A repeat of the hack targeting John Podesta could well happen again.
It’s the eve of Election Day 2020, and political reporters have just received an incendiary email. Donald Trump’s campaign has sent out grainy cellphone footage of his Democratic challenger, Joe Biden, at a private meeting with wealthy donors, ridiculing Americans who voted for the president in 2016 and plotting how to trick them into backing him instead.
Except Biden never made the remarks and Trump never shared them. A few overeager journalists post the video on Twitter before fully investigating its authenticity, causing the clip to spread on social media faster than the presidential campaigns and the press can expose it as a fraud. U.S. authorities will eventually attribute the deception to North Korean hackers, impersonating the Trump campaign’s domain name and deploying deepfake technology to keep their preferred nuclear-talks counterpart in office. But that won’t happen for weeks, well after Americans have chosen their next leader.
Such a hypothetical scenario isn’t implausible. In fact, it’s a type of threat that the email-security firm Agari flagged in a recent report. Three and a half years have passed since John Podesta, the chairman of Hillary Clinton’s presidential campaign, fell for a phishing email—granting Russian hackers, and thereby the world, access to his Gmail account and coming to embody the devastating ways foreign governments can meddle in democratic politics. In light of that trauma, the current crop of presidential campaigns has made progress in fortifying their digital operations. But according to those who have worked with the campaigns on these efforts, they nevertheless remain vulnerable to attack and lack cybersecurity best practices.
“The risk is more than reasonable that another Podesta-like attack could take place,” Armen Najarian, Agari’s chief marketing officer, told me.
Christopher Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which has consulted with every 2020 presidential campaign, has described the hack and leak of Democratic Party documents in 2016 as “the most impactful” element of the Kremlin’s interference in that race. “Shame on us if we’re not ready this time around,” he has said. With just over a year until the election, it’s far from clear that the candidates are.
It’s tough to precisely assess the presidential candidates’ preparedness, because they’re divulging few details about the precautions they’re taking. When The Atlantic contacted representatives of Trump’s campaign and the top 10 Democratic campaigns, many officials declined to comment on their approach to digital security on the grounds that revealing the measures would render them less effective. “We take cybersecurity very seriously and we do not comment on our preparations,” Tim Murtaugh, the communications director for the president’s reelection campaign, told The Atlantic in an emblematic response.
A few candidates offered some details. Ian Sams, the press secretary for Kamala Harris, told The Atlantic that the campaign is mandating that all staff use encrypted messaging services and two-factor authentication to access accounts. A spokesperson for Beto O’Rourke said the campaign trains staff on defending against cyberattacks as part of its onboarding process, requires staffers to protect mobile devices with complex passwords, and uses secure messaging channels. The Biden campaign has a chief technology officer, and Pete Buttigieg’s campaign recently became the first to publicize that it had hired a chief information-security officer.
Joel Wallenstrom, the CEO of Wickr, which along with Signal has become a popular encrypted messaging app for political campaigns, told me his service hasn’t replaced email for these campaigns but is being employed as a dedicated channel for sharing sensitive information, such as polling data and opposition research. This not only shelters the material, he said, but also makes it more difficult for adversaries to bait campaign staff with these documents through other channels like email without raising suspicions.
Nevertheless, Agari has found that only four of the 13 presidential candidates polling at 1 percent or above—Biden, Elizabeth Warren, Cory Booker, and Tulsi Gabbard—have implemented a policy that in its estimation would prevent emails spoofing their campaign-site domains from reaching the inboxes of voters, donors, reporters, or other recipients. As a point of comparison, the Department of Homeland Security now requires all federal agencies to aim for adopting this level of protection against email-spoofing.
Among those who haven’t taken this step, according to Agari’s assessment as of August 20: the campaigns of leading candidates such as Trump, Bernie Sanders, Harris, and Buttigieg. The policies of the Harris and Buttigieg campaigns deposit such unauthenticated communications into recipients’ spam folders, while the campaigns of Trump and Sanders have controls in place to monitor unvalidated messages, but no protocols to block or quarantine these emails.
Agari has also discovered that only two campaigns—those of Warren and Trump’s Republican challenger, Bill Weld—are using tools beyond the standard suite of security features provided by Google or Microsoft to guard against email breaches.
The company, of course, has business interests in highlighting the need for email-security services. But it doesn’t necessarily stand to profit from the 2020 presidential campaigns getting more serious about the issue. In keeping with recent rulings by the Federal Election Commission that amount to a workaround to campaign-finance laws, Agari is planning to offer its Secure Email Cloud service—which can cost tens or hundreds of thousands of dollars depending on an organization’s size—to campaigns for free through Harvard University’s Defending Digital Democracy project. (Najarian said the firm is also working directly with one presidential campaign, but declined to specify which one.)
Since 2016, Najarian added, the threat has evolved to include more frequent spear phishing with no malicious link, attachment, or software, which is difficult for security tools to detect. It’s essentially “a crime of identity deception” and a form of social engineering, he explained, citing as an example Weld’s campaign manager receiving a personalized email that appears to be from an administrative assistant requesting the password for the campaign’s Box.com account.
And while Russia could reprise its interference in 2020, it’s not the only potential state aggressor. Iran, aggrieved by Trump’s withdrawal from their nuclear deal, has been ramping up political-influence operations on social media in the United States and could redeploy hackers that have long assaulted the American private sector. The North Koreans demonstrated a willingness to hack and leak documents for political ends in retaliating against Sony Pictures over the 2014 release of The Interview. Chinese hackers targeted the campaigns of Barack Obama and John McCain in 2008 and that of Mitt Romney in 2012, though their modus operandi to date has been to gather information rather than weaponize it.
“The [security] tools are free. They’re relatively easily [implemented]. It’s table stakes because we know that this email-attack vector is going to be targeted,” Najarian told me. “Why wouldn’t you prioritize this?”
Campaigns are soft targets by their very nature: chaotic, sprawling, in perpetual flux, often cash-strapped, and moving at a rapid clip that leaves little room for elaborate security measures. A stark asymmetry is also at work when a foreign government turns its cybertroops on a long tail of way less tech-savvy campaign staff. Disaster requires only one weak link—one staffer working on a malware-infested personal device or neglecting to install software updates.
It’s in this context that the Federal Election Commission has given its blessing to Harvard’s Defending Digital Democracy project to provide subsidized or free commercial security services to campaigns. The project’s nonprofit arm is now developing ways to offer all campaigns the basics, including an office suite (such as Google’s G Suite or Microsoft Office 365, along with tools such as physical security keys), encrypted communications platforms, and endpoint protection for the various devices each staffer uses.
But this focus on fundamentals is illustrative of just how much work remains to be done before Election Day 2020. Asked whether the presidential campaigns are taking part in simulations of security breaches, Robby Mook, Hillary Clinton’s former campaign manager and one of the leaders of the Harvard project, told me, “We need to get wider adoption of [cybersecurity] best practices before we’re even ready for that.”
“We are trying to set up some new systems that didn’t exist [in 2016], but the fact remains that you have highly sophisticated [hostile] actors going at these campaigns, and the campaigns are basically on their own,” Mook said. “There is no one today who is accountable for this. The federal government takes responsibility for the physical protection of candidates in the presidential races. They do not take responsibility for the cyberprotection of the candidates and their families.”
Wallenstrom, who said he has been approached by campaign officials for advice on which information-security chiefs to recruit, told me one obstacle to filling these positions is that they are “not very high-paying,” require a regular presence on the campaign trail, and are less likely to feature “the resources, budget, and capabilities to be successful” relative to a corporate setting. Anyone who takes the job “better be pretty mission-focused,” he explained.
Maciej Ceglowski, a tech entrepreneur who helped provide security training to dozens of Democratic congressional campaigns ahead of the 2018 midterm elections, argues that election-security efforts have not sufficiently focused on protecting the personal accounts of campaign staffers and their family members, which often contain more damaging content than work accounts and offer hackers a means of accessing those professional accounts anyway. (Recall that Russian hackers broke into Podesta’s personal Gmail account, along with the Democratic National Committee’s computer network. Clinton’s campaign actually took many of the steps still considered crucial today: two-factor authentication for campaign email accounts, the auto-deletion of emails more than a month old, phishing drills for staff, even messages about digital hygiene in campaign-office bathrooms.) Safeguarding everything but personal data “is like putting a lock on your glove compartment to deter car theft,” Ceglowski writes.
“For a lot of candidates, there’s just a disconnect when they think about campaign security: They’re thinking about Russians hacking into their database. They’re not thinking about their personal email, their kids’ email, and all that,” Mook said. “People want to do this. It’s not resistance. It’s just, they don’t know how or they can’t afford it.”
Mook noted that email remains the primary digital vulnerability for campaigns, because everyone has an account, but the risks don’t end there. He is concerned, for instance, that an adversary could launch a denial of service attack on a campaign website the night of the candidate’s convention speech. “That could literally result in a campaign losing millions of dollars,” he said.
Nonetheless, he stressed that one of the most significant shifts since the 2016 election is that cybersecurity has today become a part of campaign culture. “If it doesn’t need to go on email, it doesn’t,” he said. “If it doesn’t need to be said digitally, it shouldn’t be.”
The question is whether culture can change at the warp speed of politics. Reflecting on his struggles to guide Democratic congressional campaigns and national organizations away from relying on hazardous email attachments and toward embracing Signal and shared Google Docs, Ceglowski likened the experience to preaching abstinence from sex: “You know the moment you leave the room, they’ll be double-clicking on whatever Excel spreadsheet the [Democratic Congressional Campaign Committee] forwarded them that day.”
Christian Paz contributed reporting to this article.