If special counsel Robert Mueller’s report on Russian efforts to help President Trump’s 2016 campaign failed to answer all the questions from his Democratic rivals, it nonetheless made one point perfectly clear: the necessity of protecting themselves from foreign hackers.
Published in late April, the report detailed the Kremlin’s theft of “hundreds of thousands of documents” from the Democratic National Committee’s computer network and former presidential candidate Hillary Clinton’s campaign chairman, increasing pressure that has been building since U.S. intelligence agencies warned three years ago that Russia was attempting to sway the election.
Now, with the next presidential vote more than a year away, would-be Democratic contenders are already spending thousands of dollars to fortify their data and email networks against intruders, building on the efforts of national security officials who have far greater budgets.
Records filed with the Federal Election Commission show Sen. Kamala Harris, D-Calif., paid more than $7,200 for “cybersecurity services,” including to LinkedIn co-founder Allen Blue, who’s also providing cybersecurity help to Julián Castro, who served as secretary of the Department of Housing and Urban Development under President Barack Obama. Harris’ presidential campaign also spent $197 on Wickr, an encrypted messaging platform, and her Senate campaign shelled out $467 for it.
Washington Gov. Jay Inslee spent $19,500 on “cybersecurity consulting,” while Sen. Elizabeth Warren, D-Mass., purchased subscriptions to secure cloud storage companies such as Dropbox. Trump’s reelection campaign takes cybersecurity “very seriously” too, though spokesman Tim Murtaugh declined to comment on specific preparations.
Among the tools and tactics available to campaigns are two-factor authentication, restricting access to important files so they are not on a shared server, and segmenting networks, said Paul Rosenzweig, a senior fellow at the R Street Institute who works on national security and cybersecurity.
For candidates operating on a shoestring budget, Google offers services with souped-up security features tailored to campaign needs, said Clint Watts, a distinguished research fellow at the Foreign Policy Research Institute.
Campaign staff should be trained in how to recognize and report attempted cyberattacks or even suspicious in-person encounters such as phone calls, Watts said. “It’s more how do you detect and how do you respond, and what are our procedures,” he added. “You just come up with simple protocols and brief everybody.”
He also noted the possibility that hostile actors will approach campaigns with dirt on political opponents. “If you take that stuff, it puts you in a position to be compromised,” he said. “Every time you make one of these mistakes, it gives a foreign power leverage over you.”
Indeed, a decision by Trump’s son to meet with a Russian representative offering damaging information on Clinton in 2016 was one of the events that prompted the Mueller probe, which has overshadowed much of Trump’s presidency despite his repeated statements that there was “no collusion.”
“Some of the campaigns and many of the cybersecurity professionals … did not see the election system as a target” in 2016, according to Rosenzweig, which gave the Russians the advantage of surprise. Attitudes have shifted since then, he said, though the change has been “limited by the president’s unwillingness to acknowledge what everyone else in the country recognizes.”
DNC Chairman Tom Perez pledged that his party will not “seek out or weaponize stolen private data for political gain” and urged his counterpart, Republican National Committee Chairwoman Ronna McDaniel, to do the same.
“As the leaders of our country’s two largest political parties, we have a responsibility to protect the integrity of our democratic process,” he wrote in an open letter to McDaniel last month. “That’s why I urge you to join me in condemning the weaponization of stolen private data in our electoral process.”
A proposal before the FEC, meanwhile, could give campaigns access to cybersecurity services free of charge.
The plan comes from Robby Mook, Clinton’s campaign manager in 2016, and Matt Rhoades, who handled the same job for Mitt Romney in 2012. The two want to provide resources and training to protect campaigns from cyberattacks through a nonprofit group offering cybersecurity boot camps, software, and hardware. The tools would be available to any presidential candidate polling above 5% nationally, as well as House candidates who have raised at least $50,000 and Senate candidates who have raised $100,000.
“This is warfare,” Mook said during an FEC meeting April 11. “People are trying to disrupt our democracy.”
The commission hasn’t yet determined whether such services would constitute a prohibited campaign contribution, though the Campaign Legal Center, a watchdog group, says they would “reach a desirable policy outcome by improperly and dangerously bending the law.”
Rosenzweig argues there’s room for both nonprofit groups and political parties with deeper pockets to help.
“Cybersecurity should be off-book and shouldn’t be in the same way as cutting an ad or doing get-out-the-vote,” he said. “The parties should have a role, because they have greater capacity.”