NRCC breach exposes gaps 2 years after Russia hacks

Democrats are seizing on recent revelations that the House GOP’s campaign arm was hacked earlier this year to spotlight that both parties are vulnerable to cyberattacks.

The FBI is investigating a cyber breach at the National Republican Congressional Committee (NRCC) that felt like déjà vu to many in Washington — hackers targeting political campaign groups. This time, however, the perpetrators aimed their digital tools at the GOP instead of Democrats.

“It creates more of a sense of how critical it is that we protect our infrastructure,” Sen. Roy Blunt (R-Mo.) told The Hill this week. “The federal government has certainly had plenty of hacks of their own, so we can't say with any certainty, ‘Do this like we do it you won't have a problem,’ because we've had plenty of problems.”


Four top aides at the NRCC — which was notified in April about the breach — learned that their emails had been surveilled for months, according to Politico, which first reported the intrusion.

Ian Prior, a public relations professional hired by the NRCC to oversee its response to the breach, confirmed the cyber intrusion.

“The NRCC can confirm that it was the victim of a cyber intrusion by an unknown entity,” said Prior, a former Justice Department official, in an email to The Hill. “The cybersecurity of the Committee’s data is paramount, and upon learning of the intrusion, the NRCC immediately launched an internal investigation and notified the FBI, which is now investigating the matter.”

Hackers likely breached a hosted email environment as a result of a password compromise, according to a source familiar with the matter.

The attack serves as a stark reminder that the targets of a cyberattack are fluid and changing. But it also has Democrats waving their fingers at Republicans for not heeding their warnings after the intelligence community concluded that Russia interfered in the 2016 presidential race. Back then Democrats told their GOP counterparts: It’s us this time, but you could be next.

“In their age-old routine of choosing party over country, Republicans swept the issue aside,” Rep. Bennie Thompson (Miss.), the top Democrat on the Homeland Security Committee, said in a statement after the NRCC hack was revealed.


“Now news of this hack — which was not released for months — makes it clear Republicans ignored election security at their own peril,” he said. “Democrats led on election security the entire 115th Congress and Republicans should have joined us.”

Nevertheless, Thompson and other top Democrats expected to lead key House committees next year say they will examine the matter during the 116th Congress.

“This is an issue that transcends party,” Rep. Jerrold Nadler (N.Y.), the top Democrat expected to lead the Judiciary panel, wrote on Twitter. “I hope more of my @HouseGOP colleagues will be willing to say so in the new Congress when House Judiciary and others take a close look at this systemic problem.”

Democrats are also resurfacing comments President Trump made earlier this year in which he asserted that Republicans have better cybersecurity after a series of damaging attacks against Democrats, including the ones on the Democratic National Committee (DNC) and John Podesta, who was campaign manager for former Secretary of State Hillary Clinton’s presidential bid.

“The DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses and they were able to be hacked,” Trump told CBS News earlier this year. “I heard they were trying to hack the Republicans too, but — and this may be wrong — but they had much stronger defenses.”

Former FBI Director James Comey told Congress last year that while hackers successfully breached an old Republican National Committee server during the election, their efforts to target the GOP paled in comparison to the Kremlin’s efforts to go after Democrats in 2016. While Russia-linked hackers infiltrated other Republican targets, the hackers did not leak those stolen files.

Lawmakers are still in the information-gathering stage with the NRCC hack.

The top members of the Senate Intelligence Committee — Chairman Richard Burr (R-N.C.) and Vice Chairman Mark Warner (D-Va.) — voiced interest in receiving a briefing from the FBI, which is investigating the hack.

Other lawmakers have also called for more details to be released.

“There's a lot more information that has to come out on the hack, how it happened, what happened,” said Sen. James Lankford (R-Okla.), who noted that it has not yet been announced who’s responsible for the breach.

“There's a big difference between a domestic hacker who got into them and a foreign hacker,” he added.

Warner has been vocal about his belief that Republicans need to be more wary of a potential breach of their systems.

“The truth is that there are foreign adversaries who, for the most part, want to simply disrupt our political system. And I think there was, for a while, some hubris from some of them — Republicans saying the Democrats were just sloppy in 2016,” Warner said on Thursday. “The truth is that both political parties have been attacked by the Russians in the 2016 cycle.”

During remarks on Friday, Warner noted that cybersecurity isn’t necessarily a priority for political campaigns and committees like the NRCC, who are more focused on getting their candidates into office.

“The ultimate startup is a political campaign,” the senator said at an event for the Center for a New American Security. “And the notion that cybersecurity’s going to be on the top three when your goal is getting reelecting or electing someone isn’t going to take place.”

Officials working on election security have acknowledged that more needs to be done to secure campaigns from cyberattacks, an issue amplified after three separate Democratic candidates in California were the victims of such attacks this election cycle.

The NRCC hack has also resurfaced questions about how political groups should respond when their opponents fall victim to a cyberattack.

Earlier this year, the two parties were reportedly in talks about how both sides would work together in the face of a politically motivated cyberattack, but those discussions fell apart after Republicans refused to agree not to use hacked materials, saying leaked information would be fair game to use if it became public.

It’s unclear if any information was stolen during the NRCC hack, but no data or emails have been publicly released like they were in 2016 with the DNC and Podesta hacks.

A document dump like the ones leading up to the 2016 election would force lawmakers and operatives across the political spectrum, as well as the media, to grapple with the question of whether to utilize the publicly available information.

Warner said on Friday that he wants Congress to take action on election security sooner rather than later, saying the U.S. needs to adopt a “whole-of-society” approach to combating adversaries like Russia in cyberspace.

If not, he warned, the U.S. and its political parties will continue to be the victim of cyberattacks that interfere in the electoral process.