The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Buttigieg's cybersecurity adviser resigns right before Iowa caucuses

with Joseph Marks


Mick Baccio, who served as former South Bend, Ind., mayor Pete Buttigieg's cybersecurity chief, has left the campaign citing “fundamental philosophical differences.” His departure comes just weeks before the Iowa caucuses, the kickoff to the 2020 primary season.

“[I left due to] fundamental philosophical differences with the campaign management regarding the architecture and scope of the information security program,” Baccio told Shannon Vavra at CyberScoop.

“Mick resigned earlier this month and we thank him for the work he did to protect our campaign against attacks,” Chris Meagher, national press secretary for the Buttigieg campaign, said in a statement. “Our campaign has retained a new security firm and continues to be committed to digital security and protecting against cyber attacks.”

The news was first reported by the Wall Street Journal.

The Buttigieg campaign declined to name the firm it has hired to fill the gap left by Baccio. The Buttigieg campaign also has a contract with Massachusetts cybersecurity firm Carbon Black.

Baccio joined the campaign in July, making Buttigieg the first and only 2020 Democrat known to have brought a chief information security officer on staff. Baccio was a former Obama administration cyber official.

His departure comes as security officials are warning that hacking attempts against the 2020 elections will be even greater than in 2016 when Russian agents hacked the email of Hillary Clinton campaign chairman John Podesta and breached the Democratic National Committee's servers.

“The threats as we go into 2020 are frankly more sophisticated,” Shelby Pierson, the intelligence community’s first election threat executive, said Tuesday. “This is not a Russia-only problem. [It’s] Russia, China, Iran, North Korea, nonstate hacktivists who all have opportunity, means and potentially motive to come after the United States in the 2020 election…This is a top national security priority.”

Those efforts are already underway. Russian spies have reportedly attempted to hack into the Ukrainian gas firm Burisma, likely in an effort to dig up dirt on former vice president Joe Biden and his son Hunter, who served on the company's board. In October, Iranian hackers targeted a presidential campaign thought to be the Trump campaign.

And all of the 2020 candidates are under a constant barrage of cyberattacks. Cybersecurity company Cloudflare recently told me it sees nearly half a million attacks against campaign websites a day.

“The timing is unfortunate,” Maurice Turner, deputy director of the Internet architecture project at the Center for Democracy and Technology, said. But he added it's unlikely that Baccio's departure would change the calculus for hackers.

“As far as malicious actors are concerned, if the actors are motivated to infiltrate the Buttigieg campaign I don't think this really moves the needle,” he said.

Still, Baccio's departure dings ongoing efforts to get presidential candidates to prioritize cybersecurity.

“You want a candidate who takes info security seriously to turn into an elected official who takes it seriously,” Turner said. 

“Having a single point of contact such as a CISO is a strength because there is one individual to whom all members of the organization can turn for leadership on these matters,” Steve Grobman, senior vice president and chief technology officer at McAfee, told me.

But turnover in the field isn't unusual, he says. 

“Cybersecurity is a very lucrative field, and it’s not uncommon to see a great deal of turnover in the executive ranks of the CISO when there are many options for qualified individuals.”

The big picture is that campaigns need to be maximizing their defenses well before primaries are in full swing.

“Every one of these primaries and caucuses is an opportunity for that attacker to influence the process and shape it to serve his political goals,” Grobman said.

Baccio spoke publicly about his role in November. He expressed a focus on securing donor data and vetting the security of third-party vendors used by the campaign.

“I’m creating a culture — heavy on the cult,” he told the audience. “I’m pushing something in a place where it’s never, ever been before and we’re moving at 100 miles an hour,” he said at the Cyberwarcon conference just outside Washington.

What garnered the most attention, however, was Baccio's philosophy on preventing adversaries from using manipulated video, also known as deepfakes, to malign the candidate.

“We keep the mayor in front of a camera basically all his waking hours,” Baccio told the audience. “So if there is that doctored video we have the original to combat it.” 


PINGED: The presidential campaign of billionaire businessman and former New York mayor Mike Bloomberg is taking cybersecurity seriously and requiring staff to take numerous precautions including using complex passwords, encrypted messaging apps and extra security procedures before logging into devices and websites, a campaign spokesman told Joe. 

The campaign has also hired “a dedicated security team responsible for all aspects of security” that has “assembled a range of technologies and practices to help keep campaign information and employees safe,” spokesman Michael Frazier said.

Bloomberg, who joined the presidential race in November and is funding his own campaign, has implemented all but one of the cybersecurity measures I’ve been surveying campaigns about since June and that are recommended by the Democratic National Committee. The one measure the campaign hasn’t implemented yet is providing cybersecurity training for all paid staff, Frazier said. 

The campaigns for former vice president Joe Biden, former South Bend, Ind., mayor Pete Buttigieg, Sen. Amy Klobuchar (D-Minn.) and businessman Tom Steyer also said this week they’ve implemented all or most of the protections. Sens. Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.) declined to answer questions about their cybersecurity protections. 

PATCHED: The White House will not use the controversial Chinese telecom Huawei as a “chess piece” in negotiations over a phase 2 trade deal with China, Treasury Secretary Steven Mnuchin pledged yesterday. 

That could give some solace to China hawks in Congress who argue Huawei could assist Beijing spying and who fear President Trump will roll back severe restrictions on the company’s role in next-generation 5G wireless networks to strike a trade bargain with China. 

“Huawei is not part of the economic dialogue. It is part of the national security dialogue … These will be negotiated separately,” Mnuchin said on CNBC.

The comments come as Trump administration officials are urging allies to bar Huawei from building their 5G networks, but with limited success, and as a bipartisan group of senators is pushing a $1 billion plan to subsidize U.S. firms to be more competitive in 5G. Huawei has steadfastly denied assisting Chinese spying. 

PWNED: Lawmakers are pushing the Trump administration for more information about how it’s protecting U.S. companies against cyberattacks following the killing of a top Iranian general.

House Commerce Committee Democrats pressed the Federal Communications Commission and Department of Homeland Security for information about protections for telecommunications networks in letters sent yesterday.

“It is paramount that the U.S. Government work with all network providers, and particularly smaller carriers and those that might not otherwise have the means or ability to defend against any attack,” Chairman Frank Pallone Jr. (D-N.J.) and Mike Doyle (D-Pa.), who leads the committee’s communications panel, wrote. 

Sens. Marco Rubio (R-Fla.) and Ben Cardin (D-Md.) separately urged the Small Business Administration to take “immediate action” to protect against cyberthreats from Iran, Sean Lyngaas at CyberScoop reported.


— Cybersecurity news from the public sector:

The FBI Got Data From A Locked iPhone 11 Pro Max — So Why Is It Demanding Apple Unlock Older Phones? (Forbes)

House Democrats Used Cellebrite to Publish Lev Parnas iPhone Messages (Motherboard)

Intel agencies push to close threats hearing after Trump outburst (Politico)

DOD Aims to Issue Proposed Rule for Certifying Contractors’ Cybersecurity in the Fall (Nextgov)


— Cybersecurity news from the private sector:

Equifax to pay customers $380.5 million as part of final breach settlement (CyberScoop)

Google finally brings its security key feature to iPhones (TechCrunch)

What’s the Price of Getting Your Data? More Data (The New York Times)

Facebook Will Now Remind You When It's Not the Only One Looking at Your Data (Gizmodo)


— Cybersecurity news from abroad:

UK vows to keep Huawei out of key security infrastructure (South China Morning Post)

5G: Southeast Asia favours Samsung, unsure of Chinese tech brands (South China Morning Post)


Coming up:

  • The Senate Commerce Committee will host a hearing on “the 5G Workforce and Obstacles to Broadband Deployment” at 10 a.m. on Wednesday.
  • RSA Conference 2020 is scheduled for February 24-28 in San Francisco.