Federal Election Commission refuses to release computer security study

Flaws in election regulator's systems highlighted in Center for Public Integrity story

By

 Updated:

Next to the Federal Election Commission’s front door is a quotation from former U.S. Supreme Court Justice Louis Brandeis: “Sunlight is said to be the best of disinfectants." 

But the agency is refusing to uncloak a pricey, taxpayer-funded study that details decay in the security and management of its computer systems and networks, which the Center for Public Integrity revealed had been successfully infiltrated by Chinese hackers in October 2013.

The report — known within the FEC as the “NIST study” — also provides recommendations on how to fix the FEC’s problems and bring its computer systems in line with specific National Institute of Standards and Technology computer security protocols.

In denying the Center for Public Integrity’s Freedom of Information Act request for a copy of the study, the FEC primarily cited the “deliberative process privilege” in federal law, which is designed to “prevent injury to the quality of agency decisions.”

The Center for Public Integrity has appealed the decision of the FEC, which is responsible for enforcing and regulating the nation’s election laws and providing timely public disclosure of fundraising and spending by thousands of federal political candidates and committees.

The Center for Public Integrity did obtain through its Freedom of Information Act request 18 emails that together indicate top FEC staffers have for months considered this study — and the safety issues it addresses — a top priority.

FEC Chairwoman Ann Ravel, a Democrat, said Thursday that the FEC is not releasing the study because “the concern is that it contains information that details potential vulnerabilities.” She added that she believes, “without question, that the agency will be more secure” when it fixes problems pointed out by the study’s findings.

Ravel declined to discuss commissioners’ deliberations on the security study. Vice Chairman Matthew Petersen, a Republican, did not return a request for comment, nor did Commissioner Lee Goodman, a Republican who served as FEC chairman when the agency commissioned the study.

But Ravel confirmed that commissioners in July reviewed the study, which had been overseen by FEC Staff Director and Chief Information Officer Alec Palmer and conducted by Luray, Virginia-based consulting firm SD Solutions LLC.

An FEC employee familiar with the matter said commissioners in July conducted a closed-door meeting and approved hiring an outside firm to implement the study’s various recommendations. In a separate July meeting, the commission’s finance committee approved spending about $400,000 to pay for security improvements. Hiring a contractor remains a work in progress, the source said.

The security study itself wasn’t cheap: The FEC on Aug. 15, 2014, paid SD Solutions LLC $199,500 for what’s described in federal contract records as an “information technology gap analysis.”

A “gap analysis,” in government parlance, compares some aspect of a federal agency’s actual performance with what an agency would consider ideal performance.

Less comprehensive reports on the FEC’s security systems, including a broad annual survey of agency operations by contractor Leon Snead & Co., have highlighted notable flaws in the FEC’s computer and information technology systems.

“Without adopting and implementing National Institute of Science and Technology minimum security controls, the FEC’s computer network, data and information is at an increased risk of loss, theft, manipulation, [and] interruption of operations,” Leon Snead & Co.’s 2012 report stated.

FEC officials bristled at such assertions, saying its “systems are secure.”

Revelations in December 2013 about the Chinese hacking incident, which crippled its computer systems, changed the agency’s attitude.

Ravel acknowledged that “there was a lot of internal discussion” by FEC officials about security, and by early 2014, Goodman and Ravel — often at odds with one another politically and ideologically — said they were united in improving the FEC’s computer systems.

From there, the agency made steady progress toward improving its computer security.

It quickly began hiring new IT staffers.

In March 2014, the FEC requested Congress allocate it $1.51 million to address its obsolete computer systems.

And come the summer of 2014, the agency was seeking a contractor to comprehensively review those systems. It hired SD Solutions LLC to do the work.

In an email on Aug. 21, 2014, Palmer, the FEC’s staff director and chief information officer, told Goodman and Ravel that his staff was preparing for the study by “working on the timeline of all security related improvements and activities over the past 9 months and timeline related to the NIST study.”

On Oct. 31, Palmer thanked Deborah Tibbs, his special assistant, for attending a training course that would aid her in helping manage the study’s contract.

“We all know how critical this is in improving our security posture here at the FEC,” Palmer wrote Tibbs.

Contractor SD Solutions LLC appears to have completed its work this spring. On June 10, Palmer asked FEC Chief Information Security Officer Esteve Mede for an update on the study’s status.

“[W]e need to get the recommendations into the hands of the commissioners by the end of this month including all the cost related issues benefits risks etc. so they can make a decision and then we can set up a contract for execution before the end of the fiscal year,” Palmer wrote.

By June 29, Palmer was racing to present the study’s findings to the FEC’s six commissioners. He emailed five colleagues to ask if he could cancel a meeting with them.

“I need every minute I can get to complete the NIST recommendations (from the NIST study) for Commission review by the middle of the week.

On June 30, Palmer sent FEC commissioners several documents, including security recommendations made by contractor SD Solutions LLC.

“These documents are not to leave the FEC,” Palmer wrote.

Shortly afterward, Shana M. Broussard, an aide to FEC Commissioner Steven Walther, emailed Palmer for additional information. She also alerted Palmer that Walther might “take you up on your offer to meet” about the study prior to a July 15 meeting of the commission’s finance committee.

On July 2, Palmer sent FEC Commissioner Steven Walther an email titled “*Confidential: Fw: NIST Study and Recommendations - Confidential Documents.” The documents were not included in the FEC’s FOIA request response.

The National Institute of Standards and Technology said it did not possess a copy the FEC’s study, and therefore, could not provide it in response to a separate Freedom of Information Act request from the Center for Public Integrity.

This story was co-published with Poynter

Care about freedom of the press? Support independent investigative journalism.

Donate now
Donate now