The spotlight on cyber vulnerabilities of political campaigns has grown brighter after three Democratic campaigns in California were hacked during the state’s primary elections.
The campaigns of Bryan Caforio, Hans Keirstead and David Min all fell victim to cyber intrusions this year, underscoring a shortcoming that applies to political operations of various sizes: insufficient protections to guard against cyberattacks.
But having more cash on hand doesn’t always mean it’ll be used to beef up protections. A recent McClatchy analysis of Federal Election Commission filings found that only six candidates running for seats in the House and Senate this election cycle have spent more than $1,000 on cybersecurity measures.
Patrick Sullivan, head of the security team at cloud services provider Akamai Technologies, estimated that basic cybersecurity measures for a political campaign would cost around $2,000 a month.
“Depending on the level they want, those things can be pretty affordable to at least do the basic things like protect your website from defacement and distributed denial of service [DDoS] attacks,” Sullivan told The Hill. “You can purchase that as a utility over just a short period of time.”
The three House candidates whose campaigns suffered cyberattacks were running in competitive primaries for districts that are battlegrounds in the general election.
The nonpartisan Cook Political Report lists all three races as toss-ups, and the Democratic Congressional Campaign Committee (DCCC) dispatched field organizers in an attempt to flip the seats from Republican to Democrat.
Caforio, who lost by 2 percentage points to Katie Hill in California’s 25th District, was hit with DDoS attacks in late April that caused his campaign website to crash, as first reported by Rolling Stone.
Those attacks came at inopportune times for Caforio. The surge of traffic overwhelmed his site shortly before the biggest debate of the primary season.
Min faced a more subtle cyberattack as he battled his competitor in the 45th District. His campaign discovered malware in staffers’ computer files after a startup incubator — operating under the same roof as his campaign headquarters — noticed an unusual spike in server traffic in late March, according to a Min campaign source.
The DCCC viewed the incident as a sophisticated attack because of an unauthorized installation of key-logging software that avoided detection by the campaign’s anti-virus software, according to the campaign source. Min ultimately lost in the June primary to his opponent, Katie Porter, by 2.4 percentage points.
And in the 48th Congressional District, Keirstead conceded to Harley Rouda after a weeks-long ballot count led to a 126-vote difference. Keirstead described a series of cyberattacks against his campaign throughout the primary, including how hackers used thousands of username-password combinations in an attempt to break into his campaign website.
None of the campaigns suggested that they would have won their primary if the cyberattacks hadn’t taken place.
Authorities have not named any persons of interest in the digital intrusions. The FBI declined to comment, saying it “does not confirm or deny the existence of investigations.”
Sean Sullivan, a security adviser at cyber firm F-Secure, said a campaign’s cyber protections boil down to education — making sure all staff members are vigilant about protecting campaign websites, emails, cellphones and other connected devices.
"Bigger, more complex campaigns will have needs that scale exponentially, and the cost to secure their infrastructure will scale along with,” he told The Hill.
For some campaigns, cybersecurity didn't become a priority until after the primaries.
One Democratic operative currently involved in a California campaign said that after they made it through to the general election they hired a staffer, at a cost of about $4,000 a month, who's largely dedicated to protecting the campaign through cyber means.
“It has always been on the campaign’s mind, we didn’t necessarily have resources or time to get to it in the primary,” the operative told The Hill. “Once the primary was over, we made sure to find someone to take this off our plate and tighten this up for us.”
The operative said the cyber-focused staffer has tightened up cybersecurity by educating campaign staff, including interns, on best practices like having strong passwords, making sure both personal and campaign email accounts are secure and ensuring that they have more secure channels when it comes to internal communications.
The staffer, who has made sure the candidate and the candidate’s family are covered, also shares information with some of the other Democratic campaigns in the state, according to the operative.
“It isn’t every campaign, it is who has the capacity to hire someone,” the operative said.
The focus on securing campaigns and election systems comes after Russian efforts to interfere in the 2016 election, from a sophisticated disinformation campaign on social media networks to cyberattacks against Democratic groups and political figures.
Earlier this year, special counsel Robert MuellerRobert (Bob) MuellerSenate Democrats urge Garland not to fight court order to release Trump obstruction memo Why a special counsel is guaranteed if Biden chooses Yates, Cuomo or Jones as AG Barr taps attorney investigating Russia probe origins as special counsel MORE indicted 12 Russian intelligence officers for their alleged involvement in the cyberattack against the Democratic National Committee (DNC). And Dan CoatsDaniel (Dan) Ray CoatsOvernight Hillicon Valley — Scrutiny over Instagram's impact on teens Former national security officials warn antitrust bills could help China in tech race Cyber preparedness could save America's 'unsinkable aircraft carrier' MORE, the director of national intelligence, warned over the summer that the warning lights of another Russian cyberattack were “blinking red again.”
Congress hasn’t made much progress on efforts to protect campaigns from cyberattacks.
While bipartisan bills like the Secure Elections Act would strengthen the security of election systems and processes, such measures aren’t designed to protect campaign sites.
Rep. Jim LangevinJames (Jim) R. LangevinHillicon Valley — Presented by American Edge Project — Americans blame politicians, social media for spread of misinformation: poll Democrats urge federal agencies to address use of cryptocurrencies for ransomware payments Biden signs bill to strengthen K-12 school cybersecurity MORE (D-R.I.), co-chairman of the Congressional Cybersecurity Caucus, said campaigns are “one of the links” in the overall process of running elections, and he pointed to a bill known as the SHIELD Act would help address the matter by better coordinating cyber efforts between the Department of Homeland Security and campaign committees.
Campaign committees like the DNC and DCCC are also stepping up their guidance to campaigns in an effort to boost security.
The Democratic operative involved on the California campaign said cybersecurity began to grow in importance starting in 2014, while acknowledging that “it should’ve been earlier.” By the time of the Russian attack against the DNC, cyber was taken seriously — but the damaging DNC hack “really kind of changed the perspective.”
“We are starting to consider cybersecurity more of a priority,” the operative said.