Political campaigns worry they’re next for ransomware hits
Political campaigns are ramping up their protections, worried that the next in a rising number of ransomware attacks could target them.
Cyber criminals have gone after an ever-increasing number of targets, from Colonial Pipeline to JBS USA. And political campaigns are painfully familiar with risks after the 2016 attacks on the Democratic National Committee (DNC).
“I think we have already seen Armageddon in what happened in 2016 at the DNC,” said Jesse Thomas, senior director of impact and mobilization of the Democratic firm Bully Pulpit Interactive.
Russian hackers leaked thousands of Democratic National Committee emails ahead of the 2016 presidential election, doing damage to Democratic nominee Hillary Clinton.
“That was absolutely as bad as it could possibly get to have full penetration of the network and then having your internal documents used and weaponized,” Thomas added.
The intelligence community later concluded that the operation was a part of an effort by the Kremlin to interfere in the election. While the Russian efforts did not result in any changed votes, hackers were able to gain access to voter registration systems in Florida and Illinois.
Concerns have multiplied over cyber threats during the past year as organizations ranging from schools to hospitals to government agencies have been hit with ransomware attacks, which involve hackers encrypting systems and demanding payment to allow access again.
Presidential campaigns during the 2020 election cycle were also a target.
Microsoft announced in September that it was seeing hackers based in China, Russia and Iran target both the Trump and Biden campaigns. Google researchers also found evidence of attempted cyberattacks against the two campaigns by Chinese and Iranian government-backed hackers.
Other campaigns were also targeted, with Sen. Bernie Sanders (I-Vt.) briefed in early 2020 on Russian government efforts to interfere in the election in favor of his presidential campaign.
Experts told The Hill that political campaigns are often juicy targets for foreign governments and cyber criminals alike.
“[Campaigns] are squishy, perimeter enterprises,” said Michael Kaiser, the president and CEO of Defending Digital Campaigns (DDC), a group committed to defending federal campaigns from cyber threats, including ransomware attacks.
Kaiser said that campaigns differ from traditional companies in that they contain more parties that are susceptible to cyber threats, such as the candidate’s family, confidants, third-party vendors and fundraisers.
Members of Congress on both sides of the aisle have increasingly become concerned about cybersecurity threats to the nation. Following the recent major ransomware attacks, lawmakers told The Hill that they were concerned campaigns were vulnerable as well.
“Yes, ransomware is going to be a headache in everything,” Sen. Angus King (I-Maine), the co-chairman of the congressionally established Cyberspace Solarium Commission (CSC), told The Hill. “I think the more danger in campaigns is hack-and-leak and election meddling, disinformation. That’s what I am more worried about.”
“I think ransomware is a potential issue in elections, but I’m just as worried about malign influence, hack-and-leak, kinds of things we saw in 2016,” King noted.
Rep. Mike Gallagher (R-Wis.), the other co-chairman of the CSC, told The Hill that political campaigns were often particularly vulnerable to hackers due to the quick pace at which they are set up.
“The problem campaigns have is you’re building a weird startup on a short timeline, and so you don’t have resources to invest in cybersecurity, so they’re soft targets,” Gallagher said.
Campaign committees are also taking steps to ensure they are protected from ransomware attacks and other cyber threats.
“The DCCC is constantly monitoring and reexamining our infrastructure to protect against cyber threats. We are in regular communication with campaigns that need resources to protect their assets,” said Chris Taylor, spokesman for the Democratic Congressional Campaign Committee.
Additionally, the DCCC announced in March that it was bringing on its first-ever chief technology officer, Erica Joy Baker.
Republicans have also worked to beef up their cybersecurity operations.
“The NRCC [National Republican Congressional Committee] does not publicly discuss its operational security, but takes numerous steps to ensure its systems are secure,” said a source familiar with the group’s planning.
Campaigns and committees often do not go into detail about specific measures they’re taking in an effort to protect themselves.
“This is the other thing about cybersecurity in the political sector. … Would a cyberattack on a campaign look like a weakness?” Kaiser said.
DDC, which partnered with companies such as Microsoft and Google, offers training in areas ranging from password management to website protection.
Kaiser said his goal is to create a pipeline of knowledge on cybersecurity within the political campaign world.
“My long-term vision is we just start getting some of these people trained so they know it, so they move from campaign to campaign,” Kaiser said. “Learn it. Bring cybersecurity to the next campaign. We’ve got to lift the whole sector, and in this sector it’s a lot about people.”
DDC directly worked with more than 180 campaigns last cycle. Kaiser said a growing number of campaigns are beginning to recognize the need for more cybersecurity resources.
“There was a pretty good awareness about the need to do something in cybersecurity,” he said. “It’s not like people don’t know that these risks are out there and don’t know that there’s nothing they’re supposed to do.”
Experts say smaller campaigns, usually those that are not federal or statewide, are more vulnerable to cyber threats due to a lack of infrastructure. Federal and statewide campaigns, usually with the support of committees, tend to have more protection from threats.
“I worked for the Biden campaign remotely, and before I could access any of my information, I was shipped a token to be able to access anything which is a far cry from anything I’ve seen in previous presidential campaigns,” Thomas said.
Kaiser said the No. 1 priority for smaller campaigns with fewer resources should be multifactor authentication with a security key.
“That’s going to help against a ton of stuff but especially phishing attempts,” he said.
With 2021 mostly an off year for elections, Gallagher stressed that campaigns gearing up for 2022 should prioritize cybersecurity now and not later. The recent attacks, he said, are “wake-up calls.”
“The time was probably yesterday,” Gallagher said.