Amid increased warnings of Russian interference in the midterm elections — and evidence that hackers are targeting candidates — congressional campaigns are trying to balance cybersecurity with the demands of competitive contests.
That’s especially difficult for small House campaigns. But experts warn that such campaigns, particularly in competitive races, are prime targets for hackers and foreign adversaries.
Traffic originating from Russia started increasing on Joe Radinovich’s campaign website around the time the Democratic-Farmer-Labor Party was conducting its endorsement process in the 8th District in northeastern Minnesota.
“That Russian activity kind of threw up a red flag for us,” said Jordan Hagert, Radinovich’s deputy campaign manager. The campaign turned to the Democratic Congressional Campaign Committee and House Minority Whip Steny H. Hoyer for advice.
Since then, Radinovich staffers have continued to monitor their website and emails. They have instituted some cybersecurity best practices such as two-step authentication and haven’t detected additional suspicious activity.
Hagert said he was not surprised to see Russian interest in their campaign, given that the general election will be competitive.
North Branch Mayor Kirsten Kennedy, who is also running for the DFL nod, said her campaign received an interview request and later figured out it was from a Russian media outlet. She declined the interview.
Kennedy said she was extremely concerned about cyberattacks on elections and critical infrastructure such as power grids. Even though one of her consultants focuses on cybersecurity, she said her campaign could be better protected.
Prioritizing cybersecurity is still a balancing act for campaigns like Radinovich’s and Kennedy’s. Both have small staffs laser-focused on winning the Aug. 14 primary.
The same is true for scores of other congressional campaigns as warnings and evidence mount that Russian hackers will once again be looking to meddle in a U.S. election.
ICYMI: McConnell Warns Russians to Keep Out of Elections, Schumer Wants More Than Words
A real threat
The threat of Russian interference ranges from hacking election machines to facilitating misinformation campaigns — and even cyberattacks on campaigns themselves.
“I would be surprised if it didn’t happen,” Rep. Ted Lieu said. The California Democrat is a member of the House Judiciary Committee and a DCCC regional vice chair.
Microsoft announced last week that it had thwarted Russian cyberattacks against three candidates, including one aimed at vulnerable Missouri Democratic Sen. Claire McCaskill. The company clarified this week that multiple attacks had actually been aimed at two legislators running for re-election.
“Through our Defending Democracy Program, we’re working with political campaigns to protect them from hacking, and we’re exploring technical solutions to preserve and protect electoral processes,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, said in an email.
Campaigns and party officials stress that they recognize cybersecurity is vital.
“I do think there has been an increase [in interest in cybersecurity] as we’ve gotten further in the cycle,” said Shauna Daly, who founded Progressive Security Corps last year to help campaigns defend against cyberattacks. “Whether that’s enough, I don’t really know.”
The revelations from Microsoft at the Aspen Security Forum signaled to House Intelligence ranking member Adam B. Schiff that the methods used by Russians to interfere in the 2016 election were back.
Russian hackers obtained documents damaging to Hillary Clinton’s presidential campaign and some other candidates when they successfully infiltrated the Democratic National Committee and the DCCC in 2016.
“They seem to be following the playbook,” Schiff, a California Democrat, said off the House floor last week.
News that McCaskill’s Senate staff had been the target of phishing emails linked to Russian hackers, first reported by The Daily Beast, was cast as the first sign of Russian meddling in 2018. The Missouri Senate race will be one of the most competitive in the country.
Some cybersecurity experts working with political organizations say the question isn’t if Russians and others will attempt to hack into campaigns — it’s how many they’ll target and if they’ll be successful.
And it’s not just foreign adversaries who are targeting campaigns. Experts warned that campaigns are vulnerable to attacks from others looking for opportunities to steal data or hijack it for ransom.
Former Gov. Phil Bredesen, a Tennessee Democrat who is running for Senate, notified federal authorities in March that his campaign received emails asking for money. The emails raised concerns that Bredesen’s campaign had been hacked. (The campaign did not return a request for comment.)
What’s being done
Most campaigns are not willing to discuss details about their cybersecurity practices — or even whether their staff receives cybersecurity training.
Roll Call contacted 24 House campaigns and 12 Senate campaigns involved in Toss-up races about cybersecurity.
Six House campaigns responded, and three of those said they mandated training for staff.
Of the four Senate campaigns who responded, two said their staffs receive cybersecurity training.
Campaign committees overseeing House and Senate races for each party have bolstered their own cybersecurity since the start of the cycle.
The DCCC has also issued guidelines and recommended specific technology to a “great deal” of campaigns, according to a committee aide.
The committee has also worked with specific vendors to offer discounted rates. Last year, it offered “caucus wide” briefings on cybersecurity to lawmakers, candidates and staff. The DCCC aide noted that “ultimately, it is up to their campaign to adopt and enforce these recommendations.”
Some have taken the committee’s advice.
The DCCC connected Democrat Mike Levin, who is running in California’s 49th District, with a cybersecurity specialist who is on his staff. Gil Cisneros, a Democrat running in the nearby 39th District, also employs a specialist on staff who ensures that all staffers are following cybersecurity protocols.
The concerns haven’t escaped Republicans. The National Republican Congressional Committee has a full time cybersecurity staff.
The entire staff for Minnesota Republican Carla Nelson participated in a May cybersecurity conference call with “Defending Digital Democracy,” a bipartisan project from Harvard University focused on election cybersecurity. The state senator is running in Minnesota’s 1st District, a Toss-up race.
Nelson campaign manager Joe Desilets said the campaign has mandatory password changes for staffers and uses two-factor authentication.
“After seeing some of the recent news, I’m glad that we took this seriously early on,” he said in an email.
Roughly 90 House and Senate campaigns participated in the conference call, according to Mari Dugas, the project coordinator for Defending Digital Democracy. The program’s senior fellows include former Clinton campaign manager Robby Mook and Mitt Romney’s 2012 campaign manager, Matt Rhoades.
Dugas said the May call included an overview of the program’s campaign cybersecurity playbook. She said the program hopes to hold additional conference calls, and the playbook has been distributed to more than 2,000 campaigns at the federal, state and local levels.
Slow to change
Dugas and others noted an uptick in campaigns interested in bolstering their cybersecurity as Election Day nears and news breaks of attempted hacks.
But some say there still is a lack of urgency, especially among campaigns with small staffs and limited resources.
“You’re using crappy chairs that make your back hurt for months. You save money on everything that you can,” said Daly, who was the DNC’s research director from 2009 to 2011.
Daly said it’s difficult to convince campaign staff to participate in an hour-long training about security.
“And until and unless they have been attacked, they don’t see the value of it,” she said.
Some campaign staffs may think they are too small and insignificant to be targeted, at least before winning a primary. But experts warn that campaigns in competitive races should not wait until after the primary election to follow best practices.
Dugas and Brian Franklin, a Democratic digital consultant who co-founded Campaign Defense, said campaigns can take steps that are cheap and relatively easy, such as using two-factor authentication and complex passwords.
Franklin said such practices, including training for staff, need to be mandated by the campaigns.
“If it’s not mandatory, you can’t expect people to voluntarily make their processes more difficult,” said Franklin, whose company is working with campaigns and party organizations to institute training and respond to breaches.
Daly suggested outside groups and donors should threaten to withhold money from campaigns not addressing the issue. Franklin said the campaign committees should also more be more aggressive in requiring training for campaign staff.
He also said there could be legal implications if campaigns are hacked. Lawyer Sue Friedberg, who specializes in cybersecurity, confirmed that states have various notification requirements if personal information is stolen.
For now the onus is on campaigns to implement guidelines and best practices.
It’s a similar challenge facing business startups, noted Mike Sager, the chief technology officer for EMILY’s List. He detailed his own suggestions for campaigns in a Medium post in May.
And whether campaigns like it or not, these experts say defending against cyberattacks is something campaigns will have to confront.
“This is never going to go away,” Sager said. “This is the world we live in now.”