Congressional campaigns rocked by Russian interference in the 2016 elections are trying to make sure that it never happens again.
Campaigns and elections are top targets for future cyberattacks. So campaign committees and campaigns themselves are taking steps to bolster security staff and training.
But is enough being done to help campaigns, outside groups, and election systems fortify their defenses?
Some worry the answer may be no. Potential upcoming risks could range from the release of sensitive documents by hackers to compromised voter files.
Rep. Eric Swalwell, a member of the House Intelligence Committee, said the federal government should be stepping up and assisting members of both parties with implementing cybersecurity best practices.
“I think, right now, every campaign’s on its own,” the California Democrat said.
Preparing for the worst
On any given day, campaign staffers are juggling events with voters, making fundraising calls, and coordinating volunteers going door-to-door. They’re laser-focused on getting their candidates elected.
So cybersecurity is not always high on the priority list.
“When you’re on a campaign itself you’re drinking from a firehose and you’re just trying to survive,” one veteran Democratic operative said. “You’re working 18 hours a day … You’ve got all these things you need to do.”
The workload isn’t likely to change. But after the Democratic National Committee and the Democratic Congressional Campaign Committee were hacked last year, campaign staffers know they have to make time for cybersecurity.
“Wake-up call is an understatement,” Sen. Angus King said of last year’s election interference. The Maine independent is a member of the Senate Intelligence Committee and is up for re-election in 2018.
With a new focus on cybersecurity comes a new problem: What exactly should be done to protect campaigns?
“My sense from talking to a lot of folks is Democrats recognize that this is a problem … but to a large degree, people aren’t sure what to do about it,” said Shauna Daly, a former research director at the DNC who co-founded the nonprofit Progressive Security Corps.
Even so, campaign leaders on both sides of the aisle are taking steps to prevent cyberattacks.
A DNC aide said the committee is adding a chief technology officer and a chief information security officer as part of a “full organizational restructuring.”
The DCCC has around-the-clock monitoring for its information systems. Cybersecurity training for staff is mandatory. Suggestions on how to improve cybersecurity are also included in the committee’s recommendations to campaigns that are preparing to launch.
The DCCC also sends a one-page document to candidates that describes best practices for information security — including how to secure emails, manage passwords and share files.
The Democratic Senatorial Campaign Committee has invested significantly in information security and has certified cybersecurity professionals who provide training, spokesman David Bergstein said.
At the National Republican Congressional Committee, spokesman Jesse Hunt called cybersecurity “an absolute priority.” The NRCC has hired a full-time cybersecurity team.
Some lawmakers are personally invested in the issue, and for good reason. Their cell phone numbers were leaked after the DCCC was hacked.
“I got 20 messages — including one with a lovingly recited recipe for cheesy shrimp,” said Rep. Jim Himes, a member of the Intelligence Committee and part of DCCC leadership.
The Connecticut Democrat noted that lawmakers and staffers are more aware of simple ways to improve security. Those include two-factor authentication, which adds a second layer of security beyond a password when accessing a digital account.
After the DCCC was hacked, Himes said lawmakers conferred several times with Crowdstrike — the firm hired to investigate the attack.
But since then, he said there has been a “light touch” on cybersecurity. Campaign leaders and lawmakers, he said, have shifting priorities.
“People get focused on [the special election in] Georgia 6th or their latest legislation or whatever,” Himes said. “So I do think we’re generally taking our eye off the ball.”
As Himes walked onto the House floor to vote last week, he said he hasn’t raised concerns with committee leadership.
“I probably should,” he said.
Cybersecurity experts say staff training can go a long way in helping staffers identify suspicious emails, implement two-factor authentication and develop complex passwords.
“Unfortunately, the soft spot in any election campaign is going to be the people,” said Ely Kahn, former director of cybersecurity at the National Security Council and co-founder of the information security company Sqrrl.
Though some committees such as the DCCC provide cybersecurity training, it is not clear if that is a common practice among House and Senate campaigns of both parties.
Many candidates are just starting to jump into the hundreds of races across the country, and it will be some time before the top contenders emerge.
Sen. James Lankford, a member of the Senate Intelligence Committee, doubted campaigns were being given detailed guidance on cybersecurity because it is still primary season.
“There are so many candidates out there and a lot of them are not connected with the DNC or RNC at this point,” the Oklahoma Republican said.
Daly, of Progressive Security Corps, said campaign committees keep primary campaigns at arms length until the voters choose a nominee. And that could be an issue with the boon of Democratic candidates running in 2018.
“Those folks are really going on their own, which is scary,” Daly said.
On their own
Some campaigns and operatives are taking matters into their own hands.
“Yes,” Sen. Claire McCaskill said when asked if she was concerned about cyberattacks.
“Yes” also was her answer when asked if her campaign was taking new steps to protect against such attacks this cycle.
And would she detail those steps?
The Missouri Democrat is running in one of the most closely watched Senate races of the cycle.
McCaskill and other incumbents up for re-election say they’re stepping up their cyberdefenses, but won’t discuss the details.
Sen. Martin Heinrich, a member of the Intelligence Committee, said his 2018 campaign is working to strengthen security.
“We’re going to have a conversation with every campaign employee or volunteer who has a campaign digital account and make sure that they understand basic things like: Google does not send you an email saying, ‘click here to update your password,’” the New Mexico Democrat said.
Some campaign staffers use apps like Signal that send encrypted messages.
“I think people always assumed, rightly or wrongly, that your emails were safe, your texts were safe, everything was safe,” one campaign operative said. “And that isn’t the case.”
Campaign veterans like Daly also are offering training and guidance.
Democratic digital consultant Brian Franklin has launched a new company called Campaign Defense that will provide behavioral training — for example, how to respond to a suspicious email.
His company would also provide access to an incident response firm and legal experts if a client is hacked. Franklin plans to reach out to the DNC and the congressional committees about providing such services.
“A lot of these campaigns just simply don’t have the education,” Franklin said. “They just don’t know what not to do.”
DSCC Chairman Chris Van Hollen wants the FBI to play a more active role.
The Maryland Democrat plans to introduce legislation before the August recess that would establish an FBI cybersecurity liaison to presidential campaigns and the party committees.
“The hacking of the DNC and the DCCC changed everybody’s calculus about this,” Van Hollen said.
Lawmakers and experts warn that the cybersecurity threat goes beyond the committees and the campaigns.
“We have to recognize that there are bad actors out there and that they will try to influence the election process,” said Sen. Mike Rounds, who chairs the Armed Services Cybersecurity Subcommittee.
That means states, the federal government, “those that create and contract to help people with campaigns” and other organizations are potential targets, the South Dakota Republican said.
Heinrich said what concerns him most are attempts to infiltrate voting machines and voter files, which occurred in 2016.
A Department of Homeland Security official told the Senate Intelligence Committee this month that election systems in 21 states were potentially targeted by Russian operatives.
Lawmakers are still weighing how to combat those threats.
Sen. Amy Klobuchar said last week that she intends to introduce legislation boosting funding for states to address them. The Minnesota Democrat is up for re-election next year.
Lawmakers are sounding the alarm about ill-prepared voting systems and the need to prevent future attacks. But they say they also need to know what happened during the 2016 campaign season.
Kahn, the former NSC cybersecurity director, noted that one of the worst scenarios for cyberattacks — a foreign government influencing an election — has already happened.
“Unfortunately, we’re living that nightmare,” Kahn said.
Correction: A earlier version of the story misstated the name of the company Campaign Defense.