“Voter contact has shifted to digital and phones — and it's just primed for digital hackers and their shenanigans,” says Matt Rhoades, co-founder of Defending Digital Campaigns, a nonprofit group that connects political campaigns with free or reduced-price cybersecurity tools.
Social distancing measures in the United States may give some people more time to cause disruptions, said Rhoades, a former presidential campaign manager for Mitt Romney. “From a domestic digital threat we have a bunch of hackers sitting in their parents' basement eating ramen who have nothing to do but find weak spots in our elections,” he said.
But U.S. adversaries are also eager to find openings. Rhoades says that Iran and China – the latter of which has been behind a surge in hacking attempts during the pandemic aimed at stealing personal information – also “seem poised” to engage in cyberattacks against campaigns.
DDC is emphasizing to campaigns that they must securely send and receive documents especially now that more work has moved online. “Campaigns are real targets of bad cyber actors,” Michael Kaiser, president and chief executive of DDC, told me. “If you work in a campaign you have to assume you are a target.”
And Kaiser recommends campaigns use encrypted services such as Signal or Wickr, a DDC partner. Whichever they choose, Kaiser said, the key is enforcing consistent use across everyone in the campaign — which can be tricky for often loose-knit networks of staff and volunteers. “Making some of those cultural shifts about the way things get shared is a really important element right now,” Kaiser said.
But campaigns have been less forthcoming on how they're protecting themselves as they shift online and embrace new ways to reach voters.
“Biden for President takes cybersecurity seriously and has high quality personnel to ensure that the campaign's assets are secure,” a representative for former vice president Joe Biden said in a statement. “In furtherance of this goal, we will not be answering questions about specific methods used to ensure this security.”
The campaigns for Sen. Bernie Sanders (I-Vt.) and President Trump did not respond to questions about what digital security steps they're taking.
While many campaigns have upped their efforts to protect email in the wake of the 2016 hack of Hillary Clinton's presidential campaign, there are deep concerns about the lack of protection for the virtual fundraisers, meetings and town halls that have boomed during the pandemic.
Zoom, which the Biden campaign has used for town halls, has been blindsided by a number of security concerns, my colleague Cat Zakrzewski reported. After multiple reports of anonymous trolls targeting educators with racist and pornographic material, the FBI issued a warning last week advising that Zoom users should opt to keep meeting private and use participant-screening features. But my colleague Drew Harwell found thousands of private Zoom calls, including confidential therapy sessions, online last week, raising concerns about the company's privacy features.
“I know that the larger campaigns are super-sensitive to it,” says Shomik Dutta, co-founder and partner at Higher Ground Labs, a political technology accelerator. “If you have a great broadcast experience that is truly two-way, you don't want you somebody crashing the party drawing something strange on their screen or hijacking control of the thing.”
Higher Ground Labs has invested in a number of technologies, such as text-to-voter organizing tools, that are in demand as campaigns go digital, and has its eye on investing in more live event platforms. It encourages its start-ups to undergo frequent security and resiliency testing.
This could extend to the political space as the election draws near — especially as virtual and phone campaigning open up the door for pranksters to pose as candidates.
But Rhoades says campaigns are in a box right now and security may not always be perfect. “Candidates have to be able to talk to voters,” Rhoades says. “Whether these systems are functioning at 110 percent, candidates have to move forward.”
Scams targeting voters or campaign workers could also pose a threat. Agari, an email security firm, has seen a nearly 600 percent increase of coronavirus-themed attacks against the private sector. While so far there has been no similar uptick in phishing scams using coronavirus-themed bait to steal personal information from campaigns, Agari chief identity officer Armen Najarian tells me, it's possible that could change.
Both the Sanders and Trump campaigns aren't fully using a security protocol that prevents hackers from sending emails pretending to be from their campaign website domains.
And the personal emails of campaign members are also not immune from increased coronavirus-themed scams.
“I think campaign staff are consumers, too, and while they might have a campaign email, they all have personal emails as well,” Kaiser says. “When it comes to the covid issues and the coronavirus, just like everyone else they're going to possibly be targeted during the crisis.”
PINGED, PATCHED, PWNED
PINGED: The Wisconsin Supreme Court blocked an executive order by Gov. Tony Evers (D) that would have postponed today's elections until July, leaving pollworkers scrambling, my colleagues Amy Gardner, Elise Viebeck and Dan Simmons report. The decision could make it easier to challenge similar moves by other states to extend voting deadlines during the coronavirus pandemic.
The U.S. Supreme Court also struck down the state's plan for extended absentee voting with a 5-to-4 ruling in conservatives' favor.
Wisconsin Republicans strongly lobbied against changing the primary date in the state, reflecting a growing national sentiment from the party questioning vote-by-mail and other measures introduced to lessen coronavirus risks. President Trump alleged on Friday that mail-in voting would allow more voters to “cheat.”
“At the end of the day, this is about the people of Wisconsin,” Evers said Monday. “They frankly don’t care much about Republicans and Democrats fighting. They’re scared. We have the surgeon general saying this is Pearl Harbor. It’s time to act.”
BYTES: Sen. Michael Bennet (D-Colo.) criticized Zoom's privacy practices in a letter yesterday videos of thousands of private meetings surfaced online on public sites such as YouTube. The Colorado Democrat joins a growing list of Democrats who have criticized the videoconferencing company for putting users' privacy and security at risk.
“Many of these videos include intimate details of private businesses and personal relationships, potentially exposing users to significant financial, personal, and psychological harm,” Bennet wrote in a letter to Zoom CEO Eric Yuan. “In case after case, these issues consistently stem from Zoom’s deliberate decision to emphasize ease of use over user privacy and safety.”
Bennet wants to know all the data Zoom collects on users, how long it stores that data, and which third parties can access the data. He also wants to know what steps the company has taken to notify victims of the breach, which was first reported by my colleague Drew Harwell last week.
Zoom has taken a number of steps to address mounting security concerns with its platform and plans to make more privacy and security features available to users by default, Yuan told my colleague Cat Zakrzewski last week.
PWNED: YouTube will remove videos promoting a conspiracy theory that 5G communications networks cause the coronavirus, Hadas Gold at CNN reports. The conspiracy theory, which traces back to the virus's emergence in China, exploded over social media in the United Kingdom last week and led to arson and vandalism of more than a dozen cellphone towers.
Content promoting the false link between the virus and the communications technology appears on Facebook and Twitter, as well. Both companies are set to meet with government leaders about curbing the misinformation this week, Alex Hern and Jim Waterson at the Guardian report.
Industry groups representing U.S. chipmakers are pushing back against proposed changes that would prevent foreign merchants from selling chips made with U.S. technology without a license, Karen Freifeld at Reuters reports.
The rule change could hurt advanced medical equipment essential to coronavirus response, the groups argued in a letter to U.S. Commerce Secretary Wilbur Ross. The groups are asking for the department to allow a public comment period before the rules go into place.
The proposal is aimed at Chinese telecommunications giant Huawei, but could lead to reprisals against the United States by China, the company's chairman warned last week.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad: