On July 23, the entire staff of the Democratic National Committee received an email from the organization’s CEO, Seema Nanda. It was her first day on the job, and the email contained a link inviting staffers to RSVP for a meeting with their new boss. Several people clicked the link.
But the email was not sent by Nanda. It was a phishing attack, an innocent-looking email with a link that gives the hacker access to the recipient’s email, computer, or network. This was how the Russians had first penetrated the DNC during the 2016 campaign—except that this email came from the DNC’s own cybersecurity team. It was a test, one of a series of phishing attacks the DNC has launched against its employees to train them to be suspicious of all communications in order to keep the party safe. “We’re willing to go to absurd extremes within our own building, against our own staff, to try to make sure that they recognize things and report things, just that that muscle memory is in place,” says DNC Chief Technology Officer Raffi Krikorian, who previously ran Uber’s Advanced Technology Center and the security operation at Twitter.
Even those absurd extremes are not extreme enough. In the face of coordinated hacking efforts backed by the Russian state, there’s only so much Krikorian and his 30-person team can do on their own. When he ran security at Twitter, Krikorian had a team of 60 to 70 people. “We don’t have the budget for a 60 to 70-person security team, but we have the same target on our back,” he says. “I think this is where we need the federal government to step in.”
The federal government has taken steps to combat hacking elsewhere in elections. In March, Congress set aside $380 million for states to begin shoring up the security of their voting systems. The Department of Homeland Security is working to help states prepare for the midterms. But Congress has done nothing to protect political campaigns and parties from hacking—even though they are often the easiest prey for malicious actors seeking to derail a campaign.
During the 2016 election, the Russians launched cyberattacks on three prongs of the political system. They spread disinformation through fraudulent social-media accounts that reached millions of Americans. They penetrated state voter registration databases, succeeding in Illinois in stealing the personal information of half a million voters. And they hacked the DNC, the Democratic Congressional Campaign Committee, and Hillary Clinton’s campaign chairman, John Podesta, in order to access their internal communications and publish them online. It’s not entirely clear how much of an impact the first two efforts had, but the third changed the conversation around the election and possibly, its outcome. When DNC communications leaked days before the Democratic National Convention in Philadelphia appeared to show that the party apparatus had worked to secure Clinton’s nomination, many left-wing Democrats grew furious at the party and Clinton. A month before the election, less than an hour after the Washington Post published the Access Hollywood tape that showed Donald Trump bragging about sexually assaulting women, WikiLeaks grabbed the headlines by releasing a trove of Podesta’s emails. Even though many of the emails were as benign as a risotto recipe, they reinforced the narrative that the Clinton campaign had things to hide.
Two years later, Congress has acknowledged, in multiple hearings and proposed bills, the threat posed by unregulated social-media platforms and the dangers of insecure voting machines and voter registration databases—though it has yet to pass any legislation or allocate adequate funding to fix these problems. But Congress has not held a single hearing to address the vulnerability of political campaigns and parties.
“Congress has been asleep at the wheel,” says Daniel Schuman, policy director at the progressive nonprofit Demand Progress, where his portfolio includes cybersecurity issues. “They need to have hearings, figure out the issue, and then legislate on it. Congress needs to act like Congress.” Krikorian agrees. “Awareness of a problem and acceptance of a problem is step one,” he says. “So I feel like we haven’t gotten through step one yet.”
Already, several campaigns have come under attack ahead of the 2018 midterms. In July, Sen. Claire McCaskill, a Missouri Democrat in a tough reelection battle, acknowledged that the GRU, Russia’s intelligence agency, had targeted her Senate staff with a phishing campaign. McCaskill staffers received emails that appeared to come from the Microsoft Exchange email service they used, prompting them to click a link to change their passwords. McCaskill said the attacks were unsuccessful. Two other candidates whose identities have not been disclosed were targeted in the same attack, according to Microsoft, which first detected it.
Hans Keirstead, a Democrat who challenged the staunchly pro-Russian Rep. Dana Rohrabacher (R-Calif.), revealed earlier this month he had clicked on a malicious link and fallen victim to a phishing attack. A few days later, Reuters reported that David Min, a Democratic congressional candidate in a district that borders Rohrabacher’s, was also hacked. Keirstead and Min both came up short in their June primaries. Both districts are viewed as critical to Democrats’ efforts to retake control of the House of Representatives in November.
“If you take the premise that election security is a nonpartisan issue, training to manage yourself in a cyber-dangerous environment seems to be something that could be done across both parties,” says Krikorian. “It shouldn’t be left only to the DNC and district committees to be helping our campaigns.”
The day after Trump’s victory, Area 1 Security, a firm that specializes in preventing phishing attacks, detected a massive wave of them from the Kremlin’s intelligence arm. The Russians were seeking access to the private communications of thousands of Americans who worked in politics or government, or who had worked on campaigns years earlier. Russian intelligence, the firm deduced, was adding new names to its list of targets but never removing older ones. The lesson was ominous. “Once a target, always a target,” says Blake Darché, a former hacker with the National Security Agency and Area 1 cofounder. “These poor people have no idea what’s happening, and they’re probably all hacked.”
The discovery highlighted one of the myriad threats campaigns face. Any one of thousands of operatives cycling between campaign jobs and the private sector could be unknowingly compromised and become the vector for the Russians to infiltrate the next campaign.
“The situation is a complete disaster,” says Maciej Ceglowski, a developer and entrepreneur who has been volunteering to help Democratic House candidates with campaign security. Ceglowski founded Tech Solidarity, a nonprofit that connects volunteer technical staff with political campaigns, journalists, and nongovernmental organizations to provide cyber assistance. Campaigns, he says, need hands-on training on how to secure their email accounts, handle incoming attachments, and share documents. That training needs to extend to staffers’ personal accounts—Podesta’s personal email, not his campaign address, was hacked—something Ceglowski has found completely lacking. “Nobody is giving practical, actionable advice,” he says. “There is no one to call. A huge leadership vacuum.”
Krikorian says the DNC has long resisted a top-down approach to campaign management, so there’s no mandated security strategy, although it does recommend certain vendors and precautions like two-factor authentication to Democratic campaigns. The thinking, he says, is: “All politics is local in a lot of ways, so let them figure out what they need to do.” Politically, that makes sense. Technologically, it doesn’t. “I’m dealing with people who use both Microsoft and Google and Yahoo and all these other different services,” he says. “And we can’t keep track of all of them with a limited budget and a limited staff.”
Politicians, says Johns Hopkins University professor and cybersecurity expert Thomas Rid, are the “soft underbelly” of government security. Official congressional communications operate on government platforms with security protocols (though not always the best ones), but members’ campaign and personal accounts do not even have that, and are often the most attractive targets for hackers. In 2012, the Senate’s rules and ethics committees waived a requirement that official and campaign communications be separated so that senators would not have to carry two cellphones. Security is frequently sacrificed for convenience, and it’s unlikely all elected officials use essential security measures like two-factor authentication on campaign and personal email accounts. President Donald Trump reportedly uses cellphones lacking recommended security features to call his friends for advice and to access Twitter, rebuffing recommendations from his staff to cycle through phones frequently and have them regularly inspected by security experts.
“It’s just an incredibly insecure environment,” says Schuman, who used to advise Congress on telecommunications and national security as an attorney with the Congressional Research Service. On Capitol Hill, he says, there’s little awareness of how security works or urgency to improve it. Safety precautions are burdensome, and members and staff have not been trained on how to protect themselves. “This is, in significant part, a technological problem, but it’s even more of a social problem,” he says.
There is considerable disagreement about how to fix it. Some experts are wary of opening campaigns and parties to further scrutiny from the FBI and other intelligence agencies, fearing that the feds could end up spying on politicians. It’s not far-fetched: When Sen. Dianne Feinstein (D-Calif.) set out to investigate the CIA’s torture program during the Obama years, the agency spied on her staff’s computers.
Others believe the answer will come from outside government through partnerships with private security firms or nonprofits. It was Microsoft, after all, that detected the attacks on McCaskill and two other campaigns. But under campaign finance law, private companies cannot offer services at below-market rates, and campaigns generally spend every last dollar on television ads and get-out-the-vote operations, not pricey cybersecurity services. Nonprofits are by law nonpartisan, so any help they offer must be spread equally among political parties. And so, most people keep returning to the federal government as the ultimate answer to the problem.
Only one member of Congress, Rep. Terri Sewell (D-Ala.), has introduced legislation to address campaign cybersecurity. The Securing and Heightening the Integrity of our Elections and Lawful Democracy Act (SHIELD) Act would create a line of communication between DHS and the party committees on cybersecurity in order to update the committees about threats and improve their computer security. The E-Security Fellows Act, also introduced by Sewell, would create a program to train campaign staff in cybersecurity best practices. Both bills have been awaiting a hearing for more than a year.
“The fact that we haven’t had any hearings on [campaign cybersecurity], that we haven’t tried to expose this vulnerability, is just mind-boggling to me,” says Sewell, who serves on the House intelligence committee and is privy to classified intelligence on the issue. “We have all these swing districts in the 2018 election, we’re seeking to try to win back the House. If they can infiltrate individual campaigns, there’s vulnerability there. Russians or foreign sovereign nations could influence those kinds of elections as well. That’s a real danger.”
In the Senate, Ron Wyden (D-Ore.) has taken a different approach, urging executive-branch agencies to pitch in while Congress dithers. Last December, Wyden suggested to then-National Security Adviser H.R. McMaster that the Secret Service expand its mandate to include cybersecurity protections for the president and presidential candidates in order to secure their communications. McMaster, who left the White House in April, never responded.
Wyden also asked DHS to designate campaigns as critical infrastructure—a designation given to state election systems in January 2017 that makes them a priority for federal security assessments and aid, along with things like the electrical grid and nuclear facilities. Christopher Krebs, who runs the DHS division in charge of critical infrastructure, told Wyden the designation was not necessary. So in May, Wyden followed up with DHS, asking for details on how the agency helped campaigns in the 2016 and 2018 elections. DHS has not responded to Wyden.
“DHS actively engages with both major party campaign committees and a number campaigns,” a DHS official told Mother Jones. “We offer a number of trainings and services based on the need of a campaign or committee. We have met with leadership of the committees and provided on-site trainings.” The official declined to say how many campaigns had received cyberthreat-related services, or how long it took to get them once requested. In response to several questions about campaigns, the official touted DHS’s aid to states to improve their election cybersecurity.
Finally, Wyden reached out to the Federal Elections Commission, the one federal body with the ability to implement changes to campaign policies without legislation. Last year, after a gunman opened fire on members of Congress at a softball practice, the agency authorized candidates to use campaign funds for physical security measures at their homes. In May, Wyden asked the commission to take this a step further and allow members to use excess funds to protect their digital security. The commission has yet to vote on his recommendation.
Congressional inaction to secure campaigns is counterintuitive. In a legislative body rife with self-dealing, self-promotion, and even illegal self-enrichment, members are failing to implement cybersecurity reforms of which they would be the primary beneficiaries. Sewell says her two bills to shore up security were motivated in part by self-interest. “Having a meeting with my IT department just on our individual campaign, we didn’t even know where to start,” she says. “And I knew if I had that problem with my own campaign, others were doing the same.”
But it’s rare a campaign will admit it needs help. Rid, of Johns Hopkins, says the last time he can recall a member of Congress acknowledging a successful hack was in 2009, when Sen. Bill Nelson (D-Fla.) announced that his Senate computers had been breached. Yet given the numerous cyberattacks on the government, the private sector, and campaigns since then, Rid says, “Is it a plausible assumption that Congress has not been successfully breached since 2009? I don’t think that’s a plausible assumption to make.” The result is there is little awareness of the problem, and therefore little incentive to fix it. Darché, the phishing expert, once informed a member of an intelligence committee that the North Koreans were trying to phish the member, who dismissed the warning. (A staffer called Darché back the next day in a panic, asking for details.) Other experts relayed similar stories of issuing warnings to politicians only to have them shrugged off.
Schuman pins some of the blame for congressional inaction on the fact that members are ill-informed about security. From 1972 to 1995, Congress housed the Office of Technological Assessment, where a staff of more than 140 technologists advised members on the latest technological issues. When Republicans took Congress in 1995, they eliminated the office. Despite frequent calls for its return, largely from Democrats, Republicans continue to block it.
“People who could have advised Congress on things like cybersecurity or net neutrality or online infiltration of ad networks or whatever it may happen to be haven’t existed for 23 years, and this was done on purpose,” Schuman says. “They are dumb by design.”