Campaign finance laws prohibit businesses and even many nonprofits from directly contributing to political campaigns. They can’t even send pizza. Now, the United States Federal Election Commission may apply the same laws to block a cybersecurity firm from offering free or low-cost defense services to campaigns, at a time when those protections are badly needed.

During the 2016 US presidential election, Russian hackers not only threatened election networks and voting systems, but wreaked havoc by targeting campaigns and political parties, particularly the Democratic National Committee, and leaking troves of sensitive data. The events showed the importance of implementing defenses against hacks like phishing, network intrusions, and denial-of-service attacks for even the most transient campaign efforts. But even long-running campaigns are by definition temporary. They want to spend their money on promotion, not IT. So more and more companies have offered free services to campaigns as a way to make stronger cybersecurity a no-brainer.

The FEC has allowed some of those to go through. Microsoft can offer free services to campaigns that already use the company's software and services, since it already offers some amount of free support, software patches, and feature updates to all of its customers. The commission recently approved two examples under campaign finance laws. And in May, it allowed a nonpartisan nonprofit known as Defending Digital Campaigns to provide free digital defense services to campaigns, since it was specifically funded with that narrow mission in mind.

These, though, appear to be the exceptions. The current advisory opinion request the FEC is considering, from the phishing defense firm Area 1 Security, presents a new type of test. The FEC has not finalized its opinion about whether Area 1 can legally offer free or low-cost services to campaigns, but the commission’s draft opinion so far indicates that it may not allow the arrangement.

The FEC argues that Area 1 hasn’t demonstrated enough of a tangible, quantifiable business reason to offer the low-cost services, and that therefore the firm could make that offer to curry political favor. The FEC's decision about Area 1 could have implications for the broader industry's ability to work with campaigns gratis.

Area 1 says the FEC's current draft conclusion represents a fundamental misunderstanding of how many tech companies, and especially cybersecurity firms, do business. Oren Falkowitz, CEO of the company and a former NSA analyst, says that Area 1 negotiates pricing with all of its customers on a sliding scale depending on their size, needs, and circumstances. He also notes that in some cases, the firm already provides free services to individual proprietors and consultants. Falkowitz says there are many reasons these arrangements are advantageous to his company. They allow Area 1 to tout a larger number of total users, for example, and give the firm access to network and incident data that helps with research and development. Falkowitz also notes that the firm sometimes takes on interesting or important clients at a reduced rate, because defending such clients strengthens morale within the company and motivates employees to work even harder on defense.

Area 1 and the FEC will trade comments ahead of a hearing on Thursday where the case will be discussed further. It is possible that the FEC will reverse its current conclusion. But in general, Falkowitz says, the experience has raised a larger concern for him about whether it is legal and practical for any cybersecurity firm to offer vital services to campaigns.

“If the commission is ruling against it, that would be a pretty significant blow to the candidates themselves and their desire to be protected,” he says. “This is something that has already hurt people. Campaigns got phishing emails, they clicked on those emails, and the rest is history. It makes me think the commission is out of step with the threat.”