As our country struggles to piece together what happened in the 2016 election, the harsh reality is that the 2020 campaign is already under attack. Russia continues to hack, probe, and meddle and they’re not going to quit anytime soon.
And here’s something even more sobering to consider: our elected officials are not up the task to stop it.
The President has sided with Vladimir Putin. His enablers in Congress are too frightened of a presidential Twitter lashing to push back, and the rest of the federal government, including the FBI, CIA, and NSA, are focused on intelligence gathering and reactionary investigations.
Those running for office have been left on their own when it comes to combating foreign nation-state attacks, which are happening every single day in the form of phishing scams, DDOS attacks, network probes, social engineering schemes, and brute force intrusions. Indeed, on Thursday, Microsoft’s VP of Customer Security said the company had already intercepted attacks on three high-profile 2018 candidates that had been launched by the same Russian group that hacked the DNC.
For those running for office—or, even, with designs to do so down the road—let me state in unequivocal terms that the time to start prepping is now. Having served as the Chief Information Officer of the 2016 Democratic National Convention in Philadelphia, along with 15 years in the field, I am acutely aware of what happens when that prep work comes too late.
The most important step is to change IT security culture—or, in many cases, create one. It’s a way of thinking that must be practiced from the campaign manager down to the volunteers, along with a commitment to doing so in a smart way, so people can still function in their fast-paced, transient, high-pressure jobs.
IT Security is complicated, I know. But so is legal work, accounting, polling, compliance, and ad buying. Campaigns budget for those necessary services. And yet, they too often are frugal when it comes to engaging with IT security experts who can tell them what to do and how to stay out of trouble. After all, if you don’t know what to ask, or even what the threats are, what chance does your campaign stand against a nation-state hacking group?
The good news is that at the top level, major campaign committees like the DNC, DCCC, and DSCC are working to change the culture by investing millions of dollars into combating foreign attacks. The DNC installed a formidable CTO previously at Twitter and Uber, Raffi Krikorian, and added former Yahoo executive Bob Lord as Chief Security Officer. Both come from companies that are on the front lines of cyber attacks. They understand that IT security is not a piece of hardware you plug in or some software you install, but a holistic effort across an organization.
But the big organizations can’t be all that we worry about. Smaller and mid-tier campaigns are still falling short of the commitment needed. Worse, some still don’t recognize the seriousness of the problem. Many don’t even know where to begin.
Security and expertise costs money, and many campaigns—especially those that are just coming together, including prospective 2020 candidates—aren’t yet committed to funding these new needs.
Some folks might say, “Well, my campaign doesn’t have any interesting documents or data.” And they may be right!
But what they do have are people, and people who start on small campaigns end up working on larger campaigns later. If those people are compromised by lax security early on, they can unwittingly bring those compromised accounts and devices with them, compound the problem, and perpetuate the cycle. As the most recent Mueller indictment outlined, the DNC was compromised through a DCCC staffer’s account, who provided Russian actors an end-run around DNC security.
Finally, candidates, high profile surrogates, and staff need to take responsibility for all their personal accounts and devices. Everything you touch needs to be secured. The weakest link can create a cascading effect that leads to your private emails plastered across the Internet.
Do the Russians really care what you’re watching on Netflix? Probably not. But they do care about the billing address you have stored there and the answers to your security questions they can see once they’ve logged in. A single compromised account may not seem like a lot. But taken in aggregate, an attacker can build a profile over time to compromise more sensitive accounts like your email, iCloud, or Dropbox.
The most powerful tool in a hacker’s arsenal, in the end, is human error. And the best way to guard against human error is to start thinking critically about these issues now, before they became major problems down the road.
Campaigns need to recognize what’s at stake, or 2020 will turn into the Wild Wild West where Russia, China, Iran, or North Korea throw everything they have at attacking our democracy. After all, these countries know the current U.S. President may end up siding with them.