THE KEY

Two of the five leading Democratic presidential candidates won’t say whether they have installed basic cybersecurity protections for their 2020 campaigns to take on President Trump.

But the campaign of former vice president Joe Biden, who is leading Trump in most national polls, was more transparent, saying it’s providing staff with cybersecurity training and mandating they use extra protections when logging into digital accounts.  

“Biden for President is executing a comprehensive approach to defending, protecting and securing our digital ecosystem. We have brought on high-quality personnel, require the use of multi-factor authentication on all devices, and are training staff on cybersecurity best practices and tools to ensure the campaign infrastructure remains secure," said a campaign spokesman.

The Cybersecurity 202 asked the 23 Democrats running for president whether they had taken basic measures to protect their campaigns from hacking by foreign adversaries such as Russia, which stole emails from Hillary Clinton's campaign and the Democratic National Committee in 2016.

About half of them declined to say whether they had taken basic precautions to protect their information, such as requiring staff to use complex passwords for websites, passcodes for smartphones and encrypted apps for text messaging.

Hacking fears have dominated the presidential race following ex-special counsel Robert S. Mueller III's conclusion that Russia interfered in 2016 to tip the scales for President Trump — and warnings from U.S. intelligence and Homeland Security officials that they’ll likely try it again in 2020.

Trump further roiled the waters this week by suggesting he would listen to damaging information from foreign adversaries about his opponents before informing the FBI. That sparked renewed momentum in Congress for legislation requiring campaigns to alert the FBI about such contacts and to mandate election protections such as paper ballots and security audits.  

Despite the dangers, only three of the candidates who are polling highest in Iowa, the first caucus state, were willing to describe measures they’ve taken to protect their campaigns from being breached.

In addition to Biden, an aide to Sen. Kamala Harris of California told me her campaign is giving staff cybersecurity training, using encrypted messaging apps and protecting all digital accounts with multi-factor authentication — for example by requiring both a password and a unique SMS code to log in.

An aide for South Bend, Ind., Mayor Pete Buttigieg said his campaign had implemented those same security features plus others I asked about — which were primarily drawn from a cybersecurity checklist from the Democratic National Committee. Other questions focused on whether campaigns mandated that staff use complex passwords or a password manager tool and if they had a chief cybersecurity officer. 

Campaigns for Sens. Elizabeth Warren (Mass.) and Bernie Sanders (I-Vt.), however, declined to say anything about their cybersecurity protections and suggested that answering basic security questions could make the campaigns more vulnerable.

Overall, 12 of the 23 campaigns provided some information about their security protection, all of which said they were following most or all of the DNC’s major recommendations.

Other higher-polling campaigns that gave substantial answers include Sens. Amy Klobuchar (Minn.) and Michael Bennett (Colo.) as well as former congressmen Beto O’Rourke (Tex.) and John Delaney (Md.). Those who declined to answer or didn’t respond included Sen. Cory Booker (N.J.) and Rep. Tulsi Gabbard (Hawaii).

Trump’s reelection campaign also declined to describe its cybersecurity protections.

DNC Chief Security Officer Bob Lord told me in a statement that all campaigns should be following his cybersecurity checklist and that the DNC “continues to educate and work with campaigns and the entire Democratic ecosystem on best practices to improve our overall security posture.”

There’s little security value in hiding from attackers that you’re following basic cybersecurity best practices, Maurice Turner, a senior technologist at the Center for Democracy and Technology who focuses on election security, told me.

“Campaigns being secretive about whether they are using basic cyber hygiene practices is like not admitting to wearing a seat belt,” Turner said. “Anything but an immediate, unequivocal ‘yes’ doesn’t inspire confidence and leads to more questions.”

The nonanswers also suggest the candidates aren’t modeling good cybersecurity for the nation amid a crush of digital attacks that has damaged the privacy of nearly every American, Turner said.

“We need to be able to normalize these conversations because this is a threat everyone faces,” he said. “Everyone should feel comfortable knowing that their leaders understand these threats and are doing something about them.”

To be sure, there’s no evidence that campaigns that declined to describe their cybersecurity protections have instituted fewer protections than those that did.

And, in addition to the DNC checklist, there are numerous other cybersecurity aids for campaigns, including from private companies and a nonprofit organization that the Federal Election Commission recently approved to provide free or low-cost cybersecurity services to campaigns.

The Department of Homeland Security is also offering campaigns cybersecurity assistance including digital vulnerability scans.

This year, DHS has spoken with about a dozen presidential campaigns about cybersecurity protections, “many of which have expressed interest in continued engagement or utilizing election security services offered by DHS,” Matt Masterson, senior cybersecurity adviser for the department’s Cybersecurity and Infrastructure Security Agency, told me by email, though he didn't name the campaigns.

DHS also held a joint briefing for presidential campaigns last month with the FBI and the Office of the Director of National Intelligence, Masterson told me.

“Protecting 2020 will take a whole-of-nation effort, which is why we have sustained outreach and communication with campaigns and political committees throughout this election cycle,” he said.

PINGED, PATCHED, PWNED

PINGED: Senate Democrats are trying to use Trump’s comments that he might listen to stolen intelligence about his opponents provided by a foreign power to reinvigorate legislation aimed at protecting the 2020 contest — and they’re slamming Republican colleagues for not helping out.

Sen. Mark R. Warner (D-Va.) tried to push through legislation on Thursday that would require political campaigns to report to the FBI if foreign agents tried to give them dirt on opponents, but Republicans blocked the measure.

Sen. Ron Wyden (D-Ore.) also slammed Republicans in an email to me, saying, “The president has made perfectly clear that he has no problem with foreign hackers interfering in our democracy. If congressional Republicans don’t end their obstruction of election security legislation like my [Protecting American Votes and Elections Act of 2019], the only logical conclusion is they don’t have a problem with foreign interference, either.”

 

Sen. Amy Klobuchar (D-Minn.) called Trump's comments "inexcusable" and pushed two election security bills she's sponsoring. 

House Democrats are also prepping a wide array of election security bills following Trump’s comments. Here are all the details from my colleagues Mike DeBonis and Ellen Nakashima.

PATCHED: Senators from both sides of the aisle offered a stern warning to the Trump administration Thursday about its potential backpedaling on a series of restrictions on the Chinese telecom Huawei in the hopes of reaching a trade agreement with Beijing. “In no way should Huawei be used as a bargaining chip in trade negotiations,” Warner and Sen. Marco Rubio (R-Fla.) wrote in a letter yesterday to the State Department and the U.S. Trade Representative.

The senators also warn of “long-term security risks posed by Chinese telecommunications firms.” Schumer earlier warned that Senate Democrats would do all they could to block any Trump efforts to go easy on Huawei, calling it “a dire threat to our national security.”

PWNED: A phony LinkedIn profile created with artificial intelligence probably demonstrates how foreign powers are using social media to spy on Americans, the Associated Press’s Raphael Satter reports.

The profile for “Katie Jones” claimed she was a fellow at the Center for Strategic and International Studies think tank and had numerous high- profile Washington connections. But experts tell Satter they believe Jones doesn’t exist and the profile photo was generated by A.I. — probably as part of a foreign spying operation. Satter broke down the almost imperceptible clues that the image was a fake:

“William Evanina, director of the U.S. National Counterintelligence and Security Center, said foreign spies routinely use fake social media profiles to home in on American targets — and accused China in particular of waging “mass scale” spying on LinkedIn,” Satter reported.

“Instead of dispatching spies to some parking garage in the U.S. to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” Evanina told Satter. 

Here are more details on China's vast LinkedIn spying operations from Cyberscoop’s Jeff Stone
 

PUBLIC KEY

Cybersecurity news from the public sector:

The Senate Majority Leader and his allies are blocking reforms that would protect voting systems.
The New Yorker
The House Intelligence Committee heard alarming testimony Thursday that deepfake videos could be weaponized by foreign adversaries to sow divisions in the United States.
The Hill
A license plate scanning company was hacked, and now thousands of images of drivers are on the dark web.
Motherboard
As the city digs out from the ransomware attack, officials said they would be unable to send water bills in June.
The Baltimore Sun
WikiLeaks' founder Julian Assange is due before a London court on Friday, f...
Reuters
PRIVATE KEY

Cybersecurity news from the private sector:

Since March, criminals have been using hacking tools that were reportedly stolen from the National Security Agency in targeting companies around the world as part of a cryptomining campaign, researchers with cybersecurity company Trend Micro said Thursday.
CyberScoop
By building security into top-level domains, Google makes it harder for HTTPS to fall short.
Wired
Researchers have found two vulnerabilities in a type of infusion-pump system, which hospitals used to administer medication, that they say could allow a hacker to disable the device, infect it with malware, or create false readings.
Cyberscoop
SEC OCIE inspections finds that companies have failed to properly secure network-accessible storage systems.
ZDNet
THE NEW WILD WEST

Cybersecurity news from abroad:

Technology
The app, which says it has 200 million users worldwide, has been widely used in Hong Kong to coordinate demonstrations against a controversial extradition bill.
Rachel Siegel