

[2] See FEC Advisory Op. No. 2018-11, at 1 (2018), available at https://www.fec.gov/files/legal/aos/2018-11/2018-11.pdf; FEC Advisory Op. No. AO 2019-12, at 1-2 (2019), available at https://www.fec.gov/files/legal/aos/2019-12/2019-12.pdf.

[3] FEC Advisory Op. No. 2018-11, at 1 (2018), available at https://www.fec.gov/files/legal/aos/2018-11/2018-11.pdf.

[4] See id.

[5] See id. at 2.

[6] See id.

[7] FEC Advisory Op. No. AO 2019-12, at 1 (2019), available at https://www.fec.gov/files/legal/aos/2019-12/2019-12.pdf.

[8] Id.

[9] See id. at 2.

[10] Id.

[11] See 11 C.F.R. § 100.52(d).

[12] FEC Advisory Op. No. 2018-11, at 1 (2018), available at https://www.fec.gov/files/legal/aos/2018-11/2018-11.pdf.

[13] See id. at 3.

[14] See id. at 2.