bathrooms have signs urging people to wash their hands. But at the
Democratic National Committee, reminders hanging
in the men’s and women’s restrooms address a different kind of
Email is NOT a secure method of communication,” the signs read,
“and if you see something odd, say something.”
fliers are a visible symptom of an increased focus on cybersecurity
at the DNC, more than two years after hackers linked to the Russian
military looted the committee’s computer networks and inflamed the
party’s internal divides at the worst possible time for Hillary
Clinton. But the painful lessons of 2016 have yet to take hold
across the campaign world — which remains the soft underbelly for
cyberattacks aimed at disrupting the American political process.
making some strides in cybersecurity protections since 2016, cyber
experts and researchers say, many candidates and campaigns have yet
to implement standard safeguards to prevent breaches of their
computer networks, websites and emails.
just doesn’t seem to be as urgent of a concern in the conversations
I’ve had,” said Ronald Bushar, government chief technology officer
for FireEye, which has long tracked the Russian hacker group that
U.S. intelligent agencies say targeted the Democrats and Clinton.
the past two years, Bushar has consulted with numerous campaigns,
political committees and Capitol Hill staffers on cybersecurity
issues and advocated for greater investments in email security and
defenses such as 24-hour website intrusion monitoring. But he said,
“I don’t see a ton of that happening.”
a former FBI official told POLITICO that hackers are continuing to
target campaigns in an attempt to undermine November’s midterm
elections. At least two senators have recently discussed a spate of
cyberattacks targeting Congress.
lawmakers and the country’s top intelligence and law enforcement
agencies haven’t offered campaigns the same coordinated
cybersecurity assistance they’re providing to state governments,
which are receiving $380 million to safeguard their voting machines,
voter databases and other election systems.
with that federal help, states are largely unprepared to improve
their security before this November’s elections and are off to a
slow start to gird for 2020, a POLITICO
survey found last month. The situation may
be even more dire for political campaigns — short-lived, often
the Trump administration paraded out some of its highest-ranking
officials on Aug. 2 to reinforce the government’s commitment to
secure elections, Director of National Intelligence Dan Coats made
it clear politicians are under attack, too. “We ... know the
Russians try to hack into and steal information from candidates and
government officials alike,” he said.
recent weeks, Democratic Sens. Claire McCaskill of Missouri and
Jeanne Shaheen of New Hampshire both said email attacks have
targeted their Senate offices. McCaskill, a critic of both Trump and
Russia, is up for reelection this year in a deep-red state and has
blamed Moscow for the cyberattacks on her staff.
pretty obvious what Russia's trying to do. All of us have had plenty
of warning now,” McCaskill told POLITICO last week. “I don't think
my office and my campaign are the only ones that are taking
extraordinary efforts to try to protect our information.”
former FBI official with knowledge of cyberattacks on campaigns told
POLITICO that the assaults are ongoing and “campaigns are being
targeted.” The former official said it was unclear where these
efforts originated but that they are specifically targeting the
midterms and “in support of continuing to undermine the democratic
the former official said, the new attacks on campaigns are similar
to those that targeted the DNC and Clinton’s staff in 2016:
remote-access attempts to penetrate emails.
interviews, lawmakers and campaigns insisted they have made the
right security investments and have raised awareness on digital
threats enough to stop hackers and foreign adversaries. Neither the
DNC nor the Republican National Committee would specify the steps
they have taken, citing security concerns.
both parties have publicly disclosed some of their actions, such as
hosting security workshops with tech companies like Microsoft. The
DNC opened an “I Will Run” marketplace that directed potential
campaigns to use secure communication apps made by Signal and Wickr.
Some campaigns are also taking advantage of enhanced security
features that Google is offering for free to high-profile targets.
bottom line is that campaigns are both smarter about cybersecurity
than they were two years ago, take it more seriously, and, on
balance, have mitigated some of the cybersecurity risk that is out
there,” said Eric Rosenbach, co-director of the Harvard Kennedy
School's Belfer Center for Science and International Affairs.
said, when you’re starting from a very low bar, it’s easy to show
lots of improvement,” added Rosenbach, who leads the center’s
Defending Digital Democracy Project, a bipartisan effort devoted to
Sen. Cory Gardner, who chairs the National Republican Senatorial
Committee, said cybersecurity demands “constant vigilance” from
really is a real-time, ongoing effort to make sure people have the
tools they need to safeguard themselves and the process,” he told
POLITICO, adding that the NRSC’s digital team has had “very lengthy,
detailed conversations” with candidates, campaigns and vendors about
said the candidates he’s talked to “absolutely” understand the risk
of not protecting their sensitive data from hackers. “If they don’t,
they’re not running a good campaign.”
addition to the increased attention to security among campaigns and
candidates, many people working in politics and on the midterms feel
a growing sense of urgency and paranoia about the issue.
the fliers in the DNC’s bathrooms, which offer a raft of
cybersecurity advice including the proper use of Dropbox or Google
Drive and a warning against sending passport numbers by email.
Elsewhere in DNC headquarters, warnings give employees tips about
topics like enabling two-factor authentication — a step beyond
passwords to protect accounts.
cybersecurity alerts are posted in the bathrooms at the Democratic
Congressional Campaign Committee, another organization Russian
hackers breached in 2016.
RNC is working to raise security awareness, too. "Every email that’s
external gets marked as ‘external’ in the subject line,” a
development that’s taken place within the last couple of months,
according to a source at the RNC. (This can foil intruders who pose
as colleagues or bosses while trying to trick people into giving up
sensitive information.) In addition, committee staffers have to take
an online security test that runs them through “a bunch of different
scenarios” to assess their knowledge of best cyber practices.
Democratic operative, some of whose emails were stolen and released
during the 2016 DNC hacks, said she now avoids complaining about
other people in work emails. "Everyone has people they don’t get
along with, so we don’t bitch about people in email anymore," she
Democratic operative told POLITICO that many people working on
campaigns now use secure messaging apps such as Wickr and Signal.
getting more robust trainings on digital security, every six
months,” the person said. “People are more afraid, there's more
people using password managers and being more cautious about these
sorts of things."
April, Wickr has seen a three-fold increase in the number of
campaigns that use it, according to CEO Joel Wallenstrom. He said
more than half of Senate campaigns and over 70 political consulting
teams use the platform.
firm’s political and government lead, Audra Grassia, said that “the
vast majority of campaigns and political committees are 180 degrees
from where they were in the 2016 cycle” when it comes to
that said, “there’s no doubt” campaigns are “going to have a target
on their back as long as elected officials make huge policy
decisions,” Grassia added.
a statement, David Bergstein, the national press secretary of the
Democratic Senatorial Campaign Committee, said the organization has
“invested significantly in information security, has certified
information security professionals on staff who provide training and
we work with Senate campaigns to increase their cybersecurity
of the Belfer Center cautioned that while it’s important for the
tech firms to provide tips and capabilities for campaigns to improve
their security, “it’s much more important the campaign managers and
the leaders of the organization to make cybersecurity a priority.”
counterintuitive as it sounds, cybersecurity is a human problem,
it’s a leadership problem, it’s not a technical problem,” said
Rosenbach, whose organization last year published a campaign
he said, “should just assume from here on out, for the next several
decades at least, that they will be targets for cyberattackers, both
nation-state intelligence services and other nefarious individuals,
who are trying to have some influence on the political situation in
the United States.”
Tim Starks and Daniel Lippman
contributed to this report.