FEC: Lawmakers and staff may use campaign funds for personal cybersecurity

The Federal Election Commission voted Thursday to allow members Congress to reallocate leftover campaign funds to protect personal electronic devices and accounts of members and staff.

FEC Commissioner Caroline Hunter wrote on behalf of the commission that spending on cyber hygiene and protective services would not constitute, "impermissible conversion of campaign funds to personal use."

Hunter's comments were addressed to Sen. Ron Wyden (D-Ore.), who requested the opinion from FEC.

The unanimous vote Thursday will allow members of Congress and staff to use campaign funds to purchase a range of hardware and software products to bolster their own security, including cell phones and computers, home routers, personal software and applications, firewalls, antivirus software, security keys, secure cloud services, password management tools, consulting, incident response services and others.

"With growing threats posed by foreign governments, it's crucial that elected officials get smarter about their cybersecurity," said Wyden on Twitter.

Wyden is finalizing details on a bill that would extend additional protections to the personal devices and accounts of members, a spokesperson confirmed to FCW.

While members of Congress can draw from cybersecurity resources at the House and Senate Sergeant-At-Arms to protect their official devices and accounts, they were unable to do so for personal ones or those of their families.

Randy Vickers, chief information security officer for the House of Representatives, told FCW in October that even though current rules limit the ability to spend appropriated dollars, they try to do what they can to "help [members] help themselves" as well as their families.

For instance, Vickers said the House allows members to sign up to five devices to its mobile threat platform, and members can add a personal cell phone or a family member's phone if they wish. House cybersecurity personnel can also offer free advice and consulting on how to secure home routers and other forms of personal IT.

"If they have an issue, we can't do the investigation, but we try to help them understand where the problem may have occurred or who to reach out to," said Vickers. "If it's something that deals with theft or something like that, they can always work with Capitol Police or local law enforcement if it's in the district. So, we try to find ways to help them through the process without physically doing the investigation."

In April, Mike Rogers, former head of the National Security Agency and U.S. CyberCom, told lawmakers that their personal devices and accounts were "prime targets for exploitation" by adversarial nation states.

Adversaries can also target spouses or children of lawmakers, who are not covered under many of the protections afforded to elected officials. Vickers said members of Congress can also fall victim to "collateral damage" from the actions of their family members.

"We actually had a staffer that was being heavily targeted because the individual's son had created some enemies in the gaming environment," said Vickers. "We have several dark web monitoring capabilities, and we use the members and various keywords, and anytime we see some type of physical threat or anything like that -- even if it's unsubstantiated -- we work with law enforcement to make sure that we have appropriate protections. So, we go as far as we can under the jurisdiction we have."