By Joseph Marks
Sen. Bernie Sanders won't say whether his campaign has taken basic cybersecurity precautions. (AP Photo/Andrew Harnik)
Two of the five leading Democratic presidential candidates won’t say whether they have installed basic cybersecurity protections for their 2020 campaigns to take on President Trump.
But the campaign of former vice president Joe Biden, who is leading Trump in most national polls, was more transparent, saying it’s providing staff with cybersecurity training and mandating they use extra protections when logging into digital accounts.
“Biden for President is executing a comprehensive approach to defending, protecting and securing our digital ecosystem. We have brought on high-quality personnel, require the use of multi-factor authentication on all devices, and are training staff on cybersecurity best practices and tools to ensure the campaign infrastructure remains secure,” said a campaign spokesman.
The Cybersecurity 202 asked the 23 Democrats running for president whether they had taken basic measures to protect their campaigns from hacking by foreign adversaries such as Russia, which stole emails from Hillary Clinton's campaign and the Democratic National Committee in 2016.
About half of them declined to say whether they had taken basic precautions to protect their information, such as requiring staff to use complex passwords for websites, passcodes for smartphones and encrypted apps for text messaging.
Hacking fears have dominated the presidential race following ex-special counsel Robert S. Mueller III's conclusion that Russia interfered in 2016 to tip the scales for President Trump — and warnings from U.S. intelligence and Homeland Security officials that they’ll likely try it again in 2020.
Trump further roiled the waters this week by suggesting he would listen to damaging information from foreign adversaries about his opponents before informing the FBI. That sparked renewed momentum in Congress for legislation requiring campaigns to alert the FBI about such contacts and to mandate election protections such as paper ballots and security audits.
Despite the dangers, only three of the candidates who are polling highest in Iowa, the first caucus state, were willing to describe measures they’ve taken to protect their campaigns from being breached.
In addition to Biden, an aide to Sen. Kamala Harris of California told me her campaign is giving staff cybersecurity training, using encrypted messaging apps and protecting all digital accounts with multi-factor authentication — for example by requiring both a password and a unique SMS code to log in.
An aide for South Bend, Ind., Mayor Pete Buttigieg said his campaign had implemented those same security features plus others I asked about — which were primarily drawn from a cybersecurity checklist from the Democratic National Committee. Other questions focused on whether campaigns mandated that staff use complex passwords or a password manager tool and if they had a chief cybersecurity officer.
Campaigns for Sens. Elizabeth Warren (Mass.) and Bernie Sanders (I-Vt.), however, declined to say anything about their cybersecurity protections and suggested that answering basic security questions could make the campaigns more vulnerable.
Overall, 12 of the 23 campaigns provided some information about their security protection, all of which said they were following most or all of the DNC’s major recommendations.
Other higher-polling campaigns that gave substantial answers include Sens. Amy Klobuchar (Minn.) and Michael Bennet (Colo.) as well as former congressmen Beto O’Rourke (Tex.) and John Delaney (Md.). Those who declined to answer or didn’t respond included Sen. Cory Booker (N.J.) and Rep. Tulsi Gabbard (Hawaii).
Trump’s reelection campaign also declined to describe its cybersecurity protections.
DNC Chief Security Officer Bob Lord told me in a statement that all campaigns should be following his cybersecurity checklist and that the DNC “continues to educate and work with campaigns and the entire Democratic ecosystem on best practices to improve our overall security posture.”
There’s little security value in hiding from attackers that you’re following basic cybersecurity best practices, Maurice Turner, a senior technologist at the Center for Democracy and Technology who focuses on election security, told me.
“Campaigns being secretive about whether they are using basic cyber hygiene practices is like not admitting to wearing a seat belt,” Turner said. “Anything but an immediate, unequivocal ‘yes’ doesn’t inspire confidence and leads to more questions.”
The nonanswers also suggest the candidates aren’t modeling good cybersecurity for the nation amid a crush of digital attacks that has damaged the privacy of nearly every American, Turner said.
“We need to be able to normalize these conversations because this is a threat everyone faces,” he said. “Everyone should feel comfortable knowing that their leaders understand these threats and are doing something about them.”
To be sure, there’s no evidence that campaigns that declined to describe their cybersecurity protections have instituted fewer protections than those that did.
And, in addition to the DNC checklist, there are numerous other cybersecurity aids for campaigns, including from private companies and a nonprofit organization that the Federal Election Commission recently approved to provide free or low-cost cybersecurity services to campaigns.
The Department of Homeland Security is also offering campaigns cybersecurity assistance including digital vulnerability scans.
This year, DHS has spoken with about a dozen presidential campaigns about cybersecurity protections, “many of which have expressed interest in continued engagement or utilizing election security services offered by DHS,” Matt Masterson, senior cybersecurity adviser for the department’s Cybersecurity and Infrastructure Security Agency, told me by email, though he didn't name the campaigns.
DHS also held a joint briefing for presidential campaigns last month with the FBI and the Office of the Director of National Intelligence, Masterson told me.
“Protecting 2020 will take a whole-of-nation effort, which is why we have sustained outreach and communication with campaigns and political committees throughout this election cycle,” he said.
Sen. Mark R. Warner (D-Va.) speaks after hearing some of the testimony from Michael Cohen, President Trump's former lawyer, before a closed-door hearing of the Senate Intelligence Committee in February. (Alex Brandon/AP)
Sen. Mark R. Warner (D-Va.) tried to push through legislation on Thursday that would require political campaigns to report to the FBI if foreign agents tried to give them dirt on opponents, but Republicans blocked the measure.
Sen. Ron Wyden (D-Ore.) also slammed Republicans in an email to me, saying, “The president has made perfectly clear that he has no problem with foreign hackers interfering in our democracy. If congressional Republicans don’t end their obstruction of election security legislation like my [Protecting American Votes and Elections Act of 2019], the only logical conclusion is they don’t have a problem with foreign interference, either.”
Sen. Amy Klobuchar (D-Minn.) called Trump's comments "inexcusable" and pushed two election security bills she's sponsoring.
This is inexcusable. The President of the United States just effectively gave permission to foreign agents to interfere in our elections. We need my Secure Elections Act and Honest Ads Act passed immediately. The 2020 elections are not secure. Disgraceful. https://t.co/Ht8GwBA0Aj — Amy Klobuchar (@amyklobuchar) June 13, 2019
This image captured on June 11 shows part of a LinkedIn profile for someone who identified themselves as Katie Jones. The Associated Press has found it is one of many phantom profiles that lurk on the social media platform. (AP)
The profile for “Katie Jones” claimed she was a fellow at the Center for Strategic and International Studies think tank and had numerous high-profile Washington connections. But experts tell Satter they believe Jones doesn’t exist and the profile photo was generated by A.I. — probably as part of a foreign spying operation. Satter broke down the almost imperceptible clues that the image was a fake:
For a while now people have been worrying about the threat of “deepfakes,” AI-generated personas that are indistinguishable, or almost indistinguishable, from real live humans. I think I may have caught an example of one in the wild: https://t.co/yvZbK8RoQt pic.twitter.com/4FaNqtivEY — Raphael Satter @ RightsCon (@razhael) June 13, 2019
“Instead of dispatching spies to some parking garage in the U.S. to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” Evanina told Satter.
Here are more details on China's vast LinkedIn spying operations from Cyberscoop’s Jeff Stone.
Source: The Washington Post