The Federal Election Commission has refused to release a cybersecurity report over claims that doing so could expose vulnerabilities in its computer systems.
FEC chairwoman Ann Ravel said on Thursday that the agency would not release the report because of concerns “that it contains information” detailing “potential vulnerabilities.” The agency had previously denied a Freedom of Information Act request submitted by the Center for Public Integrity, a left-of-center nonprofit that engages in investigative journalism, to make the $199,500 analysis of the FEC’s systems public.
The organization filed a lawsuit against the FEC in July seeking to overturn the agency’s decision.
The analysis, performed by FD Solutions, was commissioned to reveal weaknesses and propose solutions for resolving them. The report follows a 2013 cyberattack, traced to perpetrators in China, that caused the agency’s website and computer systems to crash, and a 2014 study by the Office of Inspector General that found the FEC’s IT policies and standards out of date. The 2013 incident did not result in information being stolen, according to authorities, but disrupted access to campaign finance disclosures and highlighted security vulnerabilities.
The OIG’s report criticized, in part, the FEC’s failure to comply with the National Institute of Standards and Technology, or NIST, practices used by other federal departments. “The OIG believes that the IT security incidents that have occurred in recent years could possibly have been prevented or minimized if the agency had adopted and aligned with the government-wide security standards applicable to the FEC’s business processes,” the OIG stated.
In addition to identifying weaknesses, the analysis performed by FD Solutions was intended to identify where the FEC’s security failed to align with NIST standards, earning it an alternative name as the “NIST study.” Aside from those involved with its production, the only officials who have viewed it are the six FEC commissioners and the agency’s Chief Information Officer Alec Palmer.
Dave Levinthal, a senior political reporter for the Center for Public Integrity, disputed the basis for the FEC’s denial, telling the Washington Examiner that the report almost certainly contains information “that is unlikely to prevent the agency from doing its job or otherwise put it at imminent risk.” Even if it does contain sensitive information, Levinthal continued, “Agencies have the ability to release partially redacted versions of studies and documents if the release of certain information poses a threat.”
In a piece published on Friday, Levinthal stated that an employee for the FEC leaked the details of a closed-door meeting held in July at which commissioners approved hiring an external firm to implement the study’s recommendations. He also reported that the commission’s finance committee had approved a budget of $400,000 for the project.
However, the commission has yet to select a specific contractor, and it has not released a timeline for completing the upgrades. Until it makes some substantial progress, the agency will remain a target both for curious observers at home and hackers abroad.
