2020 Political Campaigns Are Trying To Avoid A 2016-Style Hack

Jan 28, 2020
Originally published on January 28, 2020 6:52 am

Paranoia is the best strategy for political campaigns when it comes to digital security. After all, who can forget the massive hack of the Hillary Clinton campaign's emails during the last presidential election and its embarrassing consequences?

The reelection campaign of Maine Sen. Angus King took this to heart. Lisa Kaplan, King's digital director, regularly sent out fake emails to her staff to "see who would click on them." Those emails during the 2018 campaign looked real — but they were not.

The goal was to keep staff members on their toes so they wouldn't fall for emails from real hackers intent on damaging the campaign.

"We would try to get them to do things like change their password for their email or change their password for the database we were using," Kaplan said.

It's this kind of attention to detail and seriousness about security that political veterans and party officials are urging on candidates and their staffs. Starting next week, the first votes in the 2020 Democratic presidential primaries will be cast. Even more campaigns — from congressional races to local contests for mayor and city council — are gearing up for November's election.

Communication is the lifeblood of any political campaign, but it can also be the thing that sinks it if messages get hacked or manipulated. Email and social media accounts can be taken over. Sensitive or embarrassing documents can be leaked, and false information can really damage a campaign.

Campaigns are especially vulnerable because they operate like startups: They're created from the ground up and add staff quickly. People move in and out of jobs quickly and bring in new phones and laptops.

"Campaigns are effectively startups, but their risk profile is more like established large businesses," said Mark Risher, who works on account security at Google.

Additional risk comes from staffers using personal cellphones, computers and email accounts to work on sensitive material.

That rapid, often chaotic growth creates openings for hackers.

"You have almost every worst-case scenario," said Mary Dickinson, a co-founder of U.S. CyberDome, a nonprofit offering free cybersecurity services to campaigns.

"You can't really do effective training because you've got people coming on board all the time," she said. And since it's normal for people to bring their own devices into the campaigns, "you've got used devices that are not scrubbed being brought into the food chain," Dickinson said.

The most infamous hack of a campaign happened in 2016, when Russians broke into the Gmail account of Hillary Clinton's campaign chair, John Podesta. Some of the emails were embarrassing, such as Clinton's paid speeches to Wall Street banks.

The Russians got into Podesta's email account through a phishing attack — where hackers send emails disguised to look like they're from a familiar sender or from a known entity like a bank. They try to trick people into handing over passwords.

Phishing is "very, very cheap to perpetrate [and] very, very easy to scale," Risher said. "The attackers get to keep trying again and again until they succeed, and the target only has to make a mistake once."

Nearly four years after the Clinton campaign email hack, phishing attacks haven't changed much, Risher said.

"The attackers are still mostly using the same techniques that were effective in 2016, 2017, 2018. They haven't evolved because they haven't needed to," he said.

Despite ample evidence that political figures are targets, they remain vulnerable. A recent national survey by Google and the Harris Poll asked politicians about their cybersecurity risks. Forty percent said they've had an account compromised in a phishing attack. And 60% said they haven't significantly updated the security of their accounts since 2016.

So what should campaigns do to get serious about security?

At the top of the list is taking basic precautions to protect email and other accounts.

That includes multifactor authentication, which requires people to enter not just a password but also a code sent to their smartphone or from a special hardware key. Experts also recommend using password managers and communicating on encrypted messaging apps, like Signal and Wickr.

It is not just candidates and staff who should be tightening up their online security but also the people operating in the periphery who might be helping out the campaign.

"You have a spouse that could be vulnerable; you have children; you have the candidate's best friend who's also the finance chair," said Michael Kaiser, president of Defending Digital Campaigns, another nonprofit that connects campaigns with free and discounted cybersecurity services and training.

If any of the campaign helpers have access to private information and they get hacked, their accounts can be used to target the candidate.

Experts say the focus in 2020 is not just on reducing risk but on planning how to respond if a cyberattack happens.

Otherwise, candidates will be battling adversaries not only at the ballot box but in their inboxes too.

Copyright 2020 NPR. To see more, visit https://www.npr.org.

NOEL KING, HOST:

During the 2016 campaign, Hillary Clinton's campaign emails were hacked. So in 2020, campaigns are on the defense to prevent that kind of thing from happening again. Here's NPR technology correspondent Shannon Bond.

SHANNON BOND, BYLINE: During Senator Angus King's reelection campaign in 2018, the suspicious emails were coming from inside the building.

LISA KAPLAN: We would send out these fake phishing emails and see who would click on them.

BOND: Lisa Kaplan was digital director for the Maine senator. The emails she sent looked real, but they were not.

KAPLAN: We would leave all of these little clues so that people should have picked up that it was not a real email. And we would try to get them to do things, like change their password for their email or change their password for the database we were using.

BOND: It was a strategy to keep staff on their toes so they wouldn't fall for emails from real hackers intent on damaging the campaign. That's the kind of paranoia that election campaigns need these days. Many of them are already in full swing, from the Democratic presidential primaries to congressional races to local contests for mayor and city council. Security experts and political veterans say they are vulnerable. Communication, which is the lifeblood of any political campaign, can also be the thing that sinks it if messages get hacked or manipulated. Email and social media accounts can be taken over, sensitive or embarrassing documents leaked. The campaign trail in particular presents unique challenges to digital security. Mark Risher works on account security at Google.

MARK RISHER: Campaigns are effectively startups, but their risk profile is more like established large businesses.

BOND: Campaigns are created from the ground up. People move in and out of jobs quickly and bring in new phones and laptops. Mary Dickinson is co-founder of US CyberDome, a nonprofit offering campaigns free cybersecurity services. She says this rapid, often chaotic growth creates openings for hackers.

MARY DICKINSON: You have almost every worst-case scenario. You can't really do effective training because you've got people coming on board all the time. You've got bring your own device as the norm. You've got used devices that are not scrubbed being brought into the food chain here.

BOND: The most infamous hack of a campaign happened in 2016. Russians broke into the Gmail account of Hillary Clinton's campaign chair, John Podesta. Some of the emails that came out were embarrassing, like Clinton's speeches to Wall Street banks. The Russians got into Podesta's email through a phishing attack. That's when hackers send emails disguised to look like they're from someone you know or your bank. They try to trick you into handing over your passwords. Google's Risher explains.

RISHER: The reality is that phishing, which is effectively just deceiving the target, the victim, into passing over information, is very, very cheap to perpetrate. And the target only has to make a mistake once.

BOND: Nearly four years after the Clinton email hack, Risher says phishing attacks haven't changed much.

RISHER: They haven't evolved because they haven't needed to.

BOND: So what should campaigns do to get serious about security? First on the list is taking basic precautions.

MICHAEL KAISER: Turning on multifactor authentication.

BOND: Michael Kaiser is president of Defending Digital Campaigns, another nonprofit that connects campaigns with free and discounted cybersecurity services and training.

KAISER: It's making sure that you're using, you know, better password practices like a password manager. It's using some form of encrypted communications.

BOND: And Kaiser says it's not just candidates and staff who should be tightening up their online security.

KAISER: So you have a spouse that could be vulnerable. You have children. You have the candidate's, you know, best friend who's also the finance chair.

BOND: Those people have access to private information. And if they get hacked, their accounts can be used to target the candidate. Experts say the focus in 2020 is not just on reducing risk but on planning how to respond if a cyberattack happens. Otherwise candidates will be battling adversaries not only at the ballot box but in their inboxes, too. Shannon Bond, NPR News, San Francisco.

(SOUNDBITE OF ATTUNE'S "THRILL")

Transcript provided by NPR, Copyright NPR.