The Washington Post

The Cybersecurity 202: Most Democratic presidential campaigns score high on cybersecurity protections

with Tonya Riley

THE KEY

Democratic presidential candidates are doing a pretty good job protecting their campaigns against hacking by Russia and other adversaries, according to a report out today from the cybersecurity company SecurityScorecard.

Those results are a positive sign they’ll be able to fend off the sort of digital attacks that upended Hillary Clinton’s campaign in 2016. But the election is still a long way off and hacking threats are likely to grow more sophisticated and dangerous as the election nears.

“They're seemingly all taking [cybersecurity] seriously,” Paul Gagliardi, SecurityScorecard’s head of threat intelligence, told me. “We didn't really find any low-hanging fruit. But security changes every single day … As the election comes closer, we could get some very targeted attacks by sophisticated actors.”

And another hack and leak campaign like the one that targeted Clinton could not only severely damage the Democratic nominee's prospects, it might compromise faith in the electoral process. “You don't want a foreign power impacting or modifying the sanctity of our elections,” Gagliardi said. 

All of the Democratic candidates who are still in the race earned an A or a B using the company’s grading system, which is based on information that’s available on the Internet, such as whether campaign websites are patched against known computer bugs and whether they’re taking basic precautions to guard against phishing emails. Campaigns with high marks are five times less likely to be breached than those earning Cs or lower, the company said, based on its customer base of more than a million organizations. 

Campaigns for top-polling candidates former vice president Joe Biden, former New York City mayor Michael Bloomberg, former South Bend, Ind., mayor Pete Buttigieg and Sen. Amy Klobuchar (D-Mass.) have all told me they're taking basic measures such as mandating cybersecurity training for staff and requiring that staff use extra security precautions before accessing smartphones and websites. Sens. Elizabeth Warren (D-Mass.) and Bernie Sanders (I-Vt.) have declined to answer security questions. 

High security scores mean the campaigns are more secure than many major businesses and even better secured than the Democratic National Committee when the company performed a similar test in May. They’re almost certainly more secure than Clinton’s campaign, which fell prey to a basic phishing attack — a phony email that managed to snare then-campaign chairman John Podesta’s password. 

But those basic protections may not be enough to protect against a highly-trained army of nation-state hackers, and officials are growing increasingly concerned about sophisticated efforts to undermine the contest — not just from Russia but also from China, Iran and North Korea.

“It’s hard to ever say that you feel comfortable defending your network against the likes of Russia or China,” Gagliardi told me. 

The only major problem, the company found, ironically, was numerous vulnerabilities in an app used by supporters of Andrew Yang, a tech entrepreneur who has since dropped out of the race. The app was not used by the campaign itself, SecurityScorecard said. 

The report comes as top U.S. intelligence and law enforcement agencies are sounding an alarm about efforts to undermine the 2020 contest through hacking or disinformation and “working directly with campaigns and candidates to educate them about ways to help keep their networks secure,” according to a USA Today op-ed published yesterday.

The op-ed was written by Attorney General William P. Barr, FBI Director Christopher Wray, acting Department of Homeland Security chief Chad Wolf, acting director of National Intelligence Joseph Maguire and leader of DHS’s cybersecurity division Chris Krebs. 

Those officials haven’t identified any foreign hacking efforts aimed at preventing or changing votes during the first few primaries and caucuses of 2020. But they warn that adversaries are eager to “undermine our trust and confidence in each other, our democratic society and democracy itself.”

They’re also calling on the public to join in a “whole-of-society approach” to prevent election interference by ensuring they’re double-checking anything that might be misinformation and going to trusted sources for election information such as times and polling locations. 

“As leaders of our government, we are committed to defending our democracy, but we need your help, too,” the op-ed states. 

They also “encourage candidates, election officials, technology companies and others involved in elections to report suspicious cyber activity to” the FBI and DHS. 

“We cannot prevent all disinformation, foreign propaganda or cyberattacks on our infrastructure,” the officials write. “However, together, we can all help to mitigate these threats by exercising care when we share information and by maintaining good cyber hygiene to reduce the risks that malicious cyberattacks will succeed.” 

PINGED, PATCHED, PWNED

– The Democratic debate in Las Vegas last night contained lots of attacks, but not much cyber. The one big moment for election security watchers came when Sen. Bernie Sanders (I-Vt.) suggested without evidence some of the social media vitriol attributed to his campaign may actually be a Russian disinformation operation. “All of us remember 2016, and what we remember is efforts by Russians and others to interfere in our election and divide us up,” he said. “I’m not saying that’s happening, but it would not shock me.” 

That claim hasn’t been backed up by any intelligence agencies or social media companies, however. And it drew quick rebukes from some disinformation researchers who warned it’s irresponsible without hard evidence. 

Here’s Laura Rosenberger, director of the Alliance for Securing Democracy at The German Marshall Fund:

Here’s other big cybersecurity news:

PINGED: Former Republican congressman Dana Rohrabacher (Calif.) allegedly carried a message from President Trump offering WikiLeaks founder Julian Assange a pardon in exchange for saying Russia had nothing to do with the 2016 hack and leak of emails from the Democratic National Committee, a lawyer for Assange claimed in British court yesterday. Assange rejected the offer, the lawyer said. WikiLeaks published many of those leaked emails.

The White House and Rohrabacher both denied that allegation as my colleagues William Booth and Ellen Nakashima report. White House Press Secretary Stephanie Grisham called the story “a complete fabrication” and “probably another never ending hoax and total lie from the DNC.” 

Rohrabacher said in a statement posted to his website on Wednesday, “At no time did I talk to President Trump about Julian Assange. Likewise, I was not directed by Trump or anyone else connected with him to meet with Julian Assange.”

Trump has routinely disputed the unanimous conclusion from U.S. intelligence agencies that Russia was behind the hack and leak of Democratic emails in 2016 and did it to aid his campaign. Rohrabacher, who lost reelection in 2018, has also disputed Russia’s role in the election.

Assange is in prison in London fighting extradition to the United States where he’s facing charges under the Espionage Act.  

PATCHED: The cybersecurity world got a shakeup at the top in both the private and public sectors yesterday.

Richard Grenell, the U.S. ambassador to Germany, will be the next acting director of national intelligence, President Trump announced. The appointment of Grenell, who’s a conservative policy hawk and Trump confidante, could worsen conflict between Trump and the intelligence community, my colleagues Shane Harris and Josh Dawsey report.

It's unclear if Trump intends to nominate Grenell to serve in the role permanently, which would require Senate confirmation. 

Grenell recently played a pivotal role in the U.S. fight against Huawei, relaying via Twitter Trump’s threat to cut off intelligence sharing with nations that allowed the company to build their next-generation telecom networks. 

Meanwhile, CrowdStrike co-founder and chief technology officer Dmitri Alperovitch announced he will leave the firm to "launch a non-partisan, non-profit policy accelerator." 

"During my tenure, I helped transform the cybersecurity industry and want to apply the same ingenuity and a venture approach to galvanize solutions to pressing cybersecurity," he tweeted.

CrowdStrike has been an industry leader in attributing hacking campaigns to groups connected with the Russian, Chinese, Iranian and North Korean governments. The company has responded to numerous major hacks since 2012, most notably assisting with the investigation into the 2016 DNC breach. The company's role in examining the DNC server gave fodder to a baseless conspiracy theory embraced by President Trump that CrowdStrike somehow helped Ukraine interfere in the 2016 election.

PWNED: The personal information of more than 10.6 million former guests of MGM Resorts, including Twitter CEO Jack Dorsey and pop star Justin Bieber, surfaced on a hacking forum this week, Catalin Cimpanu at ZDNet reports. The leaked files included phone numbers, home addresses and birth dates for the guests, who include other celebrities, tech CEOs, reporters and government officials, ZDNet found.

MGM verified a hacker accessed the data in a breach last summer and said it notified the affected guests at the time. No financial information or password data was involved, the spokesperson told ZDNet. 

PUBLIC KEY

--Hackers have been buying mistyped domain names tweeted by Trump lawyer Rudy Giuliani in order to infect his followers with malware, Alfred Ng at CNET reports.  

The attack, called "typo-squatting," isn't a new trick for hackers, but Giuliani's frequent typos and large following among politicians, journalists and Trump associates could make his typos especially dangerous, Jerome Segura, a director of threat intelligence at cybersecurity company Malwarebytes, said.

"You're kind of relying on the user to make those typos and they happen once in a blue moon, so that's not ideal for attackers," Segura said. "With [Giuliani], just looking at the last few days, there were multiple occasions where he created links by mistake."

--The Navy is scrambling to modernize aging technology that has left it struggling to defend against hacks from China and other sophisticated hacking groups, according to an internal memo obtained by Dustin Volz and Gordon Lubold at the Wall Street Journal. The 17-page memo demonstrates the latest push by the military branch to shore up its defenses after an internal audit concluded nearly a year ago that it was "under cyber siege."

The Navy’s outdated technology, some of which dates back to the 1990s, limits its ability to identify and stop cyberattacks, according to the memo. Unaddressed weaknesses have also created a "sieve" for leaked data that emboldens adversaries, acting Navy Secretary Thomas Modly told the Journal. 

— More cybersecurity news from the public sector:

U.S. urges EU to use 5G by Ericsson, Nokia, Samsung, seen on par with Huawei (Reuters)

Kentucky state official says foreign adversaries 'routinely' scan election systems (The Hill)

CISA Shares Details About Ransomware that Shut Down Pipeline Operator (Nextgov)

PRIVATE KEY

— Cybersecurity news from the private sector:

How Saudi Arabia Infiltrated Twitter (BuzzFeed News)

Hackable firmware lurks inside Dell, HP and Lenovo computers amid supply chain security efforts (CyberScoop)

THE NEW WILD WEST

— Cybersecurity news from abroad:

Watchdog ponders tougher independent oversight for Australia's encryption laws (ZDNet)

ZERO DAYBOOK

—Today:

  • US Election Assistance Commission will host a 2020 Elections Disability, Accessibility and Security Forum in Washington, D.C. on Thursday from 9am to 4:30pm

Coming up

  • The Penn State Dickinson Law and Institute for Computational and Data Sciences will host an event “Hacking The U.S. Election: How Can We Make U.S. Elections More Secure?” on Monday from 8:30am-1:00pm.
  • RSA Conference 2020 is scheduled for Feb. 24 to 28 in San Francisco.
  • The Cyberspace Solarium Commission will release its final report and recommendations during a public event on March 11 at 2:30pm.