The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Two leading Democratic 2020 candidates won't say if they've taken basic cybersecurity measures

with Tonya Riley


Two of the five leading Democratic presidential candidates won’t say whether they have installed basic cybersecurity protections for their 2020 campaigns to take on President Trump.

But the campaign of former vice president Joe Biden, who is leading Trump in most national polls, was more transparent, saying it’s providing staff with cybersecurity training and mandating they use extra protections when logging into digital accounts.  

“Biden for President is executing a comprehensive approach to defending, protecting and securing our digital ecosystem. We have brought on high-quality personnel, require the use of multi-factor authentication on all devices, and are training staff on cybersecurity best practices and tools to ensure the campaign infrastructure remains secure,” said a campaign spokesman.

The Cybersecurity 202 asked the 23 Democrats running for president whether they had taken basic measures to protect their campaigns from hacking by foreign adversaries such as Russia, which stole emails from Hillary Clinton's campaign and the Democratic National Committee in 2016.

About half of them declined to say whether they had taken basic precautions to protect their information, such as requiring staff to use complex passwords for websites, passcodes for smartphones and encrypted apps for text messaging.

Hacking fears have dominated the presidential race following ex-special counsel Robert S. Mueller III's conclusion that Russia interfered in 2016 to tip the scales for President Trump — and warnings from U.S. intelligence and Homeland Security officials that they’ll likely try it again in 2020.

Trump further roiled the waters this week by suggesting he would listen to damaging information from foreign adversaries about his opponents before informing the FBI. That sparked renewed momentum in Congress for legislation requiring campaigns to alert the FBI about such contacts and to mandate election protections such as paper ballots and security audits.  

Despite the dangers, only three of the candidates who are polling highest in Iowa, the first caucus state, were willing to describe measures they’ve taken to protect their campaigns from being breached.

In addition to Biden, an aide to Sen. Kamala Harris of California told me her campaign is giving staff cybersecurity training, using encrypted messaging apps and protecting all digital accounts with multi-factor authentication — for example by requiring both a password and a unique SMS code to log in.

An aide for South Bend, Ind., Mayor Pete Buttigieg said his campaign had implemented those same security features plus others I asked about — which were primarily drawn from a cybersecurity checklist from the Democratic National Committee. Other questions focused on whether campaigns mandated that staff use complex passwords or a password manager tool and if they had a chief cybersecurity officer. 

Campaigns for Sens. Elizabeth Warren (Mass.) and Bernie Sanders (I-Vt.), however, declined to say anything about their cybersecurity protections and suggested that answering basic security questions could make the campaigns more vulnerable.

Overall, 12 of the 23 campaigns provided some information about their security protection, all of which said they were following most or all of the DNC’s major recommendations.

Other higher-polling campaigns that gave substantial answers include Sens. Amy Klobuchar (Minn.) and Michael Bennet (Colo.) as well as former congressmen Beto O’Rourke (Tex.) and John Delaney (Md.). Those who declined to answer or didn’t respond included Sen. Cory Booker (N.J.) and Rep. Tulsi Gabbard (Hawaii).

Trump’s reelection campaign also declined to describe its cybersecurity protections.

DNC Chief Security Officer Bob Lord told me in a statement that all campaigns should be following his cybersecurity checklist and that the DNC “continues to educate and work with campaigns and the entire Democratic ecosystem on best practices to improve our overall security posture.”

There’s little security value in hiding from attackers that you’re following basic cybersecurity best practices, Maurice Turner, a senior technologist at the Center for Democracy and Technology who focuses on election security, told me.

“Campaigns being secretive about whether they are using basic cyber hygiene practices is like not admitting to wearing a seat belt,” Turner said. “Anything but an immediate, unequivocal ‘yes’ doesn’t inspire confidence and leads to more questions.”

The nonanswers also suggest the candidates aren’t modeling good cybersecurity for the nation amid a crush of digital attacks that has damaged the privacy of nearly every American, Turner said.

“We need to be able to normalize these conversations because this is a threat everyone faces,” he said. “Everyone should feel comfortable knowing that their leaders understand these threats and are doing something about them.”

To be sure, there’s no evidence that campaigns that declined to describe their cybersecurity protections have instituted fewer protections than those that did.

And, in addition to the DNC checklist, there are numerous other cybersecurity aids for campaigns, including from private companies and a nonprofit organization that the Federal Election Commission recently approved to provide free or low-cost cybersecurity services to campaigns.

The Department of Homeland Security is also offering campaigns cybersecurity assistance including digital vulnerability scans.

This year, DHS has spoken with about a dozen presidential campaigns about cybersecurity protections, “many of which have expressed interest in continued engagement or utilizing election security services offered by DHS,” Matt Masterson, senior cybersecurity adviser for the department’s Cybersecurity and Infrastructure Security Agency, told me by email, though he didn't name the campaigns.

DHS also held a joint briefing for presidential campaigns last month with the FBI and the Office of the Director of National Intelligence, Masterson told me.

“Protecting 2020 will take a whole-of-nation effort, which is why we have sustained outreach and communication with campaigns and political committees throughout this election cycle,” he said.


PINGED: Senate Democrats are trying to use Trump’s comments that he might listen to stolen intelligence about his opponents provided by a foreign power to reinvigorate legislation aimed at protecting the 2020 contest — and they’re slamming Republican colleagues for not helping out.

Sen. Mark R. Warner (D-Va.) tried to push through legislation on Thursday that would require political campaigns to report to the FBI if foreign agents tried to give them dirt on opponents, but Republicans blocked the measure.

Sen. Ron Wyden (D-Ore.) also slammed Republicans in an email to me, saying, “The president has made perfectly clear that he has no problem with foreign hackers interfering in our democracy. If congressional Republicans don’t end their obstruction of election security legislation like my [Protecting American Votes and Elections Act of 2019], the only logical conclusion is they don’t have a problem with foreign interference, either.”


Sen. Amy Klobuchar (D-Minn.) called Trump's comments "inexcusable" and pushed two election security bills she's sponsoring. 

House Democrats are also prepping a wide array of election security bills following Trump’s comments. Here are all the details from my colleagues Mike DeBonis and Ellen Nakashima.

PATCHED: Senators from both sides of the aisle offered a stern warning to the Trump administration Thursday about its potential backpedaling on a series of restrictions on the Chinese telecom Huawei in the hopes of reaching a trade agreement with Beijing. “In no way should Huawei be used as a bargaining chip in trade negotiations,” Warner and Sen. Marco Rubio (R-Fla.) wrote in a letter yesterday to the State Department and the U.S. Trade Representative.

The senators also warn of “long-term security risks posed by Chinese telecommunications firms.” Schumer earlier warned that Senate Democrats would do all they could to block any Trump efforts to go easy on Huawei, calling it “a dire threat to our national security.”

PWNED: A phony LinkedIn profile created with artificial intelligence probably demonstrates how foreign powers are using social media to spy on Americans, the Associated Press’s Raphael Satter reports.

The profile for “Katie Jones” claimed she was a fellow at the Center for Strategic and International Studies think tank and had numerous high-profile Washington connections. But experts tell Satter they believe Jones doesn’t exist and the profile photo was generated by A.I. — probably as part of a foreign spying operation. Satter broke down the almost imperceptible clues that the image was a fake.

“William Evanina, director of the U.S. National Counterintelligence and Security Center, said foreign spies routinely use fake social media profiles to home in on American targets — and accused China in particular of waging ‘mass scale’ spying on LinkedIn,” Satter reported.

“Instead of dispatching spies to some parking garage in the U.S. to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” Evanina told Satter. 

Here are more details on China's vast LinkedIn spying operations from Cyberscoop’s Jeff Stone.


Cybersecurity news from the public sector:

Mitch McConnell is Making the 2020 Election Open Season for Hackers (The New Yorker)

Lawmakers grapple with deepfake threat at hearing (The Hill)

Here Are Images of Drivers Hacked From a U.S. Border Protection Contractor (Motherboard)

Baltimore won't be able to send water bills again this month as ransomware recovery continues (The Baltimore Sun)

Next step in Assange extradition case due in UK court on Friday (Reuters)


Cybersecurity news from the private sector:

Criminal campaign uses leaked NSA tools to set up cryptomining scheme, Trend Micro says (CyberScoop)

Google's Push to Close a Major Encrypted Web Loophole (Wired)

Medical infusion-pump system has two serious bugs, researchers say (CyberScoop)

SEC security alert warns about misconfigured NAS, DBs, and cloud storage servers (ZDNet)


Cybersecurity news from abroad:

Telegram hit by massive Chinese cyberattack during Hong Kong protests (Rachel Siegel)